feat: external script support for CSP (nuxt#2608)

sunecosuri · pi0 · commit 5ebf60f2a144 · 2018-01-16T18:40:10.000+03:30
diff --git a/lib/common/options.js b/lib/common/options.js
@@ -305,7 +305,9 @@ Options.defaults = {
     etag: {
       weak: false
     },
-    csp: undefined
+    csp: {
+      allowedSouces: []
+    }
   },
   watchers: {
     webpack: {
diff --git a/lib/core/middleware/nuxt.js b/lib/core/middleware/nuxt.js
@@ -67,10 +67,11 @@ module.exports = async function nuxtMiddleware(req, res, next) {
       res.setHeader('Link', pushAssets.join(','))
     }
 
-    if (this.options.render.csp) {
+    if (this.options.render.csp.hashAlgorithm) {
+      let allowedSources = cspScriptSrcHashes.concat(this.options.render.csp.allowedSources)
       res.setHeader(
         'Content-Security-Policy',
-        `script-src 'self' ${(cspScriptSrcHashes || []).join(' ')}`
+        `script-src 'self' ${(allowedSources || []).join(' ')}`
       )
     }
 
diff --git a/lib/core/renderer.js b/lib/core/renderer.js
@@ -361,7 +361,7 @@ module.exports = class Renderer {
       isJSON: true
     })};`
     let cspScriptSrcHashes = []
-    if (this.options.render.csp) {
+    if (this.options.render.csp.hashAlgorithm) {
       let hash = crypto.createHash(this.options.render.csp.hashAlgorithm)
       hash.update(serializedSession)
       cspScriptSrcHashes.push(
diff --git a/test/basic.ssr.test.js b/test/basic.ssr.test.js
@@ -24,7 +24,10 @@ test.serial('Init Nuxt.js', async t => {
       stats: false
     },
     render: {
-      csp: true
+      csp: {
+        hashAlgorithm: 'sha256',
+        allowedSources: ['https://example.com', 'https://example.io']
+      }
     }
   }
 
@@ -256,6 +259,8 @@ test('Content-Security-Policy Header', async t => {
   })
   // Verify functionality
   t.regex(headers['content-security-policy'], /script-src 'self' 'sha256-.*'/)
+  t.true(headers['content-security-policy'].includes('https://example.com'))
+  t.true(headers['content-security-policy'].includes('https://example.io'))
 })
 
 test('/_nuxt/server-bundle.json should return 404', async t => {

Original file line number	Diff line number	Diff line change
`@@ -67,10 +67,11 @@ module.exports = async function nuxtMiddleware(req, res, next) {`
`67`	`67`	`res.setHeader('Link', pushAssets.join(','))`
`68`	`68`	`}`
`69`	`69`
`70`		`- if (this.options.render.csp) {`
	`70`	`+ if (this.options.render.csp.hashAlgorithm) {`
	`71`	`+ let allowedSources = cspScriptSrcHashes.concat(this.options.render.csp.allowedSources)`
`71`	`72`	`res.setHeader(`
`72`	`73`	`'Content-Security-Policy',`
`73`		- `script-src 'self' ${(cspScriptSrcHashes \|\| []).join(' ')}`
	`74`	+ `script-src 'self' ${(allowedSources \|\| []).join(' ')}`
`74`	`75`	`)`
`75`	`76`	`}`
`76`	`77`