Add nonce to embedded bundle scripts in Vue SSR (strict CSP enabled)
Based on this article on web.dev, I updated host-allowlist-based CSPs to the strict CSP.
I have a Vue application with SSR enabled and I followed all 5 steps listed in that article. But I get the following errors and the app doesn't work (because the main script is not loaded):
My Nonce-based strict CSP looks like this:
script-src 'nonce-e5ecafd12af2d9661071d127eaa72b14' 'strict-dynamic' https:// 'unsafe-inline';
object-src 'none';
base-uri 'none';
Can anyone please support me here let me know how we can allow them in strict CSP?
PS. as you know, we don't have access to these scripts in the html file to assign the nonce to them.
After reading many articles, and trying different solutions like this I came up with a workaround that works just fine as below:
Background:
- I use express for setting my CSP rules. So, on the server side where I located my CSP rules, I generate the nonce and attach it to my response header.
- I have a dedicated template for my webpage where I put some scripts like GTM and etc. there.
Previously:
I was passing the generated nonce to my template through context and inside my template, I was assigning it to each script. But this wasn't working for the embedded bundle scripts. (the main reason that I raised this question in the first place!)
Solution:
- I no longer pass the generated nonce to my html template. So, I don't assign any nonce to any scripts inside my template.
- Instead, I take the interpolated template as a string and add the nonce to all script tags and then send the nonce-included-html version to the client.
- To do so, I modified the callback of
renderToStringas below
renderer.renderToString(context, (err, html) => {
const nonceIncludedHTML = addNonceToScriptTags(html, res.locals.cspNonce);
res.send(nonceIncludedHTML);
})
And this is my "addNonceToScript" function body:
function addNonceToScriptTags(html, nonce) {
if (!nonce || !html) {
return html;
}
return html
.replace(/<script/g, `<script nonce="${nonce}"`)
.replace(/as="script">/g, `nonce="${nonce}" as="script">`);
}
I needed to add the nonce to the <link as="script" rel="preload" href="..."> as my CSP was blocking the scripts for the preload request even though my scripts had the nonce.
- How to type a wrappers props without preventing it from appearing in attrs?
- Toggle vue-multiselect close/open on button click
- Tracking down the root cause of unexpected reactivity in Vue 3 components
- How to put json variable directly into DIV Class
- Consume API endpoint from Laravel + Inertia App
- How to watch for multiple values in Vue 3 script setup?
- vuejs app isn't running when using cdn: version 3
- Vue - v-if not updating with onMounted
- Vue passing data to child component
- Vue3 - possible to bind prop to background-image in style?
- Vue - passing a data list to child component
- VueJs, difference between computed property and watcher?
- How to cleanup Nuxt js extra div containers?
- Open a dropdown with right click in Vue3 and Vuetify3
- How to globally ignore errors with sentry v5 to reduce noise
- How to change port number in vue-cli project
- How to set URL query params in Vue with Vue-Router
- How to set favicon.ico properly on vue.js webpack project?
- Ionic-storage with vue
- PrimeVue FileUpload - Handle server upload error
- vuetify2 to vuetify3 transition-group no longer working
- Vitest with element plus unplugin unknown extension for scss
- Primevue FileUpload custom error handling
- Input clientWidth and scrollWidth are always equal
- How to redirect in Nuxt's asyncData
- How to prevent a custom field from validating on input with VeeValidate
- Footer flashes during route transition
- Intersection observer not triggering on page load and route back
- Vue 3 Vue-router 4 Composition API - Calling router.push outside of component not working
- Vue3 reactivity of an "external" array