Cannot define both SHA hash and unsafe-inline in CSP for best compatibility #5627

@williamchong

Description

Version

v2.6.3

Reproduction link

https://codesandbox.io/s/p91l8w1zzq?module=%2Fnuxt.config.js

Steps to reproduce

Define both sha256 as hashAlgorithm and 'unsafe-inline' in CSP script-src policy, in nuxt.config.js

What is expected ?

Both dynamic page SHA hash and 'unsafe-inline' should be present in CSP header

What is actually happening?

Only 'unsafe-inline' is present in CSP header

Additional comments?

Follow up on #5387 (comment)

original comment:

==========

Defining BOTH unsafe-inline and a hash in CSP is actually a valid use case; it is for backward compatibility with CSPv1. That's why browsers with CSPv2+ support ignore it when a hash is present at the same time.

MDN reference:

See unsafe inline script for an example. Specifying nonce makes a modern browser ignore 'unsafe-inline' which could still be set for older browsers without nonce support.

It is also a recommended practice suggested by Google.

With this PR in, how can I specify BOTH unsafe-inline and SHA hash for my CSP rule?

==========

Would reverting the PR and allowing a special disable value for hashAlgorithm to solve @sambowler's use case be a better idea?

@manniL

This bug report is available on Nuxt community (#c9134)
