Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(csp): Extend CSP support of SSG mode #272

Merged
merged 1 commit into from
Oct 30, 2023
Merged

feat(csp): Extend CSP support of SSG mode #272

merged 1 commit into from
Oct 30, 2023

Conversation

vejja
Copy link
Collaborator

@vejja vejja commented Oct 29, 2023
edited
Loading

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Extend CSP support of SSG applications:

  • parse all HTML sections
  • hashes for inline styles
  • hashes for external scripts
  • CSP headers for static nitro presets

Description

This PR extends how we support CSP for SSG applications.

Currently, in SSG mode, Nuxt Security only searches for inline scripts in the bodyAppend section of Ntro's html rendering step.

With this PR, the following functionalities are added:

  • Scan all sections of the html being rendered by Nitro.
    This covers the case where scripts or styles are added to the <head> tag, or to other parts of the <body> section.

  • Scan inline styles, and add SHA hashes to the style-src policy.
    This covers the case where, in the absence of the unsafe-inline value, CSP requires that inline styles are individually authorized.

  • Scan external script ressources that carry the integrity attribute and add SHA hashes to the script-src policy.
    This covers the case where an external ressource is not explicitely whitelisted (or where whitelisting is ignored by the use of strict-dynamic).
    In that case, CSP provides the ability to authorize an external script by its hash, provided this hash is present in its integrity attribute.

In addition, this PR improves SSG support for hosting providers that can automatically generate headers for static serving via their nitro: preset option.

  • For such hosting providers, the static server now returns HTTP headers with the correct CSP policy
  • In all cases, the same policy is still being provided via the <meta http-equiv> tag. This ensures that, for hosting providers that cannot set HTTP headers, the static CSP policy is still being provided.

Note: This PR does not make any change to CSP in SSR mode

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes (if not applicable, please state why)

@vercel
Copy link

vercel bot commented Oct 29, 2023
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
nuxt-security ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 30, 2023 11:08am

@vejja vejja changed the base branch from main to chore/1.0.0-rc.3 October 29, 2023 19:02
@vejja vejja marked this pull request as ready for review October 29, 2023 19:03
@Baroshem
Copy link
Owner

Hey @vejja

Could you please rebase your branch?

Unless you think that it will be better to release this functionality in rc.4?

@vejja
Copy link
Collaborator Author

vejja commented Oct 30, 2023

Hey @vejja

Could you please rebase your branch?

Unless you think that it will be better to release this functionality in rc.4?

Sure, done now

@Baroshem
Copy link
Owner

Thanks @vejja really nice addition! :)

@Baroshem Baroshem merged commit 1f83cb2 into Baroshem:chore/1.0.0-rc.3 Oct 30, 2023
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Baroshem Baroshem Baroshem approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vejja @Baroshem