fix: relax devtools-specific security headers in dev#2331
fix: relax devtools-specific security headers in dev#2331ghostdevv merged 4 commits intonpmx-dev:mainfrom
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
📝 WalkthroughWalkthroughThe module Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 1✅ Passed checks (1 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
ghostdevv
left a comment
ghostdevv
left a comment
There was a problem hiding this comment.
Could we instead add the necessary nuxt permissions in dev?
|
@ghostdevv I’m not fully sure what you mean by “nuxt permissions” here. If you mean a built-in Nuxt/DevTools setting, I couldn’t find one that seems to apply here. From what I can tell, the issue is caused by our security headers rather than a Nuxt option: DevTools uses a same-origin iframe under |
What I meant was can we expand the permissions in dev to support the devtools iframe? I'm weary against relaxing the policy in dev as it may make it harder for us to catch issues with the security policy as we have one less testing ground before production - if that makes sense? |
|
Yep, that makes sense. I kept the headers in dev and only relaxed the bits DevTools needs ( |
RYGRIT
changed the title
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (3)
modules/security-headers.ts (1)
26-30: TheisDevtoolsRuntimecondition is correct but complex; consider adding a clarifying comment.The logic correctly handles all devtools configuration forms (boolean
false,null/undefined, and object with optionalenabledproperty), defaulting to enabled when not explicitly disabled. This aligns with Nuxt DevTools' default behaviour whereenableddefaults totrue. The past review suggested!!nuxt.options.devtools?.enabled, but that would incorrectly treat unset/undefined as disabled.A brief inline comment would help future maintainers understand the intent.
📝 Suggested clarifying comment
+ // DevTools is considered active when: + // - We're in dev mode + // - devtools is not explicitly disabled (boolean false, or object with enabled: false) + // - We're not running tests const isDevtoolsRuntime = nuxt.options.dev && devtools !== false && (devtools == null || typeof devtools !== 'object' || devtools.enabled !== false) && !process.env.TESTtest/unit/modules/security-headers.spec.ts (2)
49-53: Consider adding test cases for additional edge configurations.The current tests cover
devtools: { enabled: true }anddevtools: { enabled: false }, but the module'sisDevtoolsRuntimelogic also handles:
devtools: undefinedordevtools: null(should enable in dev mode)devtools: {}(enabled property not specified, should enable)process.env.TESTbeing set (should disable regardless of devtools config)dev: false(production mode, should disable)Adding these cases would strengthen coverage of the defensive checks in lines 26-30 of the module.
💡 Suggested additional test cases
it('enables devtools relaxations when devtools config is undefined', () => { const nuxt = createNuxt({ dev: true, devtools: undefined, }) useNuxt.mockReturnValue(nuxt) securityHeadersModule.setup() const csp = getCsp(nuxt) expect(csp).toContain('ws://localhost:*') expect(nuxt.options.routeRules['/__nuxt_devtools__/**']).toBeDefined() }) it('enables devtools relaxations when devtools is empty object', () => { const nuxt = createNuxt({ dev: true, devtools: {}, }) useNuxt.mockReturnValue(nuxt) securityHeadersModule.setup() const csp = getCsp(nuxt) expect(csp).toContain('ws://localhost:*') }) it('disables devtools relaxations in production mode', () => { const nuxt = createNuxt({ dev: false, devtools: { enabled: true }, }) useNuxt.mockReturnValue(nuxt) securityHeadersModule.setup() const csp = getCsp(nuxt) expect(csp).not.toContain('ws://localhost:*') expect(nuxt.options.routeRules['/__nuxt_devtools__/**']).toBeUndefined() }) it('disables devtools relaxations when TEST env is set', () => { process.env.TEST = 'true' const nuxt = createNuxt({ dev: true, devtools: { enabled: true }, }) useNuxt.mockReturnValue(nuxt) securityHeadersModule.setup() const csp = getCsp(nuxt) expect(csp).not.toContain('ws://localhost:*') })
112-114: Consider adding a positive assertion for baseframe-srcwhen devtools is disabled.The current assertion verifies
'self'is absent, but doesn't confirm the base frame sources (https://bsky.app https://pdsmoover.com) are still present. Adding a positive assertion would catch potential regressions where the entire directive might be incorrectly modified.💡 Suggested additional assertion
expect(csp).not.toContain('ws://localhost:*') expect(csp).not.toContain("frame-src https://bsky.app https://pdsmoover.com 'self'") + expect(csp).toContain('frame-src https://bsky.app https://pdsmoover.com') expect(nuxt.options.routeRules['/__nuxt_devtools__/**']).toBeUndefined()
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 68456026-73b0-4f4e-8aa0-522cd51c4ea1
📒 Files selected for processing (2)
modules/security-headers.tstest/unit/modules/security-headers.spec.ts
2 participants
🔗 Linked issue
🧭 Context
Nuxt DevTools relies on a same-origin iframe and dev-only runtime connections, which were being blocked by our CSP and frame restrictions during development.
Instead of disabling
security-headersentirely in dev, this change keeps the existing security headers in place and only relaxes the DevTools-specific parts needed for the local dev runtime.📚 Description
This PR updates
security-headersso that:SAMEORIGINinstead ofDENY