@dargmuesli/nuxt-vio 8.3.3 → 9.0.0-beta.1

package/nuxt.config.ts

@@ -49,9 +49,38 @@ export default defineNuxtConfig(
         '@nuxtjs/html-validator',
         '@nuxtjs/i18n',
         '@nuxtjs/tailwindcss',
-        '@nuxtseo/module',
         '@pinia/nuxt',
+        // nuxt-security: remove invalid `'none'`s
+        (_options, nuxt) => {
+          const nuxtConfigSecurity = nuxt.options.security
+
+          if (
+            typeof nuxtConfigSecurity.headers !== 'boolean' &&
+            nuxtConfigSecurity.headers.contentSecurityPolicy &&
+            typeof nuxtConfigSecurity.headers.contentSecurityPolicy !==
+              'boolean' &&
+            typeof nuxtConfigSecurity.headers.contentSecurityPolicy !== 'string'
+          ) {
+            for (const [key, value] of Object.entries(
+              nuxtConfigSecurity.headers.contentSecurityPolicy,
+            )) {
+              if (!Array.isArray(value)) continue
+
+              const valueFiltered = value.filter((x) => x !== "'none'")
+
+              if (valueFiltered.length) {
+                ;(
+                  nuxtConfigSecurity.headers.contentSecurityPolicy as Record<
+                    string,
+                    any
+                  >
+                )[key] = valueFiltered
+              }
+            }
+          }
+        },
         'nuxt-security',
+        '@nuxtseo/module',
       ],
       nitro: {
         compressPublicAssets: true,
@@ -144,6 +173,17 @@ export default defineNuxtConfig(
       security: {
         headers: {
           contentSecurityPolicy: defu(
+            {
+              // Cloudflare
+              ...(process.env.NODE_ENV === 'production'
+                ? {
+                    'connect-src': [`${SITE_URL}/cdn-cgi/rum`],
+                    'script-src-elem': [
+                      'https://static.cloudflareinsights.com',
+                    ],
+                  }
+                : {}),
+            },
             {
               // Google Analytics 4 (https://developers.google.com/tag-platform/tag-manager/web/csp)
               'connect-src': [
@@ -180,6 +220,21 @@ export default defineNuxtConfig(
                   : []),
               ],
             },
+            {
+              // nuxt-og-image
+              ...(process.env.NODE_ENV === 'development'
+                ? {
+                    'font-src': ['https://fonts.gstatic.com/s/inter/'],
+                    'frame-ancestors': ["'self'"],
+                    'frame-src': ["'self'"],
+                    'script-src-elem': ['https://cdn.tailwindcss.com/'],
+                    'style-src': [
+                      // TODO: replace with `style-src-elem` once Webkit supports it
+                      'https://cdn.jsdelivr.net/npm/gardevoir https://fonts.googleapis.com/css2',
+                    ],
+                  }
+                : {}),
+            },
             {
               // nuxt-simple-sitemap
               'script-src-elem': [`${SITE_URL}/__sitemap__/style.xsl`],
@@ -224,6 +279,8 @@ export default defineNuxtConfig(
               'prefetch-src': [],
               'report-to': [],
               'report-uri': [],
+              // TODO: evaluate header (https://github.com/maevsi/maevsi/issues/830) // https://stackoverflow.com/questions/62081028/this-document-requires-trustedscripturl-assignment
+              // 'require-trusted-types-for': ["'script'"], // csp-evaluator
               sandbox: [],
               'script-src': [],
               'script-src-attr': [],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dargmuesli/nuxt-vio",
-  "version": "8.3.3",
+  "version": "9.0.0-beta.1",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/dargmuesli/vio.git"
@@ -66,7 +66,7 @@
     "test:e2e:server:static": "cross-env NODE_ENV=production PORT=3002 SITE_URL=http://localhost:3002 VIO_SERVER=static pnpm run test:e2e",
     "test:e2e": "playwright test"
   },
-  "dependencies": {
+  "devDependencies": {
     "@axe-core/playwright": "4.8.1",
     "@dargmuesli/nuxt-cookie-control": "7.0.1",
     "@heroicons/vue": "2.0.18",