fix(nonce): duplication #586
Comments
Hi @dargmuesli I'm a bit annoyed by this one. On the one hand you have a valid point. Duplicate nonce attributes are not valid, so if a nonce is already present our code should definitely not result in invalid tags. On the other hand, I think the @nuxt/image implementation is wrong, if not dangerous. Allowing users to inject a nonce by themselves opens a whole can of worms security-wise:
In order to properly implement the nonce, users should always rely on Nuxt Security to achieve that. I would seriously recommend to never use the @nuxt/image nonce property. Installing Nuxt Security takes care of injecting nonces automatically and seamlessly, and provides the necessary security guarantees. In conclusion, the best way to address the situation should be: WDYT?
Yes, I agree with this train of thought 👍 Alternatively, I thought about changing nuxt/image so that it doesn't add a duplicate nonce when nuxt-security is detected. But your approach fixes this behavior in a general manner, also for other such sources of confusion.
Pinging our regex czar @GalacticHypernova here 😊
Hey! So sorry for the late response, I've gotten caught up a bit with personal life. I think I know how to do that, would you like me to make a PR? Should it replace instances with a nonce, essentially removing the existing one and overriding it with the nonce from Nuxt Security? The only downside with this is that technically it would indeed make the nonce feature useless in Nuxt Image, which could inadvertently act as a sort of deterrent from using Nuxt Security for people who for some reason would want to use their own nonce. I think the best move here would indeed be to just deprecate the nonce in Nuxt Image, to allow only Nuxt Security to handle, well, security.
Hey @GalacticHypernova yes a PR would be great, thanks
Yes, that’s exactly it
I think it’s ok, as long as we only replace the nonce attribute in the html tag and we don’t delete the nonce value in the CSP header itself, we are not modifying any existing functionality in Nuxt Image, but we are improving security
Environment
Nuxt Security Version
v2.1.5
Default setup used?
Yes, the bug happens even if the security option is not customized
Reproduction
will provide if necessary
Description
Currently a nonce is added to elements regardless of a nonce being applied already. For example, the nuxt/image module allows setting nonces for image preload links. The regexes could be changed to not match elements which already have a nonce added.
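An added example (plain JavaScript, not nuxt-security's or @nuxt/image's own code) of the behaviour discussed in the issue and in the maintainers' comments: a regex-based injector that, instead of appending a second `nonce` attribute to `script`, `style` and `link` tags, strips any author-supplied nonce and sets the server's nonce exactly once, validates the nonce before interpolating it into markup, and keeps the CSP header as the single source of the nonce value. The tag list, the regexes, the function names and the sample markup are assumptions made for the illustration, not the project's real implementation.

```javascript
// Added example, not nuxt-security's code. Tag list and regexes are assumptions
// for the illustration; a real implementation would cover the project's own tag set.
const NONCE_TARGET_TAGS = ['script', 'style', 'link'];

// Opening tag of a target element: captures the tag name and its attribute string.
// Regex-based tag matching has known limits (e.g. a ">" inside a quoted value);
// it is kept simple here because the point is the nonce handling, not parsing.
const OPEN_TAG_RE = new RegExp(`<(${NONCE_TARGET_TAGS.join('|')})(\\s[^>]*)?>`, 'gi');

// An existing nonce attribute (quoted, unquoted or valueless). The leading
// whitespace and trailing lookahead keep "data-nonce" and "noncex" from matching.
const NONCE_ATTR_RE = /\snonce(?:=(?:"[^"]*"|'[^']*'|[^\s>]+))?(?=[\s/]|$)/gi;

// Nonces are base64 from a CSPRNG; refusing anything else prevents a bad value
// from ever terminating the attribute and injecting markup.
function isValidNonce(nonce) {
  return typeof nonce === 'string' && /^[A-Za-z0-9+/=_-]{16,}$/.test(nonce);
}

// Rebuild an opening tag with the server nonce appended, preserving "/>" self-closing.
function rebuildTag(tag, attrs, nonce) {
  const selfClosing = /\/\s*$/.test(attrs);
  const body = attrs.replace(/\s*\/\s*$/, '');
  return `<${tag}${body} nonce="${nonce}"${selfClosing ? ' /' : ''}>`;
}

// The behaviour the issue reports: a nonce is added whether or not one is already
// present, so a tag that came with its own nonce ends up with two (invalid HTML).
function naiveInjectNonce(html, nonce) {
  return html.replace(OPEN_TAG_RE, (_m, tag, attrs = '') => rebuildTag(tag, attrs, nonce));
}

// The fix discussed in the thread: replace any pre-existing nonce attribute so the
// tag carries exactly one nonce, and that nonce is the server's.
function injectNonce(html, nonce) {
  if (!isValidNonce(nonce)) throw new Error('refusing to inject a malformed nonce');
  return html.replace(OPEN_TAG_RE, (_m, tag, attrs = '') =>
    rebuildTag(tag, attrs.replace(NONCE_ATTR_RE, ''), nonce));
}

// Number of target opening tags that carry more than one nonce attribute.
function tagsWithDuplicateNonce(html) {
  let count = 0;
  for (const m of html.matchAll(OPEN_TAG_RE)) {
    const n = ((m[2] || '').match(NONCE_ATTR_RE) || []).length;
    if (n > 1) count += 1;
  }
  return count;
}

// Header side of the contract: the same nonce that went into the tags. Replacing
// attributes in the markup never touches this value.
function buildCspHeader(nonce) {
  return `script-src 'nonce-${nonce}' 'strict-dynamic'; style-src 'nonce-${nonce}'`;
}

function renderWithNonce(html, nonce) {
  return { html: injectNonce(html, nonce), csp: buildCspHeader(nonce) };
}

// Constructed sample: a preload link with an author-supplied nonce (the @nuxt/image
// case from the issue), a plain script, a style with its own nonce, and an unrelated
// data attribute that must be left alone.
const SAMPLE_NONCE = 'c29tZS1yYW5kb20tbm9uY2U'; // constructed, not a real server nonce
const SAMPLE_HTML = [
  '<link rel="preload" as="image" nonce="user-supplied" href="/img/hero.webp" />',
  '<script src="/_nuxt/entry.js"></script>',
  "<style nonce='x'>body{margin:0}</style>",
  '<div data-nonce="not-a-nonce">keep</div>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive duplicates:', tagsWithDuplicateNonce(naiveInjectNonce(SAMPLE_HTML, SAMPLE_NONCE)));
  const out = renderWithNonce(SAMPLE_HTML, SAMPLE_NONCE);
  console.log('fixed duplicates:', tagsWithDuplicateNonce(out.html));
  console.log(out.html);
  console.log(out.csp);
}
```

The interesting check is the last one in the sample: a `data-nonce` attribute on a non-target element survives untouched, while the `nonce="user-supplied"` value disappears from the page entirely, so nothing the author supplied can appear in markup that the CSP header did not authorise.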