feat: external script support for CSP (#2608)

lib/common/options.js

@@ -305,7 +305,9 @@ Options.defaults = {
     etag: {
       weak: false
     },
-    csp: undefined
+    csp: {
+      allowedSouces: []
+    }
   },
   watchers: {
     webpack: {

lib/core/middleware/nuxt.js

@@ -67,10 +67,11 @@ module.exports = async function nuxtMiddleware(req, res, next) {
       res.setHeader('Link', pushAssets.join(','))
     }
 
-    if (this.options.render.csp) {
+    if (this.options.render.csp.hashAlgorithm) {
+      let allowedSources = cspScriptSrcHashes.concat(this.options.render.csp.allowedSources)
       res.setHeader(
         'Content-Security-Policy',
-        `script-src 'self' ${(cspScriptSrcHashes || []).join(' ')}`
+        `script-src 'self' ${(allowedSources || []).join(' ')}`
       )
     }
 

lib/core/renderer.js

@@ -361,7 +361,7 @@ module.exports = class Renderer {
       isJSON: true
     })};`
     let cspScriptSrcHashes = []
-    if (this.options.render.csp) {
+    if (this.options.render.csp.hashAlgorithm) {
       let hash = crypto.createHash(this.options.render.csp.hashAlgorithm)
       hash.update(serializedSession)
       cspScriptSrcHashes.push(

test/basic.ssr.test.js

@@ -24,7 +24,10 @@ test.serial('Init Nuxt.js', async t => {
       stats: false
     },
     render: {
-      csp: true
+      csp: {
+        hashAlgorithm: 'sha256',
+        allowedSources: ['https://example.com', 'https://example.io']
+      }
     }
   }
 
@@ -256,6 +259,8 @@ test('Content-Security-Policy Header', async t => {
   })
   // Verify functionality
   t.regex(headers['content-security-policy'], /script-src 'self' 'sha256-.*'/)
+  t.true(headers['content-security-policy'].includes('https://example.com'))
+  t.true(headers['content-security-policy'].includes('https://example.io'))
 })
 
 test('/_nuxt/server-bundle.json should return 404', async t => {