From 4a513e73d2cec5e6c3fe6a6bae38d64f8952da2f Mon Sep 17 00:00:00 2001
From: Pedro Domingues
Date: Thu, 17 Oct 2019 11:46:02 +0100
Subject: [PATCH 1/2] Replacing all occurrences of unsafeInlineCompatiblity to unsafeInlineCompatibility.
---
 packages/config/src/options.js | 2 +-
 packages/config/test/options.test.js | 2 +-
 packages/vue-renderer/src/renderers/ssr.js | 2 +-
 test/unit/basic.ssr.csp.test.js | 8 ++++----
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/packages/config/src/options.js b/packages/config/src/options.js
index 243f673ebcf9..b6867e2262fd 100644
--- a/packages/config/src/options.js
+++ b/packages/config/src/options.js
@@ -241,7 +241,7 @@ export function getNuxtConfig (_options) {
 allowedSources: undefined,
 policies: undefined,
 addMeta: Boolean(options._generate),
- unsafeInlineCompatiblity: false,
+ unsafeInlineCompatibility: false,
 reportOnly: options.debug
 })
 }
diff --git a/packages/config/test/options.test.js b/packages/config/test/options.test.js
index 87166c45c9b0..e33fe05160ef 100644
--- a/packages/config/test/options.test.js
+++ b/packages/config/test/options.test.js
@@ -102,7 +102,7 @@ describe('config: options', () => {
 expect(csp).toEqual({
 hashAlgorithm: 'sha256',
 addMeta: false,
- unsafeInlineCompatiblity: false,
+ unsafeInlineCompatibility: false,
 allowedSources: true,
 policies: undefined,
 reportOnly: false,
diff --git a/packages/vue-renderer/src/renderers/ssr.js b/packages/vue-renderer/src/renderers/ssr.js
index 410a9c3a3198..954fc71ccb22 100644
--- a/packages/vue-renderer/src/renderers/ssr.js
+++ b/packages/vue-renderer/src/renderers/ssr.js
@@ -138,7 +138,7 @@ export default class SSRRenderer extends BaseRenderer {
 if (csp) {
 // Only add the hash if 'unsafe-inline' rule isn't present to avoid conflicts (#5387)
 const containsUnsafeInlineScriptSrc = csp.policies && csp.policies['script-src'] && csp.policies['script-src'].includes(`'unsafe-inline'`)
- if (csp.unsafeInlineCompatiblity || !containsUnsafeInlineScriptSrc) {
+ if (csp.unsafeInlineCompatibility || !containsUnsafeInlineScriptSrc) {
 const hash = crypto.createHash(csp.hashAlgorithm)
 hash.update(serializedSession)
 cspScriptSrcHashes.push(`'${csp.hashAlgorithm}-${hash.digest('base64')}'`)
diff --git a/test/unit/basic.ssr.csp.test.js b/test/unit/basic.ssr.csp.test.js
index b5fa67685f91..2d820f079e17 100644
--- a/test/unit/basic.ssr.csp.test.js
+++ b/test/unit/basic.ssr.csp.test.js
@@ -198,14 +198,14 @@ describe('basic ssr csp', () => {
 )

 test(
- 'Contain hash and \'unsafe-inline\' when unsafeInlineCompatiblity is enabled',
+ 'Contain hash and \'unsafe-inline\' when unsafeInlineCompatibility is enabled',
 async () => {
 const policies = {
 'script-src': [`'unsafe-inline'`]
 }

 nuxt = await startCspServer({
- unsafeInlineCompatiblity: true,
+ unsafeInlineCompatibility: true,
 policies
 })

@@ -419,14 +419,14 @@ describe('basic ssr csp', () => {
 )

 test(
- 'Contain hash and \'unsafe-inline\' when unsafeInlineCompatiblity is enabled',
+ 'Contain hash and \'unsafe-inline\' when unsafeInlineCompatibility is enabled',
 async () => {
 const policies = {
 'script-src': [`'unsafe-inline'`]
 }

 nuxt = await startCspServer({
- unsafeInlineCompatiblity: true,
+ unsafeInlineCompatibility: true,
 policies
 })

From 1fa24c34136d9bd48822206273d4a5f44f010a20 Mon Sep 17 00:00:00 2001
From: Pedro Domingues
Date: Fri, 18 Oct 2019 16:10:30 +0100
Subject: [PATCH 2/2] Still allowing old typo property name `unsafeInlineCompatiblity` in order to avoid breaking-changes (displaying an alert), but also allowing the correct name `unsafeInlineCompatibility` to be used. Introduced TODO comments/notes that should be resolved before the release of Nuxt 3.
---
 packages/config/src/options.js | 7 ++++
 packages/config/test/options.test.js | 14 ++++++++
 test/unit/basic.ssr.csp.test.js | 54 ++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+)
diff --git a/packages/config/src/options.js b/packages/config/src/options.js
index b6867e2262fd..e05c41292cb8 100644
--- a/packages/config/src/options.js
+++ b/packages/config/src/options.js
@@ -244,6 +244,13 @@ export function getNuxtConfig (_options) {
 unsafeInlineCompatibility: false,
 reportOnly: options.debug
 })
+
+ // TODO: Remove this if statement in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
+ if (options.render.csp.unsafeInlineCompatiblity) {
+ consola.warn('Using `unsafeInlineCompatiblity` is deprecated and will be removed in Nuxt 3. Use `unsafeInlineCompatibility` instead.')
+ options.render.csp.unsafeInlineCompatibility = options.render.csp.unsafeInlineCompatiblity
+ delete options.render.csp.unsafeInlineCompatiblity
+ }
 }

 // cssSourceMap
diff --git a/packages/config/test/options.test.js b/packages/config/test/options.test.js
index e33fe05160ef..717680a6bd6e 100644
--- a/packages/config/test/options.test.js
+++ b/packages/config/test/options.test.js
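Review bot: The legacy-key shim added to `getNuxtConfig` in `packages/config/src/options.js` is gated on truthiness, so a config that sets `unsafeInlineCompatiblity: false` skips the branch entirely: no deprecation warning is logged and the misspelled key stays in `options.render.csp`. A truthy legacy value also silently overwrites an explicitly set `unsafeInlineCompatibility`, which decides whether script hashes are emitted next to `'unsafe-inline'` in the CSP header. Testing for presence instead, `if (options.render.csp.unsafeInlineCompatiblity !== undefined) {`, would warn and clean up in every case, and a short comment such as `// legacy spelling wins when both keys are set` would make the precedence explicit. The enclosing `getNuxtConfig` starts and ends outside this hunk.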
@@ -110,6 +110,20 @@ describe('config: options', () => {
 })
 })

+ // TODO: Remove this test in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
+ test('should enable csp with old typo property name, avoiding breaking changes', () => {
+ const { render: { csp } } = getNuxtConfig({ render: { csp: { allowedSources: true, test: true, unsafeInlineCompatiblity: true } } })
+ expect(csp).toEqual({
+ hashAlgorithm: 'sha256',
+ addMeta: false,
+ unsafeInlineCompatibility: true,
+ allowedSources: true,
+ policies: undefined,
+ reportOnly: false,
+ test: true
+ })
+ })
+
 test('should check unknown mode', () => {
 const { build, render } = getNuxtConfig({ mode: 'test' })
 expect(consola.warn).toHaveBeenCalledWith('Unknown mode: test. Falling back to universal')
diff --git a/test/unit/basic.ssr.csp.test.js b/test/unit/basic.ssr.csp.test.js
index 2d820f079e17..94716cc57362 100644
--- a/test/unit/basic.ssr.csp.test.js
+++ b/test/unit/basic.ssr.csp.test.js
@@ -222,6 +222,33 @@ describe('basic ssr csp', () => {
 expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self' 'unsafe-inline'$/)
 }
 )
+
+ // TODO: Remove this test in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
+ test(
+ 'Contain hash and \'unsafe-inline\' when the typo property unsafeInlineCompatiblity is enabled',
+ async () => {
+ const policies = {
+ 'script-src': [`'unsafe-inline'`]
+ }
+
+ nuxt = await startCspServer({
+ unsafeInlineCompatiblity: true,
+ policies
+ })
+
+ for (let i = 0; i < 5; i++) {
+ await rp(url('/stateless'), {
+ resolveWithFullResponse: true
+ })
+ }
+
+ const { headers } = await rp(url('/stateful'), {
+ resolveWithFullResponse: true
+ })
+
+ expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self' 'unsafe-inline'$/)
+ }
+ )
 })

 describe('debug mode', () => {
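Review bot: The new test in `packages/config/test/options.test.js` checks only the normalised `csp` object and never asserts that the deprecation warning fired, so the `consola.warn` call in the shim is left unverified. `consola.warn` appears to be mocked in this file, since the following test asserts on it, so adding `expect(consola.warn).toHaveBeenCalledWith(expect.stringContaining('unsafeInlineCompatiblity'))` would pin it. A second case that passes both spellings with different values would document which one takes precedence.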
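Review bot: The test added at `@@ -222,6 +222,33 @@` in `test/unit/basic.ssr.csp.test.js` looks like a line-for-line copy of the existing `unsafeInlineCompatibility` test whose tail is visible in the context lines, differing only in the option key, and the hunk at `@@ -443,5 +470,32 @@` repeats the same copy. Parametrising the existing test would keep one body and reduce the Nuxt 3 cleanup to removing one array entry: `test.each(['unsafeInlineCompatibility', 'unsafeInlineCompatiblity'])('Contain hash and \'unsafe-inline\' when %s is enabled', async (prop) => {` with `nuxt = await startCspServer({ [prop]: true, policies })`. The assertion pattern `'sha256-.*'` is also loose; `'sha256-[A-Za-z0-9+/=]+'` would fail if anything other than a single base64 digest were emitted in that position.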
@@ -443,5 +470,32 @@ describe('basic ssr csp', () => {
 expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self' 'unsafe-inline'$/)
 }
 )
+
+ // TODO: Remove this test in Nuxt 3, we will stop supporting this typo (more on: https://github.com/nuxt/nuxt.js/pull/6583)
+ test(
+ 'Contain hash and \'unsafe-inline\' when the typo property unsafeInlineCompatiblity is enabled',
+ async () => {
+ const policies = {
+ 'script-src': [`'unsafe-inline'`]
+ }
+
+ nuxt = await startCspServer({
+ unsafeInlineCompatiblity: true,
+ policies
+ })
+
+ for (let i = 0; i < 5; i++) {
+ await rp(url('/stateless'), {
+ resolveWithFullResponse: true
+ })
+ }
+
+ const { headers } = await rp(url('/stateful'), {
+ resolveWithFullResponse: true
+ })
+
+ expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self' 'unsafe-inline'$/)
+ }
+ )
 })
 })