UNPKG

nuxt-security

Version:

🛡️ Security Module for Nuxt based on HTTP Headers and Middleware

nuxt-security.vercel.app

73 lines (72 loc) 3.04 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
import { defineNitroPlugin } from "#imports"; import { resolveSecurityRules } from "../context/index.js"; import { generateHash } from "../../../utils/crypto"; const INLINE_SCRIPT_RE = /<script(?![^>]*?\bsrc="[\w:.\-\\/]+")[^>]*>([\s\S]*?)<\/script>/gi; const STYLE_RE = /<style[^>]*>([\s\S]*?)<\/style>/gi; const SCRIPT_RE = /<script(?=[^>]+\bsrc="[^"]+")(?=[^>]+\bintegrity="([\w\-+/=]+)")[^>]+(?:\/>|><\/script[^>]*?>)/gi; const LINK_RE = /<link(?=[^>]+\brel="(stylesheet|preload|modulepreload)")(?=[^>]+\bintegrity="([\w\-+/=]+)")(?=(?:[^>]+\bas="(\w+)")?)[^>]+>/gi; export default defineNitroPlugin((nitroApp) => { if (!import.meta.prerender) { return; } nitroApp.hooks.hook("render:html", async (html, { event }) => { const rules = resolveSecurityRules(event); if (!rules.enabled || !rules.headers || !rules.headers.contentSecurityPolicy) { return; } event.context.security.hashes = { script: /* @__PURE__ */ new Set(), style: /* @__PURE__ */ new Set() }; const scriptHashes = event.context.security.hashes.script; const styleHashes = event.context.security.hashes.style; const hashAlgorithm = "SHA-256"; if (rules.ssg) { const { hashScripts, hashStyles } = rules.ssg; const sections = ["body", "bodyAppend", "bodyPrepend", "head"]; for (const section of sections) { for (const element of html[section]) { if (hashScripts) { const inlineScriptMatches = element.matchAll(INLINE_SCRIPT_RE); for (const [, scriptText] of inlineScriptMatches) { const hash = await generateHash(scriptText, hashAlgorithm); scriptHashes.add(`'${hash}'`); } const externalScriptMatches = element.matchAll(SCRIPT_RE); for (const [, integrity] of externalScriptMatches) { scriptHashes.add(`'${integrity}'`); } } if (hashStyles) { const styleMatches = element.matchAll(STYLE_RE); for (const [, styleText] of styleMatches) { const hash = await generateHash(styleText, hashAlgorithm); styleHashes.add(`'${hash}'`); } } const linkMatches = element.matchAll(LINK_RE); for (const [, rel, integrity, as] of linkMatches) { if (integrity) { if (rel === "stylesheet" && hashStyles) { styleHashes.add(`'${integrity}'`); } else if (rel === "preload" && hashScripts) { switch (as) { case "script": case "audioworklet": case "paintworklet": case "xlst": scriptHashes.add(`'${integrity}'`); break; default: break; } } else if (rel === "modulepreload" && hashScripts) { scriptHashes.add(`'${integrity}'`); } } } } } } }); });