docs(csp): Documentation on CSP #282
1. **`useHead` composable** - If you are dynamically adding script or link tags in your application using the `useHead` composable, all nonce values will be automatically added.
However, take note that due to [a current bug in unjs/unhead](https://github.com/unjs/unhead/issues/136), you'll need to add a workaround **when using ssr** to prevent double loading and executing of your scripts when using nonce.
I am not sure unhead has a bug; this seems normal to me.
I am leaving the note, but rather in the form of a comment in the code section just below.
2. **Directly inserting tags into DOM** - If you are unable or unwilling to use `useHead` and are inserting directly into the DOM (e.g. `document.createElement`), you can get the current valid nonce value using the `useNonce` composable:
It's not clear to me why there would be a need for a `useNonce` composable.
We are already adding the nonce to all HTML elements, so this does not seem necessary.
I am taking this paragraph out of this page, but leaving the documentation about `useNonce` in the FAQ.
```html
<NuxtImg src="https://localhost:8000/api/image/xyz" :nonce="nonce" />
```
Images are not nonceable, so this looks unnecessary too.
I am taking this paragraph out from here, but leaving the comments about `NuxtImg` in the FAQ.
Nuxt Security will be clever enough to pick up the integrity attributes and add them to the `script-src` policy if the `ssg: hashScripts` option is set to `true`.
I am leaving out important details at this stage on Subresource Integrity, but I will include them as soon as we merge the SRI feature.
It is a critical component that needs to be included to ensure efficient whitelisting in SSG mode.
Wowww, this is such amazing work @vejja! Thank you so much for this detailed explanation of the usage. I am sure that community members and module users would benefit a lot from this documentation section. I will review it in the upcoming days, but TBH after a rough look, I think I won't have that many concerns. I like your way of writing. Maybe I will just find some nitpicks to cover, as the general idea is really, really good!
I don't have any comments. Really well written documentation. I am merging it right now! I might have some small corrections before releasing 1.0.0-rc.4, but it will be mainly about styling probably. Great work, thank you!
Types of changes
Modify & Update the CSP documentation section
Create an Advanced Section on CSP with knowledge base