
@bobeatspie

…cript-src-attr CSP violation

🔗 Linked issue

Resolves #1011

❓ Type of change

  • 📖 Documentation (updates to the documentation or readme)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • [x] 👌 Enhancement (improving an existing functionality)
  • ✨ New feature (a non-breaking change that adds functionality)
  • 🧹 Chore (updates to the build process or auxiliary tools and libraries)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

The CSP header "script-src-attr" prevents inline JavaScript from executing when the header's value is set to 'none'. By adding the error event handler in the onMounted hook, it becomes easier for Nuxt Security to add a hash to the script and allow the error handler to execute.

@bobeatspie bobeatspie requested a review from danielroe as a code owner July 1, 2025 14:08
@vercel

vercel bot commented Jul 1, 2025

@bobeatspie is attempting to deploy a commit to the NuxtLabs Team on Vercel.

A member of the Team first needs to authorize it.

@pkg-pr-new

pkg-pr-new bot commented Jul 1, 2025

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/image@1884

commit: 9758c40

@danielroe
Member

danielroe commented Jul 1, 2025

the purpose of the inline js is to capture errors that occur before vue has hydrated the page

we might also be able to add a script in <head> that adds an event listener for image load events....

I've marked as draft for my own triage - feel free to unmark whenever it's ready for review.

@danielroe danielroe marked this pull request as draft July 1, 2025 16:03
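
The CSP rules this thread turns on, as an added example that is not code from this PR, Nuxt Image or Nuxt Security: a small evaluator for whether an inline event-handler attribute (such as an `onerror` attribute) may run under a given policy. The names `parsePolicy` and `inlineHandlerVerdict` are hypothetical, and the digest passed in is assumed to be computed elsewhere.

```javascript
// Parse a policy string into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

const isNonceOrHash = (s) => /^'(nonce|sha256|sha384|sha512)-[^']+'$/i.test(s);

// handlerDigest: optional "sha256-<base64>" digest of the attribute value,
// supplied by the caller (hypothetical input for this sketch).
function inlineHandlerVerdict(policy, handlerDigest) {
  const directives = parsePolicy(policy);
  // Event-handler attributes are governed by script-src-attr, falling back
  // to script-src and then default-src.
  const name = ['script-src-attr', 'script-src', 'default-src']
    .find((d) => directives.has(d));
  if (!name) return { allowed: true, reason: 'no governing directive' };

  const sources = directives.get(name);
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);

  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is listed.
  if (has("'unsafe-inline'") && !sources.some(isNonceOrHash) && !has("'strict-dynamic'")) {
    return { allowed: true, reason: `${name} 'unsafe-inline'` };
  }
  // Nonces never apply to attributes; hashes apply only with 'unsafe-hashes'.
  if (has("'unsafe-hashes'") && handlerDigest && sources.includes(`'${handlerDigest}'`)) {
    return { allowed: true, reason: `${name} hash match` };
  }
  return { allowed: false, reason: `blocked by ${name}` };
}
```

A listener attached from a `<script>` element is checked against `script-src-elem` / `script-src` instead, where a nonce or hash works without `'unsafe-hashes'`.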

Development

Successfully merging this pull request may close these issues.

Support for nonce or hash value [enhancment]
