refactor(server): only append not empty allowed sources to csp (#6771)

packages/config/test/options.test.js

@@ -98,12 +98,12 @@ describe('config: options', () => {
   })
 
   test('should enable csp', () => {
-    const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: [], test: true } } })
+    const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: ['/nuxt/*'], test: true } } })
     expect(csp).toEqual({
       hashAlgorithm: 'sha256',
       addMeta: false,
       unsafeInlineCompatibility: false,
-      allowedSources: [],
+      allowedSources: ['/nuxt/*'],
       policies: undefined,
       reportOnly: false,
       test: true
@@ -112,12 +112,12 @@ describe('config: options', () => {
 
   // TODO: Remove this test in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
   test('should enable csp with old typo property name, avoiding breaking changes', () => {
-    const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: [], test: true, unsafeInlineCompatiblity: true } } })
+    const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: ['/nuxt/*'], test: true, unsafeInlineCompatiblity: true } } })
     expect(csp).toEqual({
       hashAlgorithm: 'sha256',
       addMeta: false,
       unsafeInlineCompatibility: true,
-      allowedSources: [],
+      allowedSources: ['/nuxt/*'],
       policies: undefined,
       reportOnly: false,
       test: true

packages/server/src/middleware/nuxt.js

@@ -127,7 +127,7 @@ const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isDev }) =
   const joinedHashes = cspScriptSrcHashes.join(' ')
   const baseCspStr = `script-src 'self'${isDev ? ' \'unsafe-eval\'' : ''} ${joinedHashes}`
 
-  if (Array.isArray(allowedSources)) {
+  if (Array.isArray(allowedSources) && allowedSources.length) {
     return `${baseCspStr} ${allowedSources.join(' ')}`
   }