nuxt-security: fix: hash generation missing for link as script
Steps to reproduce
Add a <link> header with as="script" attribute and href pointing to a script.
What is Expected?
There should be a hash added to the script-src for that linked script.
What is actually happening?
I think only script tags are accounted for currently and thus <link as="script"> tags are not whitelisted by having a hash added to script-src.
Stylesheets could benefit from that as well, I guess.
About this issue
- State: closed
- Created 8 months ago
- Comments: 21 (11 by maintainers)
ok, I’ll submit a PR that modifies the default config to reflect this
Hey @vejja @dargmuesli
I would vote for the secure one. Users tend to use this module to have opinionated and secure approach in their apps. And if the default one does not work for them, they can always modify and customize it to match their needs
Maybe this is the right moment to mention the discussion in https://github.com/Baroshem/nuxt-security/issues/258. I imagine other modules, let’s take nuxt-gtag for example, to use a hook provided by nuxt-security to add the headers they require automatically for the user. So a user is not required to ever see things like connect-src: https://*.analytics.google.com 🌈 (but could of course if they chose to)
Right, this is because we set hashScripts: true by default 🤯 So what you are seeing are the hashes for the inline scripts. In your case, CSP is blocking the external scripts, hence the requirement for 'self' 🤯🤯
A static build yields in firefox:
Mentioning those head links:
