feat: ssg script hashes support

nuxt-modules · Oct 11, 2023 · 644deee · 644deee
1 parent 4942b07
commit 644deee
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 3 deletions.
diff --git a/docs/content/1.documentation/1.getting-started/2.configuration.md b/docs/content/1.documentation/1.getting-started/2.configuration.md
@@ -26,6 +26,7 @@ interface ModuleOptions {
   csrf: CsrfOptions | false;
   nonce: NonceOptions | false;
   removeLoggers?: RemoveOptions | false;
+  ssg?: Ssg;
 }
 ```
 
@@ -108,6 +109,9 @@ security: {
     consoleType: ['log', 'debug'],
     include: [/\.[jt]sx?$/, /\.vue\??/],
     exclude: [/node_modules/, /\.git/]
+  },
+  ssg: {
+    hashScripts: true
   }
 }
 ```

diff --git a/docs/content/1.documentation/2.headers/1.csp.md b/docs/content/1.documentation/2.headers/1.csp.md
@@ -137,6 +137,18 @@ This will result in following code being added to your static app `<head>` tag:
 ℹ Read more about this [here](https://content-security-policy.com/examples/meta/).
 ::
 
+By default, Nuxt Security will generate script hashes for you. If you do not want this functionality you can disable it like following:
+
+```ts
+export default defineNuxtConfig({
+  security: {
+    ssg: {
+      hashScripts: false
+    }
+  }
+})
+```
+
 ## `Nonce support`
 
 To further increase CSP security, you can use a [nonce-based strict csp](https://web.dev/strict-csp/#what-is-a-strict-content-security-policy).

diff --git a/docs/package.json b/docs/package.json
@@ -13,5 +13,8 @@
     "@nuxtlabs/github-module": "^1.6.3",
     "@nuxtjs/plausible": "^0.2.1",
     "nuxt": "^3.5.3"
-  }
+  },
+  "resolutions": {
+    "string-width": "4.2.3"
+ }
 }
diff --git a/src/defaultConfig.ts b/src/defaultConfig.ts
@@ -76,5 +76,8 @@ export const defaultSecurityConfig = (serverlUrl: string): ModuleOptions => ({
     consoleType: ['log', 'debug'],
     include: [/\.[jt]sx?$/, /\.vue\??/],
     exclude: [/node_modules/, /\.git/]
+  },
+  ssg: {
+    hashScripts: true
   }
 })
diff --git a/src/runtime/nitro/plugins/02-cspSsg.ts b/src/runtime/nitro/plugins/02-cspSsg.ts
@@ -21,10 +21,11 @@ interface NuxtRenderHTMLContext {
   bodyAppend: string[]
 }
 
+const moduleOptions = useRuntimeConfig().security as ModuleOptions
+
 export default <NitroAppPlugin> function (nitro) {
   nitro.hooks.hook('render:html', (html: NuxtRenderHTMLContext, { event }: { event: H3Event }) => {
     // Content Security Policy
-    const moduleOptions = useRuntimeConfig().security as ModuleOptions
 
     if (!isContentSecurityPolicyEnabled(event, moduleOptions)) {
       return
@@ -60,7 +61,7 @@ export default <NitroAppPlugin> function (nitro) {
     }
 
     const tagPolicies = defu(policies) as ContentSecurityPolicyValue
-    if (scriptHashes.length > 0) {
+    if (scriptHashes.length > 0 && moduleOptions.ssg?.hashScripts) {
       // Remove '""'
       tagPolicies['script-src'] = (tagPolicies['script-src'] ?? []).concat(scriptHashes)
     }

diff --git a/src/types/index.ts b/src/types/index.ts
@@ -4,6 +4,10 @@ import type { Options as RemoveOptions } from 'unplugin-remove/types'
 import { SecurityHeaders } from './headers'
 import { AllowedHTTPMethods, BasicAuth, CorsOptions, NonceOptions, RateLimiter, RequestSizeLimiter, XssValidator } from './middlewares'
 
+export type Ssg = {
+  hashScripts?: boolean;
+};
+
 export interface ModuleOptions {
   headers: SecurityHeaders | false;
   requestSizeLimiter: RequestSizeLimiter | false;
@@ -17,6 +21,7 @@ export interface ModuleOptions {
   csrf: CsrfOptions | false;
   nonce: NonceOptions | false;
   removeLoggers?: RemoveOptions | false;
+  ssg?: Ssg;
 }
 
 export interface NuxtSecurityRouteRules {