Fix issue #908 and #916

lib/core/renderer.js

@@ -62,12 +62,12 @@ export default class Renderer extends Tapable {
     // For serving static/ files to /
     this.serveStatic = pify(serveStatic(resolve(this.options.srcDir, 'static'), this.options.render.static))
 
-    // For serving .nuxt/dist/ files (only when build.publicPath is not an URL)
+    // For serving .nuxt/dist/ files
     this.serveStaticNuxt = pify(serveStatic(resolve(this.options.buildDir, 'dist'), {
       maxAge: (this.options.dev ? 0 : '1y') // 1 year in production
     }))
 
-    // gzip middleware for production
+    // GZIP middleware for production
     if (!this.options.dev && this.options.render.gzip) {
       this.gzipMiddleware = pify(compression(this.options.render.gzip))
     }
@@ -179,13 +179,11 @@ export default class Renderer extends Tapable {
       await this.serveStatic(req, res)
 
       // Serve .nuxt/dist/ files (only for production)
-      if (!this.options.dev && req.url.indexOf(this.options.build.publicPath) === 0) {
+      const isValidExtension = (req.url.slice(-3) === '.js') || (req.url.slice(-4) === '.css') || (req.url.slice(-4) === '.map')
+      if (!this.options.dev && isValidExtension) {
         const url = req.url
-        req.url = req.url.replace(this.options.build.publicPath, '/')
-        // Forbid access to sensitive data (#916)
-        if (req.url.includes('server-bundle.json')) {
-          res.statusCode = 404
-          return res.end()
+        if (req.url.indexOf(this.options.build.publicPath) === 0) {
+          req.url = req.url.replace(this.options.build.publicPath, '/')
         }
         await this.serveStaticNuxt(req, res)
         /* istanbul ignore next */