fix(sri): resolve hashes using cdnURL at runtime instead of build-time

[maxmaxme]

Types of changes

• Bug fix (a non-breaking change which fixes an issue)
• New feature (a non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Description

This PR fixes a bug in Subresource Integrity (SRI) generation when using dynamic CDN URLs.

Currently, nuxt-security uses the cdnURL value at build time to construct the keys for the #sri-hashes map. If the same build is deployed to different environments with different CDN base URLs, the computed src / href at runtime does not match any entry in the #sri-hashes, and integrity is not applied.

This change defers the use of cdnURL to runtime, stripping it from the resource URL before matching it against the #sri-hashes map. This makes SRI compatible with multi-environment deployments using different CDN base URLs set via runtime config (NUXT_APP_CDN_URL).

Before:

• #sri-hashes keys were generated using cdnURL at build time
• runtime matching failed if cdnURL changed

After:

• #sri-hashes keys are built without cdnURL
• at runtime, actual resource URLs are normalized by removing cdnURL before lookup

This allows a single build to work reliably across multiple environments with different CDN domains.

Checklist:

• My change requires a change to the documentation. (no)
• I have updated the documentation accordingly. (no behavior changed)
• I have added tests to cover my changes (already exists but fails even in the main branch)

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
nuxt-security	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Apr 3, 2025 0:37am