Nuxt.js: csp: too many SHA256 hashes

Created on 25 Oct 2018  路  7Comments  路  Source: nuxt/nuxt.js

Version

v1.4.4

Reproduction link

https://invuekelowna.condos/

Steps to reproduce

We're seeing way too many SHA256 hashes in production. The SSR HTML only contains a single <script> tag, but 39 hashes are cramped into the header.

{
    render: {
        csp: {
            policies: {
                'default-src': ['https:'],
                'img-src': ['https:', '*.google-analytics.com'],
                'style-src': ["'self'", "'unsafe-inline'", process.env.APP_HOST, '*.typekit.net', 'cdnjs.cloudflare.com', 'fonts.googleapis.com'],
                'script-src': ["'self'", "'unsafe-inline'", process.env.APP_HOST, 'sentry.io', '*.sentry-cdn.com', '*.googletagmanager.com', '*.google-analytics.com'],
                'connect-src': ["'self'", 'sentry.io'],
                'form-action': ["'self'"],
                'frame-ancestors': ["'none'"],
            }
        }
    }
}

script-src
'sha256-onEhOVaaW85sYz2BSx9ZoADDB0qR2crL1xHjr2wdpFA='
'self'
'sha256-HLFIqpcsFhUcZ6OXXBcZlVOHoZgNmnuvG+A0jXfG7p8='
'sha256-q78KZwK1E5tRmt5+4WXXc0gTpwoo+7xF768re85BDW0='

What is expected ?

A single SHA256 hash.

What is actually happening?

Three SHA256 hashes.

This bug report is available on Nuxt community (#c8042)
bug-report
Source
picture tillkruss

All 7 comments

@manniL: The bug report as requested 馃憤

tillkruss picture tillkruss on 25 Oct 2018
👍1

My guess:

The window.__NUXT__ inline script (that contains the serialized SSR state) will be hashed and added to the headers. As the content will change, a lot of hashes will be added (but old ones don't get removed though they should).

manniL picture manniL on 27 Oct 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] picture stale[bot] on 17 Nov 2018

Can't reproduce that with latest nuxt-edge anymore.

Please ping me here with a reproduction repo if you still can :relaxed:

manniL picture manniL on 26 Nov 2018

I am having a live site with same problem, I use middleware and nuxtServerInit to pre-populate my store. The CSP header grows to >4kb in few hours.

Working on to reproduce with minimal code now.

williamchong picture williamchong on 11 Dec 2018
👍1

@manniL https://github.com/nuxt/nuxt.js/pull/4519 I probably have find out the issue, please take a look

williamchong picture williamchong on 11 Dec 2018
👍1

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock[bot] picture lock[bot] on 10 Jan 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mikekidder picture mikekidder  路  3Comments
nassimbenkirane picture nassimbenkirane  路  3Comments
VincentLoy picture VincentLoy  路  3Comments
o-alexandrov picture o-alexandrov  路  3Comments
jaredreich picture jaredreich  路  3Comments