
Merge pull request #464 from Baroshem/chore/2.0.0-rc.3
fix(headers): fix default-src owasp value
vejja authored May 30, 2024
2 parents 41596b1 + c16d0fb commit 10c6e1d
Showing 12 changed files with 34 additions and 14,989 deletions.
3 changes: 2 additions & 1 deletion .stackblitz/.gitignore
Expand Up @@ -6,4 +6,5 @@ node_modules
.output
.env
dist
.vercel
.vercel
yarn.lock
2 changes: 1 addition & 1 deletion .stackblitz/package.json
Expand Up @@ -11,6 +11,6 @@
"nuxt": "3.9.3"
},
"dependencies": {
"nuxt-security": "^2.0.0-rc.2"
"nuxt-security": "latest"
}
}
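Review bot: The new line `"nuxt-security": "latest"` replaces a semver range with a floating dist-tag, and since `.stackblitz/yarn.lock` is deleted in the same commit and `yarn.lock` is now ignored, nothing records which version a given install actually resolved to; `docs/package.json` gets the identical change. That makes both installs non-reproducible and means whatever is published under `latest` is consumed without anyone looking at it, which matters for a package that sets the security headers of the site being built. If tracking the newest release is the intent for the sandbox and docs, a range that still documents the tested floor, such as `"nuxt-security": "^2.0.0-rc.3"` (matching the version bumped in package.json), is preferable; otherwise keeping the lockfiles is the simpler fix.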
6,096 changes: 0 additions & 6,096 deletions .stackblitz/yarn.lock

This file was deleted.

1 change: 1 addition & 0 deletions docs/.gitignore
Expand Up @@ -10,3 +10,4 @@ dist
sw.*
.env
.output
yarn.lock
2 changes: 1 addition & 1 deletion docs/package.json
Expand Up @@ -13,7 +13,7 @@
"@nuxtjs/plausible": "^1.0.0",
"@nuxtlabs/github-module": "^1.6.3",
"nuxt": "^3.11.2",
"nuxt-security": "^2.0.0-rc.2"
"nuxt-security": "latest"
},
"resolutions": {
"string-width": "4.2.3",
8,861 changes: 0 additions & 8,861 deletions docs/yarn.lock

This file was deleted.

12 changes: 6 additions & 6 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "nuxt-security",
"version": "2.0.0-rc.2",
"version": "2.0.0-rc.3",
"license": "MIT",
"type": "module",
"homepage": "https://nuxt-security.vercel.app",
Expand Down Expand Up @@ -43,7 +43,7 @@
"dev:generate": "nuxi generate playground",
"dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground",
"dev:preview": "nuxi preview playground",
"dev:docs": "cd docs && yarn dev",
"dev:docs": "rm -rf dist && cd docs && yarn dev",
"lint": "eslint .",
"test": "vitest run --silent",
"test:watch": "vitest watch",
Expand Down Expand Up @@ -76,10 +76,10 @@
},
"unbuild": {
"entries": [
"src/utils/hash.ts",
"src/utils/headers.ts",
"src/utils/merge.ts",
"src/defaultConfig.ts"
"./src/utils/hash.ts",
"./src/utils/headers.ts",
"./src/utils/merge.ts",
"./src/defaultConfig.ts"
],
"externals": [
"unstorage"
Expand Down
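Review bot: The rewritten `dev:docs` script, `"dev:docs": "rm -rf dist && cd docs && yarn dev"`, deletes the repository's root `dist` directory as a side effect of starting the docs server, which is not apparent from the script's name, and `rm -rf` does not run in a plain Windows shell. The reason for clearing `dist` is not visible in the hunk; if it is to stop the docs from picking up a stale local build, a separate `clean` script that `dev:docs` invokes makes that intent visible, and a portable remover (for example a `node -e` one-liner calling `fs.rmSync` with `recursive` and `force`) removes the shell dependency. The other hunks in this section (version bump, `./`-prefixed unbuild entries) raise nothing.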
2 changes: 1 addition & 1 deletion src/defaultConfig.ts
Expand Up @@ -9,7 +9,7 @@ export const defaultSecurityConfig = (serverlUrl: string): ModuleOptions => ({
crossOriginEmbedderPolicy: 'require-corp',
contentSecurityPolicy: {
'base-uri': ["'none'"],
'default-src' : ["'none'"],
'default-src' : ["'self'"],
'font-src': ["'self'", 'https:', 'data:'],
'form-action': ["'self'"],
'frame-ancestors': ["'self'"],
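Review bot: The new value `'default-src' : ["'self'"]` is a wider fallback than `'none'`: every fetch directive the default policy does not list explicitly (`connect-src`, `media-src`, `frame-src`, `worker-src`, `manifest-src`, …) now permits same-origin loads instead of being blocked, so a consumer who relied on the previous closed-by-default behaviour receives a more permissive header after upgrading, while `object-src` remains explicitly `'none'` per the expectations in test/headers.test.ts. The commit message only says "owasp value"; a comment on the line would record the rationale for the next maintainer, e.g. `// OWASP CSP baseline; any directive not listed here falls back to same-origin`, and the change deserves a release-note entry since it alters the default header. The new line also keeps the stray space before the colon (`'default-src' :`) that none of the neighbouring keys have. `defaultSecurityConfig` begins and ends outside the hunk.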
2 changes: 1 addition & 1 deletion test/headers.test.ts
Expand Up @@ -37,7 +37,7 @@ describe('[nuxt-security] Headers', async () => {
expect(cspHeaderValue).toBeTruthy()
expect(nonceValue).toBeDefined()
expect(nonceValue).toHaveLength(24)
expect(cspHeaderValue).toBe(`base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-${nonceValue}'; upgrade-insecure-requests;`)
expect(cspHeaderValue).toBe(`base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-${nonceValue}'; upgrade-insecure-requests;`)
})

it('has `cross-origin-embedder-policy` header set with correct default value', async () => {
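Review bot: The updated `expect(cspHeaderValue).toBe(...)` line hard-codes the entire default policy string, and the same one-token `default-src` edit had to be repeated on 16 further assertion lines in test/perRoute.test.ts, which is why a single-value change in src/defaultConfig.ts touches 17 test lines. Building the expected header from one shared constant per test file (a name such as `DEFAULT_CSP`, with the nonce appended where a test needs it) would keep the assertions in sync and make the per-route tests show only the directive they actually vary. The enclosing `describe` block starts and ends outside the hunk.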
32 changes: 16 additions & 16 deletions test/perRoute.test.ts
Expand Up @@ -29,7 +29,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-origin')
expect(coop).toBe('same-origin')
expect(coep).toBe('require-corp')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=31536000; includeSubDomains;')
Expand Down Expand Up @@ -67,7 +67,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-origin')
expect(coop).toBe('same-origin')
expect(coep).toBe('require-corp')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=31536000; includeSubDomains;')
Expand Down Expand Up @@ -105,7 +105,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-origin')
expect(coop).toBe('same-origin')
expect(coep).toBe('require-corp')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=31536000; includeSubDomains;')
Expand Down Expand Up @@ -227,7 +227,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-origin')
expect(coop).toBe('same-origin-allow-popups')
expect(coep).toBe('require-corp')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=31536000; includeSubDomains;')
Expand Down Expand Up @@ -265,7 +265,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-origin')
expect(coop).toBe('same-origin-allow-popups')
expect(coep).toBe('require-corp')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=31536000; includeSubDomains;')
Expand Down Expand Up @@ -303,7 +303,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-origin')
expect(coop).toBeNull()
expect(coep).toBe('require-corp')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBeNull()
expect(sts).toBe('max-age=31536000; includeSubDomains;')
Expand Down Expand Up @@ -341,7 +341,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-origin')
expect(coop).toBeNull()
expect(coep).toBe('require-corp')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBeNull()
expect(sts).toBe('max-age=31536000; includeSubDomains;')
Expand Down Expand Up @@ -379,7 +379,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBeNull()
expect(coop).toBe('same-origin')
expect(coep).toBe('credentialless')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=31536000; includeSubDomains;')
Expand Down Expand Up @@ -417,7 +417,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-site')
expect(coop).toBeNull()
expect(coep).toBe('credentialless')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=31536000; includeSubDomains;')
Expand Down Expand Up @@ -455,7 +455,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('cross-origin')
expect(coop).toBe('same-origin')
expect(coep).toBe('require-corp')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https:; upgrade-insecure-requests; media-src 'none';")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https:; upgrade-insecure-requests; media-src 'none';")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=1; includeSubDomains; preload;')
Expand Down Expand Up @@ -495,7 +495,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-site')
expect(coop).toBeNull()
expect(coep).toBe('credentialless')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=2;')
Expand Down Expand Up @@ -535,7 +535,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-site')
expect(coop).toBe('same-origin-allow-popups')
expect(coep).toBe('credentialless')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer-when-downgrade')
expect(sts).toBe('max-age=1; preload;')
Expand Down Expand Up @@ -576,7 +576,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBeNull()
expect(coop).toBe('same-origin')
expect(coep).toBe('require-corp')
expect(csp).toBe("default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src https:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self'; upgrade-insecure-requests;")
expect(csp).toBe("default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src https:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self'; upgrade-insecure-requests;")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=10; preload;')
Expand Down Expand Up @@ -614,7 +614,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
expect(corp).toBe('same-origin')
expect(coop).toBe('same-origin')
expect(coep).toBe('require-corp')
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self'; upgrade-insecure-requests; manifest-src 'none';")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self'; upgrade-insecure-requests; manifest-src 'none';")
expect(oac).toBe('?1')
expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=10; includeSubDomains;')
Expand Down Expand Up @@ -662,7 +662,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
const csp = headers.get('content-security-policy')
const pp = headers.get('permissions-policy')

expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src blob:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src blob:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(pp).toBe('accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=self, document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), layout-animations=(self), legacy-image-formats=(self), magnetometer=(), microphone=(), midi=(), oversized-images=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), speaker-selection=(), sync-xhr=(self), unoptimized-images=(self), unsized-media=(self), usb=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=()')
})

Expand Down Expand Up @@ -958,7 +958,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
const { headers } = res
const csp = headers.get('content-security-policy')
expect(csp).toBeDefined()
expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
const rp = headers.get('referrer-policy')
expect(rp).toBeDefined()
expect(rp).toBe('no-referrer')
