Zengtudor/Nuxt
1
0
Fork 0
mirror of https://github.com/nuxt/nuxt.git synced 2024-11-23 14:15:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(config): typo in unsafeInlineCompatibility name (#6583)

Browse Source
This commit is contained in:
PedroD 2019-10-19 09:15:07 +01:00 committed by Pooya Parsa
parent 99aba8725b
commit 257ae2279b
4 changed files with 80 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
packages/config/src/options.js
View File

@ -241,9 +241,16 @@ export function getNuxtConfig (_options) {
allowedSources: undefined, allowedSources: undefined,
policies: undefined, policies: undefined,
addMeta: Boolean(options._generate), addMeta: Boolean(options._generate),
unsafeInlineCompatiblity: false, unsafeInlineCompatibility: false,
reportOnly: options.debug reportOnly: options.debug
}) })
// TODO: Remove this if statement in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
if (options.render.csp.unsafeInlineCompatiblity) {
consola.warn('Using `unsafeInlineCompatiblity` is deprecated and will be removed in Nuxt 3. Use `unsafeInlineCompatibility` instead.')
options.render.csp.unsafeInlineCompatibility = options.render.csp.unsafeInlineCompatiblity
delete options.render.csp.unsafeInlineCompatiblity
}
} }
// cssSourceMap // cssSourceMap

16
packages/config/test/options.test.js
View File

@ -102,7 +102,21 @@ describe('config: options', () => {
expect(csp).toEqual({ expect(csp).toEqual({
hashAlgorithm: 'sha256', hashAlgorithm: 'sha256',
addMeta: false, addMeta: false,
unsafeInlineCompatiblity: false, unsafeInlineCompatibility: false,
allowedSources: true,
policies: undefined,
reportOnly: false,
test: true
})
})
// TODO: Remove this test in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
test('should enable csp with old typo property name, avoiding breaking changes', () => {
const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: true, test: true, unsafeInlineCompatiblity: true } } })
expect(csp).toEqual({
hashAlgorithm: 'sha256',
addMeta: false,
unsafeInlineCompatibility: true,
allowedSources: true, allowedSources: true,
policies: undefined, policies: undefined,
reportOnly: false, reportOnly: false,

2
packages/vue-renderer/src/renderers/ssr.js
View File

@ -138,7 +138,7 @@ export default class SSRRenderer extends BaseRenderer {
if (csp) { if (csp) {
// Only add the hash if 'unsafe-inline' rule isn't present to avoid conflicts (#5387) // Only add the hash if 'unsafe-inline' rule isn't present to avoid conflicts (#5387)
const containsUnsafeInlineScriptSrc = csp.policies && csp.policies['script-src'] && csp.policies['script-src'].includes(`'unsafe-inline'`) const containsUnsafeInlineScriptSrc = csp.policies && csp.policies['script-src'] && csp.policies['script-src'].includes(`'unsafe-inline'`)
if (csp.unsafeInlineCompatiblity || !containsUnsafeInlineScriptSrc) { if (csp.unsafeInlineCompatibility || !containsUnsafeInlineScriptSrc) {
const hash = crypto.createHash(csp.hashAlgorithm) const hash = crypto.createHash(csp.hashAlgorithm)
hash.update(serializedSession) hash.update(serializedSession)
cspScriptSrcHashes.push(`'${csp.hashAlgorithm}-${hash.digest('base64')}'`) cspScriptSrcHashes.push(`'${csp.hashAlgorithm}-${hash.digest('base64')}'`)

58
test/unit/basic.ssr.csp.test.js
View File

@ -198,7 +198,34 @@ describe('basic ssr csp', () => {
) )
test( test(
'Contain hash and \'unsafe-inline\' when unsafeInlineCompatiblity is enabled', 'Contain hash and \'unsafe-inline\' when unsafeInlineCompatibility is enabled',
async () => {
const policies = {
'script-src': [`'unsafe-inline'`]
}
nuxt = await startCspServer({
unsafeInlineCompatibility: true,
policies
})
for (let i = 0; i < 5; i++) {
await rp(url('/stateless'), {
resolveWithFullResponse: true
})
}
const { headers } = await rp(url('/stateful'), {
resolveWithFullResponse: true
})
expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self' 'unsafe-inline'$/)
}
)
// TODO: Remove this test in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
test(
'Contain hash and \'unsafe-inline\' when the typo property unsafeInlineCompatiblity is enabled',
async () => { async () => {
const policies = { const policies = {
'script-src': [`'unsafe-inline'`] 'script-src': [`'unsafe-inline'`]
@ -419,7 +446,34 @@ describe('basic ssr csp', () => {
) )
test( test(
'Contain hash and \'unsafe-inline\' when unsafeInlineCompatiblity is enabled', 'Contain hash and \'unsafe-inline\' when unsafeInlineCompatibility is enabled',
async () => {
const policies = {
'script-src': [`'unsafe-inline'`]
}
nuxt = await startCspServer({
unsafeInlineCompatibility: true,
policies
})
for (let i = 0; i < 5; i++) {
await rp(url('/stateless'), {
resolveWithFullResponse: true
})
}
const { headers } = await rp(url('/stateful'), {
resolveWithFullResponse: true
})
expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self' 'unsafe-inline'$/)
}
)
// TODO: Remove this test in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
test(
'Contain hash and \'unsafe-inline\' when the typo property unsafeInlineCompatiblity is enabled',
async () => { async () => {
const policies = { const policies = {
'script-src': [`'unsafe-inline'`] 'script-src': [`'unsafe-inline'`]