Cannot use nonce in nuxt-security:headers hook #407
Comments
Hey, thanks for reporting this. @vejja @huang-julien do you have some ideas about it? :)
@jackpercy-acl : does it work if you don't use the runtime config and instead use the default
@vejja yes, it works fine if configuring only in
Thanks
@huang-julien if you check the headers on the returned doc rather than logging I assume this
Version
nuxt-security: 1.2.2
nuxt: 3.11.1
Reproduction Link
https://stackblitz.com/edit/nuxt-security-missing-nonce?file=server%2Fplugins%2Fsecurity.ts
Steps to reproduce
1. Use the nuxt-security:headers hook to change the CSP with Runtime Config as per the docs.
2. Use the 'nonce-{{nonce}}' value in one of the CSP values.
What is Expected?
The CSP header should be transformed to include the actual nonce value.
What is actually happening?
The CSP value contains the exact string 'nonce-{{nonce}}'.
By adding some logging into the nuxt-security nitro plugin files, you can see that the custom CSP from the hook is being registered. However, when the plugin 99-cspSsrNonce.ts runs, the CSP value it resolves and replaces the nonces in is the default/nuxt.config.ts CSP.
nuxt-security/src/runtime/nitro/plugins/99-cspSsrNonce.ts, line 43 in 13a96a6
This means we cannot combine using runtime config in the CSP with nonces.