Merge branch 'dev' into config-pages-dir
0b1e54dc57
@ -31,7 +31,7 @@ module.exports = {
|
|||||||
page.html = modifyHtml(page.html)
|
page.html = modifyHtml(page.html)
|
||||||
},
|
},
|
||||||
// This hook is called before rendering the html to the browser
|
// This hook is called before rendering the html to the browser
|
||||||
'render:route': (url, page) => {
|
'render:route': (url, page, { req, res }) => {
|
||||||
page.html = modifyHtml(page.html)
|
page.html = modifyHtml(page.html)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -92,7 +92,7 @@ module.exports = function webpackClientConfig() {
|
|||||||
new webpack.DefinePlugin(
|
new webpack.DefinePlugin(
|
||||||
Object.assign(env, {
|
Object.assign(env, {
|
||||||
'process.env.NODE_ENV': JSON.stringify(
|
'process.env.NODE_ENV': JSON.stringify(
|
||||||
env.NODE_ENV || (this.options.dev ? 'development' : 'production')
|
this.options.env.NODE_ENV || (this.options.dev ? 'development' : 'production')
|
||||||
),
|
),
|
||||||
'process.env.VUE_ENV': JSON.stringify('client'),
|
'process.env.VUE_ENV': JSON.stringify('client'),
|
||||||
'process.mode': JSON.stringify(this.options.mode),
|
'process.mode': JSON.stringify(this.options.mode),
|
||||||
|
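Review bot: Everything merged on the `Object.assign(env, { … })` line is inlined into the browser bundle by `webpack.DefinePlugin`, and the new `this.options.env.NODE_ENV` read makes the client build depend directly on user config without saying so anywhere; if, as the name suggests, `env` is built from `this.options.env` (its construction is outside the hunk), any secret a user puts in `env` becomes browser-visible JavaScript. I would add above `new webpack.DefinePlugin(`: `// NOTE: every key in options.env is baked into the client bundle by DefinePlugin — never put secrets there`. The same NODE_ENV fallback expression is duplicated in the server config hunk of this commit; a shared helper would keep the two from drifting. webpackClientConfig starts outside the hunk.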
@ -47,7 +47,7 @@ module.exports = function webpackServerConfig() {
|
|||||||
new webpack.DefinePlugin(
|
new webpack.DefinePlugin(
|
||||||
Object.assign(env, {
|
Object.assign(env, {
|
||||||
'process.env.NODE_ENV': JSON.stringify(
|
'process.env.NODE_ENV': JSON.stringify(
|
||||||
env.NODE_ENV || (this.options.dev ? 'development' : 'production')
|
this.options.env.NODE_ENV || (this.options.dev ? 'development' : 'production')
|
||||||
),
|
),
|
||||||
'process.env.VUE_ENV': JSON.stringify('server'),
|
'process.env.VUE_ENV': JSON.stringify('server'),
|
||||||
'process.mode': JSON.stringify(this.options.mode),
|
'process.mode': JSON.stringify(this.options.mode),
|
||||||
|
@ -313,7 +313,9 @@ Options.defaults = {
|
|||||||
push: false,
|
push: false,
|
||||||
shouldPush: null
|
shouldPush: null
|
||||||
},
|
},
|
||||||
static: {},
|
static: {
|
||||||
|
prefix: true
|
||||||
|
},
|
||||||
gzip: {
|
gzip: {
|
||||||
threshold: 0
|
threshold: 0
|
||||||
},
|
},
|
||||||
@ -323,7 +325,8 @@ Options.defaults = {
|
|||||||
csp: {
|
csp: {
|
||||||
enabled: false,
|
enabled: false,
|
||||||
hashAlgorithm: 'sha256',
|
hashAlgorithm: 'sha256',
|
||||||
allowedSources: []
|
allowedSources: undefined,
|
||||||
|
policies: undefined
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
watchers: {
|
watchers: {
|
||||||
|
@ -10,7 +10,7 @@ module.exports = async function nuxtMiddleware(req, res, next) {
|
|||||||
res.statusCode = 200
|
res.statusCode = 200
|
||||||
try {
|
try {
|
||||||
const result = await this.renderRoute(req.url, context)
|
const result = await this.renderRoute(req.url, context)
|
||||||
await this.nuxt.callHook('render:route', req.url, result)
|
await this.nuxt.callHook('render:route', req.url, result, context)
|
||||||
const {
|
const {
|
||||||
html,
|
html,
|
||||||
cspScriptSrcHashes,
|
cspScriptSrcHashes,
|
||||||
@ -68,12 +68,31 @@ module.exports = async function nuxtMiddleware(req, res, next) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (this.options.render.csp && this.options.render.csp.enabled) {
|
if (this.options.render.csp && this.options.render.csp.enabled) {
|
||||||
const allowedSources = cspScriptSrcHashes.concat(this.options.render.csp.allowedSources)
|
const allowedSources = this.options.render.csp.allowedSources
|
||||||
|
const policies = this.options.render.csp.policies ? {...this.options.render.csp.policies} : null
|
||||||
|
let cspStr = `script-src 'self' ${(cspScriptSrcHashes).join(' ')}`
|
||||||
|
if (Array.isArray(allowedSources)) {
|
||||||
|
// For compatible section
|
||||||
|
cspStr = `script-src 'self' ${cspScriptSrcHashes.concat(allowedSources).join(' ')}`
|
||||||
|
} else if (typeof policies === 'object' && policies !== null && !Array.isArray(policies)) {
|
||||||
|
// Set default policy if necessary
|
||||||
|
if (!policies['script-src'] || !Array.isArray(policies['script-src'])) {
|
||||||
|
policies['script-src'] = [`'self'`].concat(cspScriptSrcHashes)
|
||||||
|
} else {
|
||||||
|
policies['script-src'] = cspScriptSrcHashes.concat(policies['script-src'])
|
||||||
|
if (!policies['script-src'].includes(`'self'`)) {
|
||||||
|
policies['script-src'] = [`'self'`].concat(policies['script-src'])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
res.setHeader(
|
// Make content-security-policy string
|
||||||
'Content-Security-Policy',
|
let cspArr = []
|
||||||
`script-src 'self' ${(allowedSources).join(' ')}`
|
Object.keys(policies).forEach((k) => {
|
||||||
)
|
cspArr.push(`${k} ${policies[k].join(' ')}`)
|
||||||
|
})
|
||||||
|
cspStr = cspArr.join('; ')
|
||||||
|
}
|
||||||
|
res.setHeader('Content-Security-Policy', cspStr)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Send response
|
// Send response
|
||||||
|
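Review bot: `cspArr.push(`${k} ${policies[k].join(' ')}`)` assumes every directive value in `csp.policies` is an array, but only `script-src` is guarded with `Array.isArray`, so a directive configured as a plain string (`'default-src': "'none'"`) throws a TypeError on the request path and every SSR route returns an error instead of a policy. Normalising the value, e.g. `cspArr.push(`${k} ${[].concat(policies[k]).join(' ')}`)`, keeps the documented array form working while tolerating a string. The `{...this.options.render.csp.policies}` copy is shallow, though as far as this hunk shows only `policies['script-src']` is reassigned via `concat`, so the user's option arrays are not mutated. The header is rebuilt from options on every request; the non-hash part could be computed once at startup. nuxtMiddleware and the origin of `cspScriptSrcHashes` lie outside the hunk.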
@ -255,6 +255,8 @@ module.exports = class Renderer {
|
|||||||
this.options.render.static
|
this.options.render.static
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
staticMiddleware.prefix = this.options.render.static.prefix
|
||||||
|
this.useMiddleware(staticMiddleware)
|
||||||
|
|
||||||
// Serve .nuxt/dist/ files only for production
|
// Serve .nuxt/dist/ files only for production
|
||||||
// For dev they will be served with devMiddleware
|
// For dev they will be served with devMiddleware
|
||||||
|
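--- /dev/null
+++ b/test/basic.ssr.csp.test.js
@@ -0,0 +1,122 @@
+import test from 'ava'
+import { resolve } from 'path'
+import rp from 'request-promise-native'
+import { Nuxt, Builder } from '..'
+import { interceptLog } from './helpers/console'
+
+const port = 4005
+const url = route => 'http://localhost:' + port + route
+
+// Init nuxt.js and create server listening on localhost:4005
+const startCSPTestServer = async (t, csp) => {
+  const options = {
+    rootDir: resolve(__dirname, 'fixtures/basic'),
+    buildDir: '.nuxt-ssr',
+    dev: false,
+    head: {
+      titleTemplate(titleChunk) {
+        return titleChunk ? `${titleChunk} - Nuxt.js` : 'Nuxt.js'
+      }
+    },
+    build: { stats: false },
+    render: { csp }
+  }
+
+  let nuxt = null
+  const logSpy = await interceptLog(async () => {
+    nuxt = new Nuxt(options)
+    const builder = await new Builder(nuxt)
+    await builder.build()
+    await nuxt.listen(port, '0.0.0.0')
+  })
+
+  t.true(logSpy.calledWithMatch('DONE'))
+  t.true(logSpy.calledWithMatch('OPEN'))
+
+  return nuxt
+}
+
+test.serial('Not contain Content-Security-Policy header, when csp.enabled is not set', async t => {
+  const nuxt = await startCSPTestServer(t, {})
+  const { headers } = await rp(url('/stateless'), {
+    resolveWithFullResponse: true
+  })
+
+  t.is(headers['content-security-policy'], undefined)
+
+  await nuxt.close()
+})
+
+test.serial('Contain Content-Security-Policy header, when csp.enabled is only set', async t => {
+  const cspOption = {
+    enabled: true
+  }
+
+  const nuxt = await startCSPTestServer(t, cspOption)
+  const { headers } = await rp(url('/stateless'), {
+    resolveWithFullResponse: true
+  })
+
+  t.regex(headers['content-security-policy'], /^script-src 'self' 'sha256-.*'$/)
+
+  await nuxt.close()
+})
+
+test.serial('Contain Content-Security-Policy header, when csp.allowedSources set', async t => {
+  const cspOption = {
+    enabled: true,
+    allowedSources: ['https://example.com', 'https://example.io']
+  }
+
+  const nuxt = await startCSPTestServer(t, cspOption)
+  const { headers } = await rp(url('/stateless'), {
+    resolveWithFullResponse: true
+  })
+
+  t.regex(headers['content-security-policy'], /^script-src 'self' 'sha256-.*'/)
+  t.true(headers['content-security-policy'].includes('https://example.com'))
+  t.true(headers['content-security-policy'].includes('https://example.io'))
+
+  await nuxt.close()
+})
+
+test.serial('Contain Content-Security-Policy header, when csp.policies set', async t => {
+  const cspOption = {
+    enabled: true,
+    policies: {
+      'default-src': [`'none'`],
+      'script-src': ['https://example.com', 'https://example.io']
+    }
+  }
+
+  const nuxt = await startCSPTestServer(t, cspOption)
+  const { headers } = await rp(url('/stateless'), {
+    resolveWithFullResponse: true
+  })
+
+  t.regex(headers['content-security-policy'], /default-src 'none'/)
+  t.regex(headers['content-security-policy'], /script-src 'self' 'sha256-.*'/)
+  t.true(headers['content-security-policy'].includes('https://example.com'))
+  t.true(headers['content-security-policy'].includes('https://example.io'))
+
+  await nuxt.close()
+})
+
+test.serial('Contain Content-Security-Policy header, when csp.policies.script-src is not set', async t => {
+  const cspOption = {
+    enabled: true,
+    policies: {
+      'default-src': [`'none'`]
+    }
+  }
+
+  const nuxt = await startCSPTestServer(t, cspOption)
+  const { headers } = await rp(url('/stateless'), {
+    resolveWithFullResponse: true
+  })
+
+  t.regex(headers['content-security-policy'], /default-src 'none'/)
+  t.regex(headers['content-security-policy'], /script-src 'self' 'sha256-.*'/)
+
+  await nuxt.close()
+})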
@ -9,7 +9,7 @@ const url = route => 'http://localhost:' + port + route
|
|||||||
|
|
||||||
let nuxt = null
|
let nuxt = null
|
||||||
|
|
||||||
// Init nuxt.js and create server listening on localhost:4003
|
// Init nuxt.js and create server listening on localhost:4004
|
||||||
test.serial('Init Nuxt.js', async t => {
|
test.serial('Init Nuxt.js', async t => {
|
||||||
const options = {
|
const options = {
|
||||||
rootDir: resolve(__dirname, 'fixtures/basic'),
|
rootDir: resolve(__dirname, 'fixtures/basic'),
|
||||||
@ -22,12 +22,6 @@ test.serial('Init Nuxt.js', async t => {
|
|||||||
},
|
},
|
||||||
build: {
|
build: {
|
||||||
stats: false
|
stats: false
|
||||||
},
|
|
||||||
render: {
|
|
||||||
csp: {
|
|
||||||
enabled: true,
|
|
||||||
allowedSources: ['https://example.com', 'https://example.io']
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -253,16 +247,6 @@ test('ETag Header', async t => {
|
|||||||
t.is(error.statusCode, 304)
|
t.is(error.statusCode, 304)
|
||||||
})
|
})
|
||||||
|
|
||||||
test('Content-Security-Policy Header', async t => {
|
|
||||||
const { headers } = await rp(url('/stateless'), {
|
|
||||||
resolveWithFullResponse: true
|
|
||||||
})
|
|
||||||
// Verify functionality
|
|
||||||
t.regex(headers['content-security-policy'], /script-src 'self' 'sha256-.*'/)
|
|
||||||
t.true(headers['content-security-policy'].includes('https://example.com'))
|
|
||||||
t.true(headers['content-security-policy'].includes('https://example.io'))
|
|
||||||
})
|
|
||||||
|
|
||||||
test('/_nuxt/server-bundle.json should return 404', async t => {
|
test('/_nuxt/server-bundle.json should return 404', async t => {
|
||||||
const err = await t.throws(
|
const err = await t.throws(
|
||||||
rp(url('/_nuxt/server-bundle.json'), { resolveWithFullResponse: true })
|
rp(url('/_nuxt/server-bundle.json'), { resolveWithFullResponse: true })
|
||||||
|