From 135456f0517d03f9589e39d5b49355f13d37b1d7 Mon Sep 17 00:00:00 2001
From: Zuckjet <1083941774@qq.com>
Date: Wed, 25 Nov 2020 22:22:32 +0800
Subject: [PATCH] fix(csp): apply right csp header when status code is 304 (#8352)

---
 packages/server/src/middleware/nuxt.js | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/packages/server/src/middleware/nuxt.js b/packages/server/src/middleware/nuxt.js
index b9431cd841..c958a8b109 100644
--- a/packages/server/src/middleware/nuxt.js
+++ b/packages/server/src/middleware/nuxt.js
@@ -36,6 +36,14 @@ export default ({ options, nuxt, renderRoute, resources }) => async function nux
     res.statusCode = context.nuxt.error.statusCode || 500
   }
 
+  if (options.render.csp && cspScriptSrcHashes) {
+    const { allowedSources, policies } = options.render.csp
+    const isReportOnly = !!options.render.csp.reportOnly
+    const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+
+    res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }))
+  }
+
   // Add ETag header
   if (!error && options.render.etag) {
     const { hash } = options.render.etag
@@ -69,14 +77,6 @@ export default ({ options, nuxt, renderRoute, resources }) => async function nux
     }
   }
 
-  if (options.render.csp && cspScriptSrcHashes) {
-    const { allowedSources, policies } = options.render.csp
-    const isReportOnly = !!options.render.csp.reportOnly
-    const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
-
-    res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }))
-  }
-
   // Send response
   res.setHeader('Content-Type', 'text/html; charset=utf-8')
   res.setHeader('Accept-Ranges', 'none') // #3870
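Review bot: The position of the added CSP block is now load-bearing — per the subject it has to run before the ETag check so the 304 path still carries the policy — but nothing in the code records that, so a later tidy-up could move it back below the early return without any test failing. I would add `// Must run before the ETag check: the 304 short-circuit below ends the response early and would otherwise drop the CSP header` directly above the `if (options.render.csp && cspScriptSrcHashes)` line. Note also that the guard skips the header entirely whenever `cspScriptSrcHashes` is falsy, which fails open for a page with CSP enabled; if the hash list can legitimately be absent (where it is produced is not visible here), consider still emitting the configured policy without hashes rather than no policy at all. The enclosing async function starts before and ends after this hunk, and the 304 return itself is outside the visible lines.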