fix: csp false in rc5 removes custom csp header

[dargmuesli]

Reproduction Link

Build: https://github.com/maevsi/maevsi/actions/runs/7138462986/job/19440077662?pr=1475
PR: maevsi/maevsi#1475

Steps to reproduce

Set content-security-policy header using appendHeader in a server middleware and set contentSecurityPolicy: false for this module.

What is Expected?

Up until rc4 the csp set in the server middleware was applied and this module's default csp was not used.

What is actually happening?

There is no csp header at all in rc5. Seems like the existing header is removed when set to false?

[Baroshem]

@vejja

What are your thoughts on that? I think we recently had a PR where we were changing the boolean values for headers

[vejja]

@dargmuesli you're right.

Setting header.contentSecurityPolicy: false now removes the header. Semantically we interpret it as 'do not send a CSP header'.
This is also the case for all other security headers controlled by Nuxt Security (e.g. Strict-Transport-Security, etc.).

However we could change this. It could mean 'do not set a CSP header'.

[vejja]

I'm about to patch this.

Just for clarity, the behavior is specific to false, ie:

• If option is false, we do not remove user-defined headers.
• If option is any other value, we overwrite user-defined headers.

This would revert to rc-4 behaviour.
This sounds logical because if you use Nuxt Security to set some security header values, there should be no reason to redefine them elsewhere.

@dargmuesli @Baroshem : do you agree this is the intended behavior ?

[dargmuesli]

Yes, I understand the module as a helper to set values. In the best case it should be possible to disable single features of modules, e.g. to be able to use a custom implementation.

[Baroshem]

Guys I am not sure about this change.

CSP is set by default when NuxtSecurity is added. I would expect when setting a csp to false that this csp wont be included at all.

Like with middleware (i.e. rateLimiter). If I dont want it I just set it to false and this middleware wont be enabled.

I think that the behavior in rc.4 was actually a bug and with rc.5 it is now correct.

But honestly, I am not sure if I understand your use case @dargmuesli. Why setting header in server middleware if you can just do it in the nuxt security?

[dargmuesli]

Like with middleware (i.e. rateLimiter). If I dont want it I just set it to false and this middleware wont be enabled.

Right, but should it just not be enabled or should any such header be removed even if it has another source?

But honestly, I am not sure if I understand your use case @dargmuesli. Why setting header in server middleware if you can just do it in the nuxt security?

Because I cannot! 😂 I'm waiting for runtime support (#233, #298).

[vejja]

I do agree with @dargmuesli

What I am doing in rc.5 is aggressively removing the 'Content-Security-Policy' header from the response with removeResponseHeader just before the response is sent.

Maybe the user wants to use RateLimiter but not CSP and prefers to set its CSP headers manually for whatever reason.

[Baroshem]

Ahhh I see. Now it makes sense for me. Thanks for clarification guys!
Then you have a green light from me :)