fix(csp): apply right csp header when status code is 304 (#8352)

2024-11-23 06:05:11 +00:00 · 2020-11-25 22:22:32 +08:00 · 2020-11-25 22:22:32 +08:00 · 135456f051
commit 135456f051
parent 691f21c683
1 changed files with 8 additions and 8 deletions
--- a/packages/server/src/middleware/nuxt.js
+++ b/packages/server/src/middleware/nuxt.js
@ -36,6 +36,14 @@ export default ({ options, nuxt, renderRoute, resources }) => async function nux
      res.statusCode = context.nuxt.error.statusCode || 500
    }

+    if (options.render.csp && cspScriptSrcHashes) {
+      const { allowedSources, policies } = options.render.csp
+      const isReportOnly = !!options.render.csp.reportOnly
+      const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+
+      res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }))
+    }
+
    // Add ETag header
    if (!error && options.render.etag) {
      const { hash } = options.render.etag
@ -69,14 +77,6 @@ export default ({ options, nuxt, renderRoute, resources }) => async function nux
      }
    }

-    if (options.render.csp && cspScriptSrcHashes) {
-      const { allowedSources, policies } = options.render.csp
-      const isReportOnly = !!options.render.csp.reportOnly
-      const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
-
-      res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }))
-    }
-
    // Send response
    res.setHeader('Content-Type', 'text/html; charset=utf-8')
    res.setHeader('Accept-Ranges', 'none') // #3870