nuxt-modules / security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

feat(csp): require-trusted-types-for #526

Closed dargmuesli closed 2 weeks ago

dargmuesli commented 2 months ago

Is your feature request related to a problem? Please describe.

The module seemingly does not support the require-trusted-types-for content security policy.

Describe the solution you'd like

The policy should be added.

Describe alternatives you've considered

Not using this policy 🥲😉

Additional context

Since https://github.com/vuejs/core/pull/10844 and v3.5 Vue supports trusted types.

Baroshem commented 2 months ago

Hey Jonas!

Thanks for raising this issue. I checked the availability of this particular option and it seems that it is not supported by either Mozilla or Safari and I wonder if we should support as we do it with Permissions Policy or focus on the ones that are more known 🤔

Thoughts @vejja?

dargmuesli commented 2 months ago

caniuse shows almost 75% global support. It's not urgent for me though! Just wanted to mention this feature request as it would come up eventually this way or another I'm sure 😁

vejja commented 2 months ago

We can support it, no problem I think

Baroshem commented 2 months ago

@dargmuesli would you be interested in developing this functionality? :)

dargmuesli commented 2 months ago

I might come across this while procrastinating 😉 but if someone else goes first, I won't complain 😁

vejja commented 2 months ago

@dargmuesli it was just a simple type modification. Happy to get your feedback on whether require-trusted-types-for has the right type definition. Not clear to me if the spec says that only 'script' is valid, any word, or any combination of words...

Baroshem commented 2 months ago

Thanks @vejja 💚

@dargmuesli I have changed the base branch of the linked PR to 2.1.0 as I would like to plan it for the upcoming new release. Let us know if the code developed by Sebastien is what you wanted :)
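
On the value question raised in the thread, the following is an added example and not code from nuxt-security or the linked PR. It serializes a directive map into a `Content-Security-Policy` header and validates `require-trusted-types-for` against the W3C Trusted Types draft, which defines the quoted keyword `'script'` as the only sink group. The directive-map shape, the function names and the policy name `app-policy` are assumptions made for illustration.

```javascript
// Added example, not nuxt-security code; the directive-map shape is assumed.
// The Trusted Types draft defines a single sink group: the quoted keyword 'script'.
const TT_SINK_GROUPS = new Set(["'script'"]);

// Validate the value list of the require-trusted-types-for directive.
function checkRequireTrustedTypesFor(values) {
  if (!Array.isArray(values) || values.length === 0) {
    throw new TypeError("require-trusted-types-for needs at least one sink group");
  }
  for (const v of values) {
    if (!TT_SINK_GROUPS.has(v)) {
      // A bare `script` is the most likely mistake: CSP keywords carry single quotes.
      const hint = v === "script" ? " (the keyword must be single-quoted)" : "";
      throw new TypeError(`unknown Trusted Types sink group: ${v}${hint}`);
    }
  }
  return values;
}

// Serialize a directive map into a Content-Security-Policy header value.
function buildCsp(directives) {
  const parts = [];
  for (const [name, values] of Object.entries(directives)) {
    if (values === false || values === undefined) continue; // directive disabled
    if (name === "require-trusted-types-for") checkRequireTrustedTypesFor(values);
    for (const v of values) {
      // Whitespace, ';' or ',' inside a value would end the directive or start
      // another policy, so reject it instead of emitting a different policy.
      if (/[;,\s]/.test(v)) {
        throw new TypeError(`invalid character in ${name} value: ${JSON.stringify(v)}`);
      }
    }
    parts.push([name, ...values].join(" "));
  }
  return parts.join("; ");
}

// Constructed sample policy; 'app-policy' is a hypothetical Trusted Types policy name.
const samplePolicy = {
  "script-src": ["'self'"],
  "require-trusted-types-for": ["'script'"],
  "trusted-types": ["app-policy"],
};
```

Browsers without Trusted Types support ignore the two unknown directives and enforce the rest of the policy, so sending them does not weaken the header there.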