refactor(server): only append not empty allowed sources to csp (#6771)

Xin Du (Clark) 2019-12-17 04:16:51 +08:00 committed by Pooya Parsa
parent 112d836e6e
commit e999060da5
2 changed files with 5 additions and 5 deletions


@ -98,12 +98,12 @@ describe('config: options', () => {
}) })
test('should enable csp', () => { test('should enable csp', () => {
const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: [], test: true } } }) const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: ['/nuxt/*'], test: true } } })
expect(csp).toEqual({ expect(csp).toEqual({
hashAlgorithm: 'sha256', hashAlgorithm: 'sha256',
addMeta: false, addMeta: false,
unsafeInlineCompatibility: false, unsafeInlineCompatibility: false,
allowedSources: [], allowedSources: ['/nuxt/*'],
policies: undefined, policies: undefined,
reportOnly: false, reportOnly: false,
test: true test: true
@ -112,12 +112,12 @@ describe('config: options', () => {
// TODO: Remove this test in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583) // TODO: Remove this test in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
test('should enable csp with old typo property name, avoiding breaking changes', () => { test('should enable csp with old typo property name, avoiding breaking changes', () => {
const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: [], test: true, unsafeInlineCompatiblity: true } } }) const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: ['/nuxt/*'], test: true, unsafeInlineCompatiblity: true } } })
expect(csp).toEqual({ expect(csp).toEqual({
hashAlgorithm: 'sha256', hashAlgorithm: 'sha256',
addMeta: false, addMeta: false,
unsafeInlineCompatibility: true, unsafeInlineCompatibility: true,
allowedSources: [], allowedSources: ['/nuxt/*'],
policies: undefined, policies: undefined,
reportOnly: false, reportOnly: false,
test: true test: true
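Review bot: Both fixtures replace `allowedSources: []` with `['/nuxt/*']`, so neither test now pins how an empty list passes through `getNuxtConfig`, which is the case this commit is about. Keeping one case with `allowedSources: []` that expects `allowedSources: []` back would preserve that coverage. Separately, `'/nuxt/*'` is not a well-formed CSP source expression as far as I can tell (wildcards are only defined for the host and port parts, and a bare path has no host), and browsers ignore entries they cannot parse; a fixture such as `'https://example.com'` would be safer for anyone who copies it into a real config. Both test bodies continue past the visible lines.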


@ -127,7 +127,7 @@ const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isDev }) =
const joinedHashes = cspScriptSrcHashes.join(' ') const joinedHashes = cspScriptSrcHashes.join(' ')
const baseCspStr = `script-src 'self'${isDev ? ' \'unsafe-eval\'' : ''} ${joinedHashes}` const baseCspStr = `script-src 'self'${isDev ? ' \'unsafe-eval\'' : ''} ${joinedHashes}`
if (Array.isArray(allowedSources)) { if (Array.isArray(allowedSources) && allowedSources.length) {
return `${baseCspStr} ${allowedSources.join(' ')}` return `${baseCspStr} ${allowedSources.join(' ')}`
} }
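Review bot: The trailing-space problem this guard removes for an empty `allowedSources` is still present in `baseCspStr` itself, which ends in `'self' ` followed by nothing whenever `cspScriptSrcHashes` is empty. Building the directive from parts avoids both cases at once, e.g. `const baseCspStr = ["script-src 'self'", isDev && "'unsafe-eval'", ...cspScriptSrcHashes].filter(Boolean).join(' ')`. The entries of `allowedSources` are also joined into the header value as-is, so an entry containing `;` would start a new directive; if these values can ever come from anything other than the developer's own config, rejecting entries with `;`, `,` or whitespace at config time would be worth adding. The rest of `getCspString` is outside the hunk, so what the fall-through path returns for the empty list is not visible here, and no test in this commit asserts the emitted string.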