[Open] pi0 opened this issue 2 years ago
Is this part of the roadmap for one of the next releases?
What would otherwise be a good entry point to start working on this, if one doesn't have any experience with this project so far?
Any news on this? Trying to avoid 'unsafe-inline' in my nuxt project and got here. Are there any plans on generating a nonce or hash per request if SSR'd / build if SSG'd?
+1, I will not use nuxt for chrome extension building until this issue is fixed.
This is an important feature to have indeed. Moving to h3, as this will probably finally be a util from h3, served by nitro/nuxt renderers.
For nuxt, you can try the nuxt-security module in the meantime. (Notice: I have not audited the module and it only adds general CSP rules - i.e. it does not prevent bad script execution from the same origin.)
Any updates on this, please? nuxt-security uses "unsafe-inline", so is definitely not a secure option. If we do not have an end-to-end solution, is there at least a way to ensure that all script tags are added dynamically so that we can layer a custom solution on top of that by, for example, manually calculating hashes?
Hey @tnabil, please include only the information in comments that are relevant to the repository you're posting to. Copy pasting to multiple similar issues across different repositories does slow things down due to unnecessary notifications. If you're affected by an already existing issue, please add a :+1: to the original post.
Regarding your question: nuxt-security includes unsafe-inline per default as it is required while https://github.com/vitejs/vite/issues/11862 is still unresolved. You can override that default if you wish. Also, nuxt-security allows to make use of nonces, which might be close enough to what you long for.
@dargmuesli Actually, nonces do not work for us because we are deploying as a static app, so we are looking to use hashes. I believe the main issue is that Nuxt uses script tags with a src attribute, which is not compatible with the use of 'strict-dynamic'.
For example:
<script type="module" src="/_nuxt/entry.75c7075c.js" crossorigin=""></script>
Whereas the recommended approach (e.g. here) is to load scripts dynamically. Is there any workaround to achieve this now? Note that I'm yet to tackle the CSS side of things.
Please continue the Nuxt related conversation in https://github.com/nuxt/nuxt/issues/11793.
https://github.com/nuxt/nuxt.js/issues/11793
(we probably do need to add this partially to unjs/h3)