fix(csp): ensure-plugins-last #271

Merged
merged 16 commits into from
Oct 30, 2023

Conversation

Collaborator

@vejja vejja commented Oct 28, 2023

  • put our security plugins last
  • allows inserting nonces after all external scripts have been inserted

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

This PR ensures that the Nitro plugins installed by Nuxt Security will run last in order.

It is important for CSP nonces to be injected in the final HTML only after third-party modules have finished running.

Background: When a Nuxt application uses several third-party modules, these third-party modules sometimes inject script tags. If they run after us, our nonces will not be injected in such script tags and this will result in a CSP denial, preventing the application from rendering.

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes (if not applicable, please state why)
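
The ordering problem described in this PR, as an added example that is not code from the PR or from Nuxt Security: a minimal stand-in for a render pipeline whose handlers run in registration order, showing which script tags are left without a nonce when the nonce plugin runs before or after a script-injecting module. The names `createApp`, `thirdPartyPlugin`, `noncePlugin`, `blockedScripts`, `renderWith`, the URLs and the nonce value are all assumptions made for the illustration.

```javascript
// Added illustration: plugins register render handlers that run in
// registration order over the same html object (hypothetical pipeline).
function createApp() {
  const handlers = [];
  return {
    hook: (fn) => handlers.push(fn),
    render(nonce) {
      const html = { head: ['<script src="/_app/entry.js"></script>'], bodyAppend: [] };
      for (const fn of handlers) fn(html, nonce);
      return html;
    },
  };
}

// Stand-in for a third-party module that injects its own script tag.
function thirdPartyPlugin(app) {
  app.hook((html) => {
    html.bodyAppend.push('<script src="https://analytics.example/a.js"></script>');
  });
}

// Stand-in for the security plugin: stamps the nonce on every <script> tag
// that exists at the moment it runs and does not already carry one.
function noncePlugin(app) {
  app.hook((html, nonce) => {
    for (const section of ['head', 'bodyAppend']) {
      html[section] = html[section].map((chunk) =>
        chunk.replace(/<script(?![^>]*\snonce=)([^>]*)>/gi, `<script nonce="${nonce}"$1>`)
      );
    }
  });
}

// Opening script tags that a nonce-only script-src policy would refuse.
function blockedScripts(html, nonce) {
  const tags = [...html.head, ...html.bodyAppend].join('').match(/<script[^>]*>/gi) || [];
  return tags.filter((tag) => !tag.includes(`nonce="${nonce}"`));
}

function renderWith(plugins, nonce) {
  const app = createApp();
  plugins.forEach((plugin) => plugin(app));
  return blockedScripts(app.render(nonce), nonce);
}

// Constructed nonce; a real server generates a fresh random value per response.
const NONCE = 'constructed-nonce-for-demo';
console.log('security first:', renderWith([noncePlugin, thirdPartyPlugin], NONCE));
console.log('security last: ', renderWith([thirdPartyPlugin, noncePlugin], NONCE));
```
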

vejja added 15 commits October 17, 2023 22:38
Now that the TS config is compliant, we can
- remove @ts-ignore overrides
- import from "#imports" instead of importing from dependencies
- no need to import NitroAppPlugin from 'nitropack'
- rename 'nitro' variable to 'nitroApp' for clarity
- conform eslint to standard recommendation
- fix "template root requires one element" in secret.vue
- also conforms 'npm run dev' script setup
- add .nuxtrc autoImport directive in docs/
- enables building outside of root directory
- put our security plugins last
- allows to insert nonces after all external scripts have been inserted

vercel bot commented Oct 28, 2023

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
nuxt-security ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 29, 2023 11:19am

@vejja vejja marked this pull request as ready for review October 28, 2023 17:17
@vejja vejja marked this pull request as draft October 29, 2023 08:41
@vejja vejja changed the title fix: ensure-plugins-last fix(csp): ensure-plugins-last Oct 29, 2023
@vejja vejja marked this pull request as ready for review October 29, 2023 19:01
@Baroshem Baroshem merged commit e8b3651 into nuxt-modules:chore/1.0.0-rc.3 Oct 30, 2023
2 checks passed