Skip to content

Commit

Permalink
Merge pull request #475 from dargmuesli/feat/csp/vite
Browse files Browse the repository at this point in the history
feat(csp): support style nonce in development
  • Loading branch information
Baroshem authored Jul 16, 2024
2 parents 02b8280 + ff0ecfe commit b7701f1
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 31 deletions.
31 changes: 0 additions & 31 deletions docs/content/1.documentation/2.headers/1.csp.md
Original file line number Diff line number Diff line change
Expand Up @@ -215,15 +215,6 @@ export default defineNuxtConfig({
- `"'nonce-{{nonce}}'"` placeholder: Include this value in any individual policy that you want to be governed by nonce.


::alert{type="warning"}
Our default recommendation is to avoid using the `"'nonce-{{nonce}}'"` placeholder on `style-src` policy.
<br>
⚠ This is because Nuxt's mechanism for Client-Side hydration of styles could be blocked by CSP in that case.
<br>
For further discussion and alternatives, please refer to our [Advanced Section on Strict CSP](/documentation/advanced/strict-csp).
::


_Note: Nonce only works for SSR. The `nonce` option and the `"'nonce-{{nonce}}'"` placeholders are ignored when you build your app for SSG via `nuxi generate`._


Expand Down Expand Up @@ -304,28 +295,6 @@ Please see below our section on [Integrity Hashes For SSG](#integrity-hashes-for
_Note: Hashes only work for SSG. The `ssg` options are ignored when you build your app for SSR via `nuxi build`._



## Hot reload during development

If you have enabled `nonce-{{nonce}}` on `style-src`, you will need to disable it in order to allow hot reloading during development.

```ts
export default defineNuxtConfig({
security: {
nonce: true,
headers: {
contentSecurityPolicy: {
'style-src': process.env.NODE_ENV === 'development' ?
["'self'", "'unsafe-inline'"] :
["'self'", "'unsafe-inline'", "nonce-{{nonce}}"]
}
}
}
})
```

Note that this is not necessary if you use our default configuration settings.

## Per-route configuration

All Content Security Policy options can be defined on a per-route level.
Expand Down
7 changes: 7 additions & 0 deletions src/runtime/nitro/plugins/40-cspSsrNonce.ts
Original file line number Diff line number Diff line change
Expand Up @@ -53,5 +53,12 @@ export default defineNitroPlugin((nitroApp) => {
return element
})
}

// Add meta header for Vite in development
if (import.meta.dev) {
html.head.push(
`<meta property="csp-nonce" nonce="${nonce}">`,
)
}
})
})

0 comments on commit b7701f1

Please sign in to comment.