fix(csp): apply right csp header when status code is 304 (#8352)

packages/server/src/middleware/nuxt.js

@@ -36,6 +36,14 @@ export default ({ options, nuxt, renderRoute, resources }) => async function nux
       res.statusCode = context.nuxt.error.statusCode || 500
     }
 
+    if (options.render.csp && cspScriptSrcHashes) {
+      const { allowedSources, policies } = options.render.csp
+      const isReportOnly = !!options.render.csp.reportOnly
+      const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+
+      res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }))
+    }
+
     // Add ETag header
     if (!error && options.render.etag) {
       const { hash } = options.render.etag
@@ -69,14 +77,6 @@ export default ({ options, nuxt, renderRoute, resources }) => async function nux
       }
     }
 
-    if (options.render.csp && cspScriptSrcHashes) {
-      const { allowedSources, policies } = options.render.csp
-      const isReportOnly = !!options.render.csp.reportOnly
-      const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
-
-      res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }))
-    }
-
     // Send response
     res.setHeader('Content-Type', 'text/html; charset=utf-8')
     res.setHeader('Accept-Ranges', 'none') // #3870