BREAKING CHANGE SUGGESTION: remove nonce property
The Nonce feature in Nuxt Image can bring many security concerns. The biggest ones of them all are:
- User-provided nonce may not be cryptographically secure (partially or fully)
- User-provided nonce may not be standard-compliant (not generated with an appropriate algorithm)
- User-provided nonce may not be unique (user might reuse the nonce throughout multiple images)
It might be a better idea to leave the security of images for Nuxt Security to handle, as it takes care of all these concerns.
Hey @GalacticHypernova
I agree with this approach and can totally see why it could fail. Nuxt Security should handle it with nonce generation properly.
Or the upcoming CSP support for Nuxt framework in general :)
I wonder how we should approach it to not cause breaking changes instantly. Maybe we could add a note first that this prop will be deprecated with a newer version and users should use Nuxt Security instead?
I think this might be the best approach indeed. Perhaps it can become obsolete but still accepted.