nuxt-security: CSP errors on basic install Nuxt 3

This module with default config throws CSP errors with a basic Nuxt 3 app with hardly any content. Something about inline scripts is the issue.

Refused to execute inline script because it violates the following Content Security Policy directive: 
"script-src 'sha256-RvFvkGw+VFj3DQC9iRjKgy66jMeVcehbEbfjrSq1BkM='". 
Either the 'unsafe-inline' keyword, a hash ('sha256-U3lhtYYlwH/zB25t+FJsw10XiovlTTLIjrabXqS26fI='), 
or a nonce ('nonce-...') is required to enable inline execution.

Version

nuxt-security: v0.11.0
nuxt: v3.2.0

Steps to reproduce

basic Nuxt 3 App with this module

What is Expected?

For there not to be CSP errors in http://localhost:3210 or https://production.com, when all the content is on the same site

About this issue

  • State: closed
  • Created a year ago
  • Comments: 17 (10 by maintainers)

Most upvoted comments

Thanks for the stackblitz reproduction.

The problem you encountered is actually because of how Nuxt 3 works, not the module.

You enabled 'script-src': ["'self'"], which actually stops Nuxt from working correctly. This is also why in the default configuration of the module, I am not setting this directive.

I have the same issue. In Nuxt 2, the CSP plugin injects the hash of the <script> tag that contains all the Nuxt SSR data into the final output header. As far as we can see, this module doesn’t do that.
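
Added example, not part of the issue thread and not nuxt-security's or Nuxt's code: a Node.js check that hashes each inline script in rendered HTML and lists the ones whose hash is missing from the policy, which is the mismatch the console error above reports. The HTML, the policy and all function names are constructed for illustration; only sha256 hash sources are compared and nonces are not matched.

```javascript
const { createHash } = require('node:crypto');

// CSP hash source for an inline script: base64(SHA-256(exact text content)).
function cspHash(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Text of every inline script (no src attribute). A regex is enough for this
// constructed sample; use a real HTML parser on live pages.
function inlineScripts(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (!/\bsrc\s*=/i.test(attrs) && body.length > 0) found.push(body);
  }
  return found;
}

// Sources governing scripts: script-src, else default-src, else null (no limit).
function scriptSrcSources(policy) {
  const parts = policy.split(';').map((d) => d.trim().split(/\s+/)).filter((p) => p[0]);
  // Reverse so the first occurrence of a duplicated directive wins, as in CSP.
  const byName = new Map(parts.reverse().map(([name, ...src]) => [name.toLowerCase(), src]));
  return byName.get('script-src') ?? byName.get('default-src') ?? null;
}

// Inline scripts a browser would refuse under the given policy.
function blockedInlineScripts(html, policy) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return [];
  const hasHashOrNonce = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // 'unsafe-inline' only takes effect when no hash or nonce source is present.
  if (sources.includes("'unsafe-inline'") && !hasHashOrNonce) return [];
  return inlineScripts(html)
    .map((text) => ({ text, hash: cspHash(text) }))
    .filter(({ hash }) => !sources.includes(hash));
}

// Constructed SSR output: two inline scripts and one external bundle.
const html = `<html><body><div id="__nuxt"></div>
<script>window.__NUXT__={data:{},state:{}}</script>
<script>console.log("inline helper")</script>
<script src="/_nuxt/entry.js"></script></body></html>`;

// Constructed policy that hashes only the first inline script.
const policy = `default-src 'self'; script-src 'self' ${cspHash('window.__NUXT__={data:{},state:{}}')}`;

console.log(blockedInlineScripts(html, policy));
```

Because the hash covers the exact text of the script element, any per-request change in the SSR payload changes the hash, so it has to be computed on the final rendered HTML.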

@Baroshem it works there Stackblitz. Maybe something is wrong somewhere on my computer. Thanks for the help.