Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

Unrecognized Content-Security-Policy directive 'worker-src' on Safari 14 #491

Open agracia-foticos opened 1 month ago

agracia-foticos commented 1 month ago

Version

nuxt-security: 2.0.0-rc.9
nuxt: 3.12.3

Reproduction Link

Unrecognized Content-Security-Policy directive 'worker-src' on Safari 14

Steps to reproduce

Unrecognized Content-Security-Policy directive 'worker-src' on Safari 14

Nuxt.config.ts

```ts
security: {
  headers: {
    crossOriginResourcePolicy: 'cross-origin',
    crossOriginOpenerPolicy: 'same-origin-allow-popups',
    crossOriginEmbedderPolicy: 'unsafe-none',
    contentSecurityPolicy: {
      'default-src': ["'self'"],
      'base-uri': ["'self'"],
      'font-src': ["'self'", 'https:', 'data:'],
      'form-action': ["'self'", 'https:'],
      'frame-ancestors': ["'self'"],
      'img-src': ["'self'", 'data:', 'https:'],
      'object-src': ["'none'"],
      'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'", 'https:'],
      'script-src-attr': ["'self'", 'https:', "'unsafe-inline'", "'unsafe-eval'"],
      'style-src': ["'self'", 'https:', "'unsafe-inline'"],
      'upgrade-insecure-requests': true,
      'frame-src': ["'self'", 'https:'],
      'worker-src': ["'self'", 'blob:', 'https:'],
      'connect-src': ["'self'", 'https:', 'wss:'],
      'media-src': ["'self'", 'https:'],
    },
    originAgentCluster: '?1',
    referrerPolicy: 'no-referrer-when-downgrade',
    strictTransportSecurity: { maxAge: 15552000, includeSubdomains: true },
    xContentTypeOptions: 'nosniff',
    xDNSPrefetchControl: 'off',
    xDownloadOptions: 'noopen',
    xFrameOptions: 'SAMEORIGIN',
    xPermittedCrossDomainPolicies: 'none',
    xXSSProtection: '0',
    permissionsPolicy: false,
  },
  requestSizeLimiter: {
    maxRequestSizeInBytes: 40000000,
    maxUploadFileRequestInBytes: 80000000,
  },
  rateLimiter: false,
  xssValidator: false,
  corsHandler: {
    origin: '*',
    methods: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'],
    preflight: { statusCode: 204 },
    exposeHeaders: '*',
  },
  hidePoweredBy: true,
  basicAuth: false,
  enabled: true,
  csrf: false,
},
```

Is there any way to apply different policies per browser (navigator) in nuxt security? https://caniuse.com/mdn-http_headers_content-security-policy_script-src-attr https://caniuse.com/?search=worker-src

Baroshem commented 1 month ago

Hey there,

Thanks for reporting this issue. I don't think it is possible to define navigator-based rules at the nuxt config level.

I think, if you want to get rid of this issue in your app, you would have to disable this header.

agracia-foticos commented 1 month ago

Maybe this could be a good improvement? Determine a hook at execution time to handle this option?

Baroshem commented 1 month ago

Could be, would you be interested in creating a Proof of Concept pull request with such a solution? :)

I can try to help as much as I can once you have something ready, and give you some guidance :)

vejja commented 2 weeks ago

Hi. This is a standard situation where an older browser doesn’t support a newer technology. However, this will not prevent the application from running. The only inconvenience is a minor warning message in the console.

My recommendation is to avoid degrading good security practices to support potentially older browser versions, because this creates a risk of opening even bigger loopholes in modern browsers. CSP was designed from the start to be backwards-compatible, which means that receiving 'worker-src' in a browser that doesn’t support it will have no negative consequences.

Don’t forget that CSP headers are generated by the server, which has absolutely no reliable idea of the version and brand of the browser used by a random user navigating the web.

Unless there is something I’m misunderstanding here, @agracia-foticos, I would suggest closing this issue?
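The backwards-compatibility point above can be checked mechanically. The following is an added example (not nuxt-security code, not from anyone in this thread): a small CSP parser that drops directives a browser does not recognise, as browsers do, and then resolves which directive governs a worker load using the CSP3 fallback chain (worker-src, then child-src, then script-src, then default-src). The two "known directive" sets are constructed assumptions standing in for a current browser and one that predates `worker-src`; a real legacy engine's fallback order may differ.

```typescript
// Minimal model of browser-side CSP parsing: names are case-insensitive,
// the first occurrence of a directive wins, unknown directives are dropped
// with a warning and the rest of the policy still applies.
type Policy = Map<string, string[]>;

// Constructed for this example: directive sets for a CSP3-aware browser and
// for a legacy browser that does not know 'worker-src' (the Safari 14 case).
const MODERN = new Set(["default-src", "script-src", "child-src", "worker-src", "img-src", "connect-src"]);
const LEGACY = new Set(Array.from(MODERN).filter((d) => d !== "worker-src"));

function parseCsp(header: string, known: Set<string>): { policy: Policy; warnings: string[] } {
  const policy: Policy = new Map();
  const warnings: string[] = [];
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!known.has(name)) {
      warnings.push(`Unrecognized Content-Security-Policy directive '${name}'`);
      continue;
    }
    if (policy.has(name)) {
      warnings.push(`Ignoring duplicate directive '${name}'`);
      continue;
    }
    policy.set(name, tokens.slice(1));
  }
  return { policy, warnings };
}

// CSP3 fallback chain for a dedicated worker. Returns the directive that
// governs the load, or null when the policy says nothing about it.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

function workerDirective(policy: Policy): string | null {
  return WORKER_FALLBACK.find((d) => policy.has(d)) ?? null;
}

// Header serialized from the worker-relevant part of the config posted above.
const HEADER =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; " +
  "worker-src 'self' blob: https:; connect-src 'self' https: wss:";

const modern = parseCsp(HEADER, MODERN);
const legacy = parseCsp(HEADER, LEGACY);
console.log(workerDirective(modern.policy)); // worker-src
console.log(workerDirective(legacy.policy)); // script-src
console.log(legacy.warnings); // the single console warning the issue reports
```

The legacy parse keeps every other directive intact, so the only effect of the unknown `worker-src` is the warning plus a fall-through to `script-src` for worker loads.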