feat(ssr): add csp nonce to all elements
add csp nonce to all elements that could potentially be affected by CSP directives
blake-newman committed Dec 16, 2020
1 parent 4f81b5d commit 8e40316
Showing 1 changed file with 10 additions and 7 deletions.
17 changes: 10 additions & 7 deletions src/server/template-renderer/index.js
Expand Up @@ -55,7 +55,7 @@ export default class TemplateRenderer {
this.inject = options.inject !== false
// if no template option is provided, the renderer is created
// as a utility object for rendering assets like preload links and scripts.

const { template } = options
this.parsedTemplate = template
? typeof template === 'string'
Expand Down Expand Up @@ -133,7 +133,7 @@ export default class TemplateRenderer {
return (
// render links for css files
(cssFiles.length
? cssFiles.map(({ file }) => `<link rel="stylesheet" href="${this.publicPath}${file}">`).join('')
? cssFiles.map(({ file }) => `<link rel="stylesheet" href="${this.publicPath}${file}"${getNonceAttribute(context)}>`).join('')
: '') +
// context.styles is a getter exposed by vue-style-loader which contains
// the inline component styles collected during SSR
Expand Down Expand Up @@ -177,7 +177,7 @@ export default class TemplateRenderer {
asType !== '' ? ` as="${asType}"` : ''
}${
extra
}>`
}${getNonceAttribute(context)}>`
}).join('')
} else {
return ''
Expand All @@ -198,7 +198,7 @@ export default class TemplateRenderer {
if (alreadyRendered(file)) {
return ''
}
return `<link rel="prefetch" href="${this.publicPath}${file}">`
return `<link rel="prefetch" href="${this.publicPath}${file}"${getNonceAttribute(context)}>`
}).join('')
} else {
return ''
Expand All @@ -214,9 +214,8 @@ export default class TemplateRenderer {
const autoRemove = process.env.NODE_ENV === 'production'
? ';(function(){var s;(s=document.currentScript||document.scripts[document.scripts.length-1]).parentNode.removeChild(s);}());'
: ''
const nonceAttr = context.nonce ? ` nonce="${context.nonce}"` : ''
return context[contextKey]
? `<script${nonceAttr}>window.${windowKey}=${state}${autoRemove}</script>`
? `<script${getNonceAttribute(context)}>window.${windowKey}=${state}${autoRemove}</script>`
: ''
}

Expand All @@ -226,7 +225,7 @@ export default class TemplateRenderer {
const async = (this.getUsedAsyncFiles(context) || []).filter(({ file }) => isJS(file))
const needed = [initial[0]].concat(async, initial.slice(1))
return needed.map(({ file }) => {
return `<script src="${this.publicPath}${file}" defer></script>`
return `<script src="${this.publicPath}${file}" defer${getNonceAttribute(context)}></script>`
}).join('')
} else {
return ''
Expand Down Expand Up @@ -275,3 +274,7 @@ function getPreloadType (ext: string): string {
return ''
}
}

function getNonceAttribute(context: Object): string {
return context.nonce ? ` nonce="${context.nonce}"` : ''
}
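Review bot: `getNonceAttribute` in the last hunk (@@ -275) interpolates `context.nonce` straight into a double-quoted attribute, so a value containing `"` or `>` would terminate the attribute or the tag; the removed inline `nonceAttr` had the same gap, and since this helper is now the single point that emits the nonce on every link and script it is the right place to constrain it. A CSP nonce is expected to be a server-generated base64 token, so a cheap fail-closed guard is to emit the attribute only when `typeof context.nonce === 'string' && /^[A-Za-z0-9+/=_-]+$/.test(context.nonce)` — an ill-formed value then yields no attribute and the browser's CSP blocks the element instead of the markup being altered, which matters if an application ever derives the nonce from request data. A short doc comment stating that contract, e.g. `// Nonce attribute for CSP-governed elements; context.nonce must be a server-generated base64 token.`, would also help since `context: Object` tells callers nothing about the expected shape. The hunks at @@ -133, -177, -198, -214 and -225 call the helper from methods whose bodies start outside their hunks.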
