CSP violation when directive set to false #432

Closed
cesxhin opened this issue Apr 23, 2024 · 5 comments · Fixed by #429
Labels: bug (Something isn't working)
cesxhin commented Apr 23, 2024

(screenshot attached to the issue)

Version

nuxt-security: v1.3.2
nuxt: v3.11.2

{
    [...]
    "@nuxt/devtools": "1.2.0",
    "@vueuse/nuxt": "10.9.0",
    "vue-router": "4.3.2",
    "vue": "3.4.24",
    "nuxt": "3.11.2",
    "nuxt-security": "^1.3.2",
    [...]
}

Reproduction

https://codesandbox.io/p/live/833607a5-4e18-4517-99f3-552549b9b9dd

With code sandbox it would seem to work well but on my PC it doesn't.

I cleaned .nuxt, node_modules and package-lock and reinstalled everything and same result.

I cannot share the entire code which is confidential.
This is the nuxt-security configuration:

export default defineNuxtConfig({
  [...]
  modules: [
    [...]
    'nuxt-security',
    [...]
  ],
  security: {
    headers: {
      crossOriginEmbedderPolicy: process.env.NODE_ENV === 'development' ? 'unsafe-none' : 'require-corp',
      permissionsPolicy: {
        fullscreen: 'self'
      },
      contentSecurityPolicy: {
        'upgrade-insecure-requests': !(process.env.NODE_ENV === 'development'),
        'img-src': false
      },
    }
  }
  [...]
})

Steps to reproduce

Set any value inside contentSecurityPolicy.

What is Expected?

No script-src and hash-validation errors are shown.

What is actually happening?

Script-src and hash-validation errors are shown.

@cesxhin cesxhin added the bug Something isn't working label Apr 23, 2024
vejja (Collaborator) commented Apr 23, 2024

@cesxhin bug confirmed, can reproduce

Regression introduced by #408 in function setNonceInCsp
Blaming 3248ea1#diff-26212f23d270802b4b1588992c6125c83a6c59a138cc290b0017f01151716a1aR54

Will fix
Thanks for the report

vejja (Collaborator) commented Apr 23, 2024

@Baroshem PR #429 fixes, would you like a temporary patch for this one first ?

Baroshem (Owner) commented

@vejja

I think we can wait until the release of the next major with your PR.

I want to look at it this week to release preferably on thursday a new version if that is ok with you :)

vejja (Collaborator) commented Apr 23, 2024

Sounds good to me
@cesxhin the regression is on boolean values for 'upgrade-insecure-requests' and 'img-src', which you are trying to set to false.
Before we fix on Thursday, you could use { 'img-src': ["'none'"] }, and maybe live with the default for upgrade-insecure-requests ?

@vejja vejja changed the title Refused to load the script _nuxt/@vite/client CSP violation when directive set to false Apr 23, 2024
@vejja vejja self-assigned this Apr 23, 2024
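The workaround above only makes sense once you see what a CSP serializer has to do with boolean directive values: `false` must drop the directive entirely, and `true` must emit the bare directive name for valueless directives such as `upgrade-insecure-requests`. The following is an added example and not nuxt-security's own code; the diff behind #408 and #429 is not on this page, so the "buggy" variant is an illustrative failure mode, not the actual regression. The names `buildCsp`, `buildCspBuggy`, `findLiteralBooleans`, `VALUELESS_DIRECTIVES` and `DEFAULTS` are hypothetical, and the `{{nonce}}` placeholder is an assumption standing in for per-request nonce substitution.

```javascript
// Added example, not nuxt-security's own code: serialize a CSP directive map
// into a header value while treating boolean directive values correctly.
// buildCsp, buildCspBuggy, findLiteralBooleans, VALUELESS_DIRECTIVES and
// DEFAULTS are hypothetical names; '{{nonce}}' is an assumed placeholder.

// Directives that carry no source list: `true` emits the bare name, `false`
// drops the directive entirely.
const VALUELESS_DIRECTIVES = new Set([
  'upgrade-insecure-requests',
  'block-all-mixed-content',
]);

// Constructed defaults standing in for a module's built-in policy.
const DEFAULTS = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'nonce-{{nonce}}'"],
  'img-src': ["'self'", 'data:'],
  'upgrade-insecure-requests': true,
};

// Substitute the nonce placeholder in a string or an array of strings;
// booleans pass through untouched.
function applyNonce(value, nonce) {
  if (typeof value === 'string') return value.split('{{nonce}}').join(nonce);
  if (Array.isArray(value)) return value.map((v) => applyNonce(v, nonce));
  return value;
}

// Render one directive, or return null when it must be omitted.
function directiveToString(name, value) {
  if (value === false) return null;
  if (value === true) {
    if (!VALUELESS_DIRECTIVES.has(name)) {
      throw new TypeError(`${name} needs a source list, not \`true\``);
    }
    return name;
  }
  if (typeof value === 'string') return value.trim() ? `${name} ${value.trim()}` : null;
  if (Array.isArray(value)) return value.length ? `${name} ${value.join(' ')}` : null;
  throw new TypeError(`unsupported value for ${name}: ${typeof value}`);
}

// Merge user directives over the defaults and serialize the header value.
function buildCsp(userDirectives, nonce, defaults = DEFAULTS) {
  const merged = { ...defaults, ...userDirectives };
  const parts = [];
  for (const [name, raw] of Object.entries(merged)) {
    const rendered = directiveToString(name, applyNonce(raw, nonce));
    if (rendered !== null) parts.push(rendered);
  }
  return parts.join('; ');
}

// Illustrative failure mode (not the actual regression): every value is
// coerced to a source list, so `false` lands in the header as the literal
// token "false", which a browser treats as an unrecognised source.
function buildCspBuggy(userDirectives, nonce, defaults = DEFAULTS) {
  const merged = { ...defaults, ...userDirectives };
  return Object.entries(merged)
    .map(([name, raw]) => `${name} ${[].concat(applyNonce(raw, nonce)).join(' ')}`)
    .join('; ');
}

// Check a serialized policy for directives whose sources include a literal
// boolean token; returns the offending directive names.
function findLiteralBooleans(header) {
  const offenders = [];
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name && sources.some((s) => s === 'true' || s === 'false')) offenders.push(name);
  }
  return offenders;
}

// Usage: the reporter's config (both directives false), then the interim
// workaround from the thread, then the check run over the buggy output.
console.log(buildCsp({ 'img-src': false, 'upgrade-insecure-requests': false }, 'abc'));
console.log(buildCsp({ 'img-src': ["'none'"] }, 'abc'));
console.log(findLiteralBooleans(buildCspBuggy({ 'img-src': false }, 'abc')));
```

Note the two different meanings of "disable" here: `'img-src': false` removes the directive so `default-src` governs images, while `'img-src': ["'none'"]` keeps the directive and blocks all images. The workaround in the thread is therefore stricter than the original intent, which is the safe direction to err in. `findLiteralBooleans` is the kind of assertion worth keeping in a test suite for any header-building code, since a stringified boolean silently degrades the policy rather than failing loudly.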
cesxhin (Author) commented Apr 23, 2024

> Sounds good to me @cesxhin the regression is on boolean values for 'upgrade-insecure-requests' and 'img-src', which you are trying to set to false. Before we fix on Thursday, you could use { 'img-src': ["'none'"] }, and maybe live with the default for upgrade-insecure-requests ?

Thanks for the immediate replies.

For the moment I have set the version v1.2.2 and I wait when they release.
I'm in no hurry.
