Subresource Integrity error #395

Closed
DamianGlowala opened this issue Mar 6, 2024 · 18 comments · Fixed by #396, #399 or #435
Labels
bug Something isn't working

Comments

@DamianGlowala
Contributor

DamianGlowala commented Mar 6, 2024

Version

nuxt-security: 1.2.1
nuxt: 3.10.3

Reproduction Link

n/a

Steps to reproduce

n/a

What is Expected?

No SRI error after deploying to Azure Static Web Apps with azure preset with default Nuxt Security's SRI config.

What is actually happening?

image

@DamianGlowala DamianGlowala added the bug Something isn't working label Mar 6, 2024
@Baroshem
Collaborator

Baroshem commented Mar 6, 2024

Hey @DamianGlowala

Thanks for reporting this issue.

@vejja do you maybe have a clue what could be the issue here?

@vejja
Collaborator

vejja commented Mar 6, 2024

Looking at it right now, I can confirm the issue

@vejja
Collaborator

vejja commented Mar 6, 2024

@DamianGlowala we are facing the regression since Nuxt 3.9.0
Not sure where it comes from, but Buffers are involved in the bug

@Baroshem: the easiest way to fix the issue is to upgrade from Nuxt 3.8 to Nuxt 3.10, are you ok with that?

@DamianGlowala
Contributor Author

@vejja, really appreciate you looking into this!

Shall I temporarily try overriding nuxt dependency to e.g. 3.10.3 and see whether this works?

@vejja
Collaborator

vejja commented Mar 6, 2024

> @vejja, really appreciate you looking into this!
>
> Shall I temporarily try overriding nuxt dependency to e.g. 3.10.3 and see whether this works?

It won't work by only upgrading version
Issue in detail is that unstorage's getItem method can now sometimes return a Buffer instead of an object at https://github.com/Baroshem/nuxt-security/blob/main/src/runtime/nitro/plugins/03-subresourceIntegrity.ts#L25

@vejja
Collaborator

vejja commented Mar 6, 2024

Update
It's difficult to fix both for Nuxt 3.8 and 3.9+
The reason is that something has changed in the way Nuxt bundles strings:

  • Up until 3.8, strings were bundled as strings :
    [Screenshot 2024-03-06 at 15 25 08]

  • From 3.9, strings are converted to base64 Uint8Array :
    [Screenshot 2024-03-06 at 15 26 52]

I think this could be related to the upgrade to Vite 5 / Rollup 4 that happened with Nuxt 3.9

I am submitting a PR to fix, it includes the upgrade to Nuxt 3.10

@DamianGlowala I can see that you are involved in Nuxt Core, if you have some smarter alternative let me know
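
The failure mode described in the comments above (the stored hash map arriving as a Buffer or encoded bytes instead of an object) can be absorbed by normalizing the value before it is used to emit `integrity` attributes. This is an added example, not code from the thread or from nuxt-security; the function names, the JSON shape (asset path mapped to SRI value) and the base64 fallback are assumptions.

```javascript
// Added example: hypothetical helper names, not nuxt-security's implementation.
// An SRI value is "<algo>-<base64 digest>" with algo sha256, sha384 or sha512.
const SRI_VALUE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Parse text as JSON and accept only a plain (non-array) object.
function parseJsonObject(text) {
  try {
    const value = JSON.parse(text);
    return value !== null && typeof value === 'object' && !Array.isArray(value) ? value : null;
  } catch {
    return null;
  }
}

// Turn whatever the storage layer returned into a candidate object, or null.
function toCandidate(raw) {
  const isBytes = raw instanceof Uint8Array || raw instanceof ArrayBuffer;
  if (raw !== null && typeof raw === 'object' && !isBytes && !Array.isArray(raw)) {
    return raw; // already deserialized by the storage driver
  }
  let text = null;
  if (typeof raw === 'string') text = raw;
  // Buffer is a Uint8Array subclass, so this branch covers both.
  else if (isBytes) text = Buffer.from(raw).toString('utf8');
  if (text === null) return null;
  // Assumption: the bytes hold JSON text, or base64 text wrapping that JSON.
  return parseJsonObject(text) ?? parseJsonObject(Buffer.from(text, 'base64').toString('utf8'));
}

// Returns the validated map plus the paths whose values were not valid SRI
// strings, so the caller can log them instead of emitting a broken attribute.
function normalizeSriHashes(raw) {
  const hashes = Object.create(null); // no prototype: keys like "__proto__" stay inert
  const rejected = [];
  const candidate = toCandidate(raw);
  for (const [path, value] of Object.entries(candidate ?? {})) {
    if (typeof value === 'string' && SRI_VALUE.test(value)) hashes[path] = value;
    else rejected.push(path);
  }
  return { hashes, rejected, parsed: candidate !== null };
}
```

A `parsed: false` result or a non-empty `rejected` list is worth logging at build or startup time, since a malformed `integrity` value makes the browser refuse the asset.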

@vejja vejja self-assigned this Mar 6, 2024
@Baroshem Baroshem linked a pull request Apr 3, 2024 that will close this issue
@Baroshem Baroshem closed this as completed Apr 3, 2024
@Baroshem Baroshem reopened this Apr 3, 2024
@vejja
Collaborator

vejja commented Apr 7, 2024

Hi @Baroshem
I think this one should also be closed by 1.3.1

@Baroshem
Collaborator

Baroshem commented Apr 7, 2024

@DamianGlowala could you confirm?

@DamianGlowala
Contributor Author

I've updated to v1.3.2, removed sri: false and the issue appears to remain.

@vejja
Collaborator

vejja commented Apr 18, 2024

Hi @DamianGlowala
Is it possible to nuxi upgrade --force if you are still with Nuxt 3.10 ?

@DamianGlowala
Contributor Author

I am currently on Nuxt v3.11.2. Ran the nuxi upgrade --force and had a look at the lockfile - nothing relevant changed which could have an impact on Nuxt Security module, only @vue/compiler-sfc version bumps 😄

@vejja
Collaborator

vejja commented Apr 18, 2024

This is really annoying...
Would you mind backing up the lockfile, deleting it and also the whole node_modules directory, and then reinstalling with a fresh npm install ? Then comparing the 2 lockfiles ?
Sorry to ask for such a dumb approach, but if you can do this it would be very helpful because I think we have a dependency issue and I can't locate it

@Baroshem
Collaborator

Baroshem commented Apr 22, 2024

@DamianGlowala have you tried it? :)

(Closed by mistake)

@Baroshem Baroshem reopened this Apr 22, 2024
@vejja
Collaborator

vejja commented Apr 23, 2024

Hi @DamianGlowala

I managed to track the upstream error. Source issue is in [email protected]: nitrojs/nitro#2217
Was resolved by nitrojs/nitro#2239 which was merged in [email protected]

Could you check this dependency to see if it works now ?

@DamianGlowala
Contributor Author

Hi @vejja!

I am currently using [email protected]. Checked the lockfile and no other version is listed there. Might try adding an override anyway and see whether this works. Thank you so much for the help so far!

@Baroshem
Collaborator

@vejja @DamianGlowala I released patch 1.4.3 with a fix for that. Could you check if it works now? :)

@DamianGlowala
Contributor Author

DamianGlowala commented May 23, 2024

I can confirm the error is gone, thanks! :)

@Baroshem
Collaborator

Awesome thank you guys! 💚

3 participants