unjs / h3

⚡️ Minimal H(TTP) framework built for high performance and portability
https://h3.unjs.io/
MIT License

csp support #336

Open pi0 opened 2 years ago

pi0 commented 2 years ago

https://github.com/nuxt/nuxt.js/issues/11793

(we probably do need to add this partially to unjs/h3)

fkammer commented 1 year ago

Is this part of the roadmap for one of the next releases?

What would otherwise be a good entry point to start working on this, if one doesn't have any experience with this project so far?

just-maik commented 1 year ago

Any news on this? Trying to avoid 'unsafe-inline' in my nuxt project and got here. Are there any plans on generating a nonce or hash per request if SSR'd / build if SSG'd?

terwer commented 1 year ago

+1, I will not use nuxt for chrome extension building until this issue is fixed.

pi0 commented 1 year ago

This is an important feature to have indeed. Moving to h3 as it will probably finally be a util from h3, served by nitro/nuxt renderers.

For nuxt, you can try the nuxt-security module in the meantime. (Notice: I have not audited the module and it only adds general CSP rules, i.e. not preventing bad script execution from the same origin.)

tnabil commented 1 year ago

Any updates on this, please? nuxt-security uses "unsafe-inline", so is definitely not a secure option. If we do not have an end-to-end solution, is there at least a way to ensure that all script tags are added dynamically so that we can layer a custom solution on top of that by, for example, manually calculating hashes?

dargmuesli commented 1 year ago

Hey @tnabil, please include only the information in comments that is relevant to the repository you're posting to. Copy-pasting to multiple similar issues across different repositories does slow things down due to unnecessary notifications. If you're affected by an already existing issue, please add a :+1: to the original post.

Regarding your question: nuxt-security includes unsafe-inline by default as it is required while https://github.com/vitejs/vite/issues/11862 is still unresolved. You can override that default if you wish. Also, nuxt-security allows you to make use of nonces, which might be close enough to what you long for.

tnabil commented 1 year ago

@dargmuesli Actually, nonces do not work for us because we are deploying as a static app, so we are looking to use hashes. I believe the main issue is that Nuxt uses script tags with a src attribute, which is not compatible with the use of 'strict-dynamic'. For example: `<script type="module" src="/_nuxt/entry.75c7075c.js" crossorigin=""></script>` Whereas the recommended approach (e.g. here) is to load scripts dynamically. Is there any workaround to achieve this now? Note that I have yet to tackle the CSS side of things.

dargmuesli commented 1 year ago

Please continue the Nuxt related conversation in https://github.com/nuxt/nuxt/issues/11793.