refactor(csp): remove unsafe-eval in dev mode (#7659)

Xin Du (Clark) 2020-07-02 18:37:55 +01:00 committed by GitHub
parent d4363d4477
commit 03424513ce
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 4 deletions


@ -74,7 +74,7 @@ export default ({ options, nuxt, renderRoute, resources }) => async function nux
const isReportOnly = !!options.render.csp.reportOnly const isReportOnly = !!options.render.csp.reportOnly
const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy' const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isDev: options.dev, isReportOnly })) res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }))
} }
// Send response // Send response
@ -126,9 +126,9 @@ const defaultPushAssets = (preloadFiles, shouldPush, publicPath, options) => {
return links return links
} }
const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isDev, isReportOnly }) => { const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }) => {
const joinedHashes = cspScriptSrcHashes.join(' ') const joinedHashes = cspScriptSrcHashes.join(' ')
const baseCspStr = `script-src 'self'${isDev ? ' \'unsafe-eval\'' : ''} ${joinedHashes}` const baseCspStr = `script-src 'self' ${joinedHashes}`
const policyObjectAvailable = typeof policies === 'object' && policies !== null && !Array.isArray(policies) const policyObjectAvailable = typeof policies === 'object' && policies !== null && !Array.isArray(policies)
if (Array.isArray(allowedSources) && allowedSources.length) { if (Array.isArray(allowedSources) && allowedSources.length) {
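Review bot: The new `baseCspStr` line carries no comment explaining that dev mode is now held to the same hash-based `script-src` as production, so the next maintainer is likely to re-add `'unsafe-eval'` the first time a dev build is blocked. I would add above that line: `// Dev mode no longer gets 'unsafe-eval'; if the dev build relies on an eval-based devtool, the user must opt in via policies['script-src'] rather than the middleware adding it. — confirm against the dev webpack config`, hedged because the devtool setting is not visible here. A small grammar point: when `cspScriptSrcHashes` is empty the template yields `script-src 'self' ` with a trailing space, which browsers tolerate but which is cheap to avoid with `['\'self\'', ...cspScriptSrcHashes].join(' ')`. The enclosing `getCspString` body continues past the end of the hunk, and the middleware function it is called from begins before it.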


@ -265,7 +265,7 @@ describe('server: nuxtMiddleware', () => {
expect(res.setHeader).nthCalledWith( expect(res.setHeader).nthCalledWith(
1, 1,
'Content-Security-Policy-Report-Only', 'Content-Security-Policy-Report-Only',
"script-src 'self' 'unsafe-eval' sha256-hashes /nuxt/*.js /nuxt/images/*" "script-src 'self' sha256-hashes /nuxt/*.js /nuxt/images/*"
) )
}) })
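Review bot: The updated expectation only re-checks the report-only fixture; nothing in this hunk asserts that `options.dev = true` no longer produces `'unsafe-eval'`, which is the behaviour the commit introduces and the one most likely to regress. A companion case that renders with `dev: true` and checks `expect(res.setHeader).nthCalledWith(1, 'Content-Security-Policy', expect.not.stringContaining("'unsafe-eval'"))` would pin it. The `describe('server: nuxtMiddleware')` block starts before this hunk, so the fixture setup it would reuse is not visible here.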