Enable qualtrics for nuxt security crossorigin embedder policy
Trying to embed an external script in our nuxt application. (Nuxt3).
We've got the following security settings:
nuxt.config excerpt:
security: {
headers: {
crossOriginEmbedderPolicy: 'credentialless', // added this specifically for qualtrics
contentSecurityPolicy: {
'connect-src': '*',
'base-uri': 'self',
'default-src': 'self',
'font-src': [
"'self'",
'data:',
],
'form-action': [
"'self'",
// added this specifically for qualtrics:
'https://[our company].qualtrics.com',
],
'img-src': [
"'self'",
'https:',
'data:',
],
'object-src': 'none',
'script-src-attr': 'none',
'style-src': [
"'self'",
'https:',
"'unsafe-inline'",
],
'script-src': [
"'self'",
'https:',
"'unsafe-inline'",
"'strict-dynamic'",
"'nonce-{{nonce}}'",
],
// added this specifically for qualtrics:
'frame-src': [
"'self'",
'https://[our company].qualtrics.com',
],
'frame-ancestors': 'self',
'upgrade-insecure-requests': true,
},
xContentTypeOptions: 'nosniff',
},
},
With this, I can get the survey popup to show up but it doesn't have any content, see screenshot:
On hover, I can see the warning: [our company].qualtrics.com refused to connect
Is there a way to send CORS details from the qualtrics interface? This would be my preferred way of fixing this issue, but I'm not finding anything useful at all on the qualtrics documentation.
Alternatively, how would I need to edit the security policy to see content?
After reading this question, I have tried adding the qualtrics url to script-src and also replacing none-{{nonce}} line with it, but to no avail.
Found some more documentation, and updated the security accordingly:
nuxt.config
security: {
headers: {
crossOriginEmbedderPolicy: 'unsafe-none', // also works when set to false
contentSecurityPolicy: {
'connect-src': '*',
'base-uri': 'self',
'default-src': 'self',
'font-src': [
"'self'",
'data:',
],
'form-action': [
'https://*.qualtrics.com', // needed
"'self'",
],
'frame-ancestors': 'self',
'img-src': [
"'self'",
'https:',
'data:',
'https://*.qualtrics.com', // needed
],
'object-src': 'none',
'script-src-attr': 'none',
'style-src': [
"'self'",
'https:',
"'unsafe-inline'",
],
'script-src': [
"'self'",
'https:',
"'unsafe-inline'",
"'strict-dynamic'",
"'nonce-{{nonce}}'",
'https://*.qualtrics.com', // needed
],
'frame-src': 'https://*.qualtrics.com', // needed
'upgrade-insecure-requests': true,
},
},
}
The documentation also states to allow for eval-unsafe but this wasn't necessary in my case.
- Cannot find name 'defineNuxtConfig'.ts(2304)
- Nuxt 3 Supabase - 500 auth Session missing
- How to add a script block to head in Nuxt 3?
- Nuxt v3 router is not working when trying to push or replace
- Error using $t @nuxtjs/i18n in Nuxt 3 - Vue: __VLS_ctx.$t is of type unknown
- Sitemap generation for Nuxt3
- Nuxt3 Vite server port
- How to extract all the CSS to a single file in Nuxt?
- Why loading dynamically assets fails on Nuxt v3
- Nuxt not automatically importing components from nested directory
- Nuxt3 - Ignore Type checking for few files
- Nuxt3 Robots.txt - @nuxtjs/robots not generating robots.txt file
- Retrieve an oidc access token from Nuxt 3 app
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Nuxt 3: Cannot find module 'C:/Program Files/nodejs/node_modules/@nuxt/devtools/module.cjs'
- How to include the children of a route when creating a middleware?
- How to get current domain at Nuxt 3 middleware?
- Favicon loading from assets is not working in nuxt3
- Properly proxy WebSocket connection through Nuxt 3 Server
- Nuxt3 config to fetch the data from rest api and generate static page based on fetched data
- Nuxt3 pages are duplicated twice at the end of the scroll on production
- How to recognize within application that i am within an testcafe e2e test
- How to fix CORS error on 3rd party API call in Nuxt 3?
- Nuxt 3 - SSR return 500 with plugin provider
- Nuxt useFetch/useAsyncData twice in method throws error: `nuxt instance not available`
- setup script for more than one component from one place - Nuxt3
- Failed to fetch dynamically imported module in nuxt3
- Imports in Nuxt with @ or ~, which is better?
- VSCode Auto-Import doesn't work: Cannot find name
- Nuxt 3 app with tailwind css how to edit the main body element?