Chore/2.0.0 #492
Merged
33 commits
ff0ecfe feat(csp): support style nonce in development (dargmuesli)
fad91ee Update from useScript to Nuxt Scripts (vejja)
338be11 feat-#487: local dev with nuxt devtools (Baroshem)
b7701f1 Merge pull request #475 from dargmuesli/feat/csp/vite (Baroshem)
88dbb4c Merge pull request #488 from Baroshem/feat/#487 (Baroshem)
2d0ae0a Merge pull request #485 from Baroshem/vejja-patch-3 (Baroshem)
4528880 fix: ensure RegExp[] origin can be passed to appSecurityOptions (Shana-AE)
765d7e1 Merge pull request #498 from Shana-AE/fix/regexp-corsHanlder.origin (Baroshem)
23af05a test: use nullish coalescing operator (P4sca1)
eb097d0 test: add test cases for server-only components (P4sca1)
c38a710 fix: log warning when removing static nonce from CSP header (P4sca1)
2b0cf0f fix: skip nonce generation and csp header update for NuxtIsland requests (P4sca1)
a2425ce docs: update information about Nuxt Image (P4sca1)
0e3ab07 chore: fix typo (P4sca1)
7811a00 Merge pull request #503 from P4sca1/docs/image-faq (Baroshem)
b0b4a08 merge changes from #500 into #502 (vejja)
57ff90b Replace isIslandRequest util with check if nonce already exist (P4sca1)
1a5ada9 fix: use console warn instead of useLogger (P4sca1)
e6df1ac Merge pull request #502 from P4sca1/main (Baroshem)
4993963 feat: bump unplugin-remove to fix sitemaps (Baroshem)
b133ed6 Revert "fix: ensure RegExp[] origin can be passed to appSecurityOptions" (Baroshem)
6d16201 fix: limit cors options to serializable types, support RegExp (P4sca1)
2763f72 Add test cases for CORS (P4sca1)
be68db2 Add regexp example to docs and warn about escaping dots (P4sca1)
1f70e88 Pass origin * as is (P4sca1)
2151b7d Fix linting issues (P4sca1)
6a04128 origin matching should be case insensitive (P4sca1)
f613df5 fix: update to latest @nuxt/module-builder (ThibaultVlacich)
a359071 Merge pull request #516 from ThibaultVlacich/update-module-builder (Baroshem)
3a5e3bf fix: augment @nuxt/schema rather than nuxt/schema (ThibaultVlacich)
0c48ec5 Merge pull request #520 from ThibaultVlacich/fix/augment-@nuxt/schema (Baroshem)
85e5c91 Merge pull request #509 from P4sca1/fix/regexp-origin (Baroshem)
4c577d1 chore: bump to 2.0.0 (Baroshem)
Hey @P4sca1
Isn't it a bit severe?
You could probably use 'unsafe-hashes' here, and the inline code is always the same so you could pre-hash it.
I do agree this is not ideal though. @harlan-zw was able to replace all inline event handlers with addEventListener in @nuxt/scripts so maybe the team at NuxtImg can use the same approach?
The inline code will indeed be always the same, so using `unsafe-hashes` could work. Maybe we could add it by default in non strict mode or behind a feature flag in strict mode to support `<NuxtImg>` and `<NuxtPicture>`.
I calculated the hash that would be needed:
Using `addEventListener` in this case is not trivial, because the event listener would be attached in `onMounted()`, which is too late for some kinds of errors. So some errors, e.g. when the url is invalid, could be missed.
Hey @P4sca1
What is the issue when CSP denies execution of the error handler?
The `data-error` property does not get set on the image tag and the error event is never emitted.
From a user's perspective the page works fine, it just shows an unloaded image.
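The `'unsafe-hashes'` option raised in this thread, as an added example (not code from nuxt-security or Nuxt Image): it computes the CSP hash source for each distinct inline event handler found in rendered HTML and builds a directive that allows only those exact handlers. The sample markup and the handler text in it are constructed assumptions, not the handler Nuxt Image emits.

```javascript
// Added example: not code from nuxt-security or Nuxt Image.
const { createHash } = require('node:crypto');

// CSP hash source for an inline handler: base64(SHA-256(attribute value)).
// The browser hashes the attribute value byte for byte, so any change in
// whitespace or quoting of the rendered handler yields a different hash.
function cspHash(source) {
  const digest = createHash('sha256').update(source, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Collect the distinct values of on* attributes (onerror, onload, ...).
// A regex is enough for this constructed sample; a build step should use a
// real HTML parser so that entity-encoded values are decoded before hashing.
function inlineHandlers(html) {
  const found = new Set();
  const attr = /\son[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  for (const m of html.matchAll(attr)) found.add(m[1] ?? m[2]);
  return [...found];
}

// Build a script-src-attr directive that allows only those exact handlers.
// With no handlers present, inline event handlers are denied outright.
function scriptSrcAttr(html) {
  const hashes = inlineHandlers(html).map(cspHash);
  if (hashes.length === 0) return "script-src-attr 'none'";
  return `script-src-attr 'unsafe-hashes' ${hashes.join(' ')}`;
}

// Constructed markup: the handler text is hypothetical.
const SAMPLE_HTML = `
<img src="/a.png" onerror="this.setAttribute('data-error', 1)">
<img src="/b.png" onerror="this.setAttribute('data-error', 1)">
<p>no handlers here</p>`;

console.log(scriptSrcAttr(SAMPLE_HTML));
```

The same `'unsafe-hashes'` and hash sources can be placed in `script-src` instead of `script-src-attr`. Because the hash covers the exact handler text, it has to be recomputed whenever the component's rendered handler changes.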