@nuxt/scripts 1.0.0-beta.1 → 1.0.0-beta.3

package/dist/runtime/server/sw-handler.js

@@ -0,0 +1,25 @@
+import { defineEventHandler, setResponseHeader } from "h3";
+import { useRuntimeConfig } from "#imports";
+import { parseURL } from "ufo";
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig(event);
+  const proxyConfig = config["nuxt-scripts-proxy"];
+  const swTemplate = config["nuxt-scripts"]?.swTemplate || "";
+  const routes = proxyConfig?.routes || {};
+  const rules = Object.entries(routes).map(([localPath, proxy]) => {
+    const url = parseURL(proxy.replace(/\*\*$/, ""));
+    if (!url.host) return null;
+    return {
+      pattern: url.host,
+      pathPrefix: url.pathname || "",
+      target: localPath.replace(/\/\*\*$/, "")
+    };
+  }).filter(Boolean);
+  const swCode = `const INTERCEPT_RULES = ${JSON.stringify(rules)};
+
+${swTemplate}`;
+  setResponseHeader(event, "Content-Type", "application/javascript");
+  setResponseHeader(event, "Service-Worker-Allowed", "/");
+  setResponseHeader(event, "Cache-Control", "no-cache");
+  return swCode;
+});

package/dist/runtime/server/utils/privacy.d.ts

@@ -0,0 +1,141 @@
+/**
+ * Granular privacy controls for the first-party proxy.
+ * Each flag controls both headers AND body/query params for its domain.
+ */
+export interface ProxyPrivacy {
+    /** Anonymize IP (headers + body). When false, real IP is forwarded via x-forwarded-for. */
+    ip?: boolean;
+    /** Normalize User-Agent (headers + body) */
+    userAgent?: boolean;
+    /** Normalize Accept-Language (headers + body) */
+    language?: boolean;
+    /** Generalize screen resolution, viewport, hardware concurrency, device memory */
+    screen?: boolean;
+    /** Generalize timezone offset and IANA timezone names */
+    timezone?: boolean;
+    /** Anonymize hardware fingerprints: canvas/webgl/audio, plugins/fonts, browser versions, device info */
+    hardware?: boolean;
+}
+/**
+ * Privacy input: `true` = full anonymize, `false` = passthrough (still strips sensitive headers),
+ * or a `ProxyPrivacy` object for granular control (unset flags default to `false` — opt-in).
+ */
+export type ProxyPrivacyInput = boolean | ProxyPrivacy | null;
+/** Resolved privacy with all flags explicitly set. */
+export type ResolvedProxyPrivacy = Required<ProxyPrivacy>;
+/**
+ * Normalize a privacy input to a fully-resolved object.
+ * Privacy is opt-in: unset object flags default to `false`.
+ * Each script in the registry explicitly sets all flags for its needs.
+ * - `true` → all flags true (full anonymize)
+ * - `false` / `undefined` → all flags false (passthrough)
+ * - `{ ip: true, hardware: true }` → only those active, rest off
+ */
+export declare function resolvePrivacy(input?: ProxyPrivacyInput): ResolvedProxyPrivacy;
+/**
+ * Merge privacy settings: `override` fields take precedence over `base` field-by-field.
+ * When `override` is undefined, returns `base` unchanged.
+ * When `override` is a boolean, it fully replaces `base`.
+ * When `override` is an object, only explicitly-set fields override.
+ */
+export declare function mergePrivacy(base: ResolvedProxyPrivacy, override?: ProxyPrivacyInput): ResolvedProxyPrivacy;
+/**
+ * Headers that reveal user IP address - stripped in proxy mode,
+ * anonymized in anonymize mode.
+ */
+export declare const IP_HEADERS: string[];
+/**
+ * Headers that enable fingerprinting - normalized in anonymize mode.
+ */
+export declare const FINGERPRINT_HEADERS: string[];
+/**
+ * Sensitive headers that should never be forwarded to third parties.
+ */
+export declare const SENSITIVE_HEADERS: string[];
+/**
+ * Payload parameters relevant to privacy.
+ *
+ * Note: userId and userData are intentionally NOT modified by stripPayloadFingerprinting.
+ * Analytics services require user identifiers (cid, uid, fbp, etc.) and user data (ud, email)
+ * to function correctly. These are listed here for documentation and param-detection tests only.
+ * The privacy model anonymizes device/browser fingerprinting while preserving user-level analytics IDs.
+ */
+export declare const STRIP_PARAMS: {
+    ip: string[];
+    userId: string[];
+    userData: string[];
+    screen: string[];
+    hardware: string[];
+    platform: string[];
+    version: string[];
+    browserVersion: string[];
+    browserData: string[];
+    location: string[];
+    canvas: string[];
+    deviceInfo: string[];
+};
+/**
+ * Parameters that should be normalized (not stripped).
+ */
+export declare const NORMALIZE_PARAMS: {
+    language: string[];
+    userAgent: string[];
+};
+/**
+ * Anonymize an IP address by zeroing trailing segments.
+ */
+export declare function anonymizeIP(ip: string): string;
+/**
+ * Normalize User-Agent to browser family and major version only.
+ */
+export declare function normalizeUserAgent(ua: string): string;
+/**
+ * Normalize Accept-Language to primary language tag (preserving country).
+ * "en-US,en;q=0.9,fr;q=0.8" → "en-US"
+ */
+export declare function normalizeLanguage(lang: string): string;
+/**
+ * Generalize screen resolution to 3 coarse device-class buckets (mobile / tablet / desktop).
+ * Handles both combined "WxH" strings and individual dimension values (sh, sw).
+ *
+ * When `dimension` is specified, uses the correct bucket for that axis:
+ *   - 'width': [1920, 768, 360]
+ *   - 'height': [1080, 1024, 640]
+ * Without `dimension`, individual values use width thresholds (backward-compatible).
+ */
+export declare function generalizeScreen(value: unknown, dimension?: 'width' | 'height'): string | number;
+/**
+ * Generalize hardware concurrency / device memory to common bucket.
+ */
+export declare function generalizeHardware(value: unknown): number;
+/**
+ * Generalize a version string to major version, preserving the original format.
+ * "6.17.0" → "6.0.0", "143.0.7499.4" → "143.0.0.0"
+ */
+export declare function generalizeVersion(value: unknown): string;
+/**
+ * Generalize browser version list to major versions, preserving segment count.
+ * Handles Snapchat d_bvs format: [,{"brand":"Chrome","version":"143.0.7499.4"}...]
+ * Handles GA uafvl format: HeadlessChrome;143.0.7499.4|Chromium;143.0.7499.4|...
+ */
+export declare function generalizeBrowserVersions(value: unknown): string;
+/**
+ * Generalize timezone to reduce precision.
+ * IANA names → UTC offset string, numeric offsets → bucketed to 3-hour intervals.
+ */
+export declare function generalizeTimezone(value: unknown): string | number;
+/**
+ * Anonymize a combined device-info string (e.g. X/Twitter `dv` param).
+ * Parses the delimited string and generalizes fingerprinting components
+ * (timezone, language, screen dimensions) while keeping low-entropy values.
+ */
+export declare function anonymizeDeviceInfo(value: string): string;
+/**
+ * Recursively anonymize fingerprinting data in payload.
+ * Fields are generalized or normalized rather than stripped, so endpoints
+ * still receive valid data with reduced fingerprinting precision.
+ *
+ * When `privacy` is provided, only categories with their flag set to `true` are processed.
+ * Default (no arg) = all categories active, so existing callers work unchanged.
+ */
+export declare function stripPayloadFingerprinting(payload: Record<string, unknown>, privacy?: ResolvedProxyPrivacy): Record<string, unknown>;

package/dist/runtime/server/utils/privacy.js

@@ -0,0 +1,309 @@
+const FULL_PRIVACY = { ip: true, userAgent: true, language: true, screen: true, timezone: true, hardware: true };
+const NO_PRIVACY = { ip: false, userAgent: false, language: false, screen: false, timezone: false, hardware: false };
+export function resolvePrivacy(input) {
+  if (input === true) return { ...FULL_PRIVACY };
+  if (input === false || input === void 0 || input === null) return { ...NO_PRIVACY };
+  return {
+    ip: input.ip ?? false,
+    userAgent: input.userAgent ?? false,
+    language: input.language ?? false,
+    screen: input.screen ?? false,
+    timezone: input.timezone ?? false,
+    hardware: input.hardware ?? false
+  };
+}
+export function mergePrivacy(base, override) {
+  if (override === void 0 || override === null) return base;
+  if (typeof override === "boolean") return resolvePrivacy(override);
+  return {
+    ip: override.ip !== void 0 ? override.ip : base.ip,
+    userAgent: override.userAgent !== void 0 ? override.userAgent : base.userAgent,
+    language: override.language !== void 0 ? override.language : base.language,
+    screen: override.screen !== void 0 ? override.screen : base.screen,
+    timezone: override.timezone !== void 0 ? override.timezone : base.timezone,
+    hardware: override.hardware !== void 0 ? override.hardware : base.hardware
+  };
+}
+export const IP_HEADERS = [
+  "x-forwarded-for",
+  "x-real-ip",
+  "forwarded",
+  "cf-connecting-ip",
+  "true-client-ip",
+  "x-client-ip",
+  "x-cluster-client-ip"
+];
+export const FINGERPRINT_HEADERS = [
+  "user-agent",
+  "accept-language",
+  "accept-encoding",
+  "sec-ch-ua",
+  "sec-ch-ua-platform",
+  "sec-ch-ua-mobile",
+  "sec-ch-ua-full-version-list"
+];
+export const SENSITIVE_HEADERS = [
+  "cookie",
+  "authorization",
+  "proxy-authorization",
+  "x-csrf-token",
+  "www-authenticate"
+];
+export const STRIP_PARAMS = {
+  // IP addresses — anonymized to subnet
+  ip: ["uip", "ip", "client_ip_address", "ip_address", "user_ip", "ipaddress", "context.ip"],
+  // User identifiers — intentionally preserved for analytics functionality
+  userId: ["uid", "user_id", "userid", "external_id", "cid", "_gid", "fbp", "fbc", "sid", "session_id", "sessionid", "pl_id", "p_user_id", "uuid", "anonymousid", "twclid", "u_c1", "u_sclid", "u_scsid"],
+  // User data (PII) — intentionally preserved; hashed by analytics SDKs before sending
+  userData: ["ud", "user_data", "userdata", "email", "phone", "traits.email", "traits.phone"],
+  // Screen/Hardware — generalized to common buckets
+  screen: ["sr", "vp", "sd", "screen", "viewport", "colordepth", "pixelratio", "sh", "sw"],
+  // Hardware capabilities — generalized to common buckets
+  hardware: ["hardwareconcurrency", "devicememory", "cpu", "mem"],
+  // Platform identifiers — low entropy, kept as-is (e.g. "Linux", "x86")
+  platform: ["plat", "platform", "d_a", "d_ot"],
+  // Version strings — generalized to major version only (d_os = Snapchat OS version, uapv = GA platform version)
+  version: ["d_os", "uapv"],
+  // Browser version lists — generalized to major versions (d_bvs = Snapchat, uafvl = GA Client Hints)
+  browserVersion: ["d_bvs", "uafvl"],
+  // Browser data lists — replaced with empty value
+  browserData: ["plugins", "fonts"],
+  // Location/Timezone — generalized
+  location: ["tz", "timezone", "timezoneoffset"],
+  // Canvas/WebGL/Audio fingerprints — replaced with empty value (pure fingerprints, no analytics value)
+  canvas: ["canvas", "webgl", "audiofingerprint"],
+  // Combined device fingerprinting (X/Twitter dv param contains: timezone, locale, vendor, platform, screen, etc.)
+  deviceInfo: ["dv", "device_info", "deviceinfo"]
+};
+export const NORMALIZE_PARAMS = {
+  language: ["ul", "lang", "language", "languages"],
+  userAgent: ["ua", "useragent", "user_agent", "client_user_agent", "context.useragent"]
+};
+export function anonymizeIP(ip) {
+  if (ip.includes(":")) {
+    return ip.split(":").slice(0, 3).join(":") + "::";
+  }
+  const parts = ip.split(".");
+  if (parts.length === 4) {
+    parts[3] = "0";
+    return parts.join(".");
+  }
+  return ip;
+}
+export function normalizeUserAgent(ua) {
+  const tokens = [
+    ["Edg/", "Edge"],
+    ["OPR/", "Opera"],
+    ["Opera/", "Opera"],
+    ["Firefox/", "Firefox"],
+    ["Chrome/", "Chrome"],
+    ["Safari/", "Safari"]
+  ];
+  for (const [pattern, family] of tokens) {
+    const idx = ua.indexOf(pattern);
+    if (idx !== -1) {
+      const versionStart = idx + pattern.length;
+      const majorVersion = ua.slice(versionStart).match(/^(\d+)/)?.[1];
+      if (majorVersion)
+        return `Mozilla/5.0 (compatible; ${family}/${majorVersion}.0)`;
+    }
+  }
+  return "Mozilla/5.0 (compatible)";
+}
+export function normalizeLanguage(lang) {
+  return lang.split(",")[0]?.split(";")[0]?.trim() || "en";
+}
+const SCREEN_BUCKETS = {
+  desktop: { w: 1920, h: 1080 },
+  tablet: { w: 768, h: 1024 },
+  mobile: { w: 360, h: 640 }
+};
+function getDeviceClass(width) {
+  if (width >= 1200) return "desktop";
+  if (width >= 700) return "tablet";
+  return "mobile";
+}
+export function generalizeScreen(value, dimension) {
+  if (typeof value === "string" && value.includes("x")) {
+    const width = Number.parseInt(value.split("x")[0] || "0");
+    const cls = getDeviceClass(width);
+    return `${SCREEN_BUCKETS[cls].w}x${SCREEN_BUCKETS[cls].h}`;
+  }
+  const num = typeof value === "number" ? value : Number(value);
+  if (!Number.isNaN(num)) {
+    const cls = getDeviceClass(num);
+    const bucketed = dimension === "height" ? SCREEN_BUCKETS[cls].h : SCREEN_BUCKETS[cls].w;
+    return typeof value === "number" ? bucketed : String(bucketed);
+  }
+  return "1920x1080";
+}
+export function generalizeHardware(value) {
+  const num = typeof value === "number" ? value : Number(value);
+  if (Number.isNaN(num)) return 4;
+  if (num >= 16) return 16;
+  if (num >= 8) return 8;
+  if (num >= 4) return 4;
+  return 2;
+}
+export function generalizeVersion(value) {
+  if (typeof value !== "string") return String(value);
+  const match = value.match(/^(\d+)(([.\-_])\d+)*/);
+  if (!match) return String(value);
+  const major = match[1];
+  const sep = match[3] || ".";
+  const segmentCount = value.split(/[.\-_]/).length;
+  return major + (sep + "0").repeat(segmentCount - 1);
+}
+export function generalizeBrowserVersions(value) {
+  if (typeof value !== "string") return String(value);
+  const zeroSegments = (ver) => {
+    const parts = ver.split(".");
+    return parts[0] + parts.slice(1).map(() => ".0").join("");
+  };
+  if (value.includes('"version"'))
+    return value.replace(/("version"\s*:\s*")(\d+(?:\.\d+)*)/g, (_, prefix, ver) => prefix + zeroSegments(ver));
+  if (value.includes(";"))
+    return value.replace(/;(\d+(?:\.\d+)*)/g, (_, ver) => ";" + zeroSegments(ver));
+  return value;
+}
+export function generalizeTimezone(value) {
+  if (typeof value === "number") {
+    return Math.round(value / 180) * 180;
+  }
+  if (typeof value === "string") {
+    return "UTC";
+  }
+  return 0;
+}
+export function anonymizeDeviceInfo(value) {
+  const sep = value.includes("|") ? "|" : "&";
+  const parts = value.split(sep);
+  if (parts.length < 4) return value;
+  const result = [...parts];
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    if (part.includes("/") && /^[A-Z]/.test(part)) {
+      result[i] = String(generalizeTimezone(part));
+      continue;
+    }
+    if (/^[a-z]{2}(?:-[a-z]{2,})?$/i.test(part)) {
+      result[i] = normalizeLanguage(part);
+      continue;
+    }
+    const num = Number(part);
+    if (!Number.isNaN(num) && num >= 300 && num <= 1e4) {
+      const nextNum = Number(parts[i + 1]);
+      if (!Number.isNaN(nextNum) && nextNum >= 300 && nextNum <= 1e4) {
+        const cls = getDeviceClass(num);
+        result[i] = String(SCREEN_BUCKETS[cls].w);
+        result[i + 1] = String(SCREEN_BUCKETS[cls].h);
+        i++;
+        continue;
+      }
+      result[i] = String(generalizeScreen(num));
+      continue;
+    }
+    if (!Number.isNaN(num) && num < -60) {
+      result[i] = String(generalizeTimezone(num));
+    }
+  }
+  return result.join(sep);
+}
+export function stripPayloadFingerprinting(payload, privacy) {
+  const p = privacy || FULL_PRIVACY;
+  const result = {};
+  let deviceClass;
+  for (const [key, value] of Object.entries(payload)) {
+    if (key.toLowerCase() === "sw") {
+      const num = typeof value === "number" ? value : Number(value);
+      if (!Number.isNaN(num)) deviceClass = getDeviceClass(num);
+    }
+  }
+  for (const [key, value] of Object.entries(payload)) {
+    const lowerKey = key.toLowerCase();
+    const matchesParam = (key2, params) => {
+      const lk = key2.toLowerCase();
+      return params.some((pm) => {
+        const lp = pm.toLowerCase();
+        return lk === lp || lk.startsWith(lp + "[");
+      });
+    };
+    const isLanguageParam = NORMALIZE_PARAMS.language.some((pm) => lowerKey === pm.toLowerCase());
+    if (isLanguageParam) {
+      if (Array.isArray(value)) {
+        result[key] = p.language ? value.map((v) => typeof v === "string" ? normalizeLanguage(v) : v) : value;
+      } else if (typeof value === "string") {
+        result[key] = p.language ? normalizeLanguage(value) : value;
+      } else {
+        result[key] = value;
+      }
+      continue;
+    }
+    const isUserAgentParam = NORMALIZE_PARAMS.userAgent.some((pm) => lowerKey === pm.toLowerCase());
+    if (isUserAgentParam && typeof value === "string") {
+      result[key] = p.userAgent ? normalizeUserAgent(value) : value;
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.ip) && typeof value === "string") {
+      result[key] = p.ip ? anonymizeIP(value) : value;
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.screen)) {
+      if (!p.screen) {
+        result[key] = value;
+        continue;
+      }
+      if (["sd", "colordepth", "pixelratio"].includes(lowerKey)) {
+        result[key] = value;
+      } else if (lowerKey === "sh" && deviceClass) {
+        const paired = SCREEN_BUCKETS[deviceClass].h;
+        result[key] = typeof value === "number" ? paired : String(paired);
+      } else {
+        result[key] = generalizeScreen(value, lowerKey === "sw" ? "width" : lowerKey === "sh" ? "height" : void 0);
+      }
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.hardware)) {
+      result[key] = p.screen ? generalizeHardware(value) : value;
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.version)) {
+      result[key] = p.hardware ? generalizeVersion(value) : value;
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.browserVersion)) {
+      result[key] = p.hardware ? generalizeBrowserVersions(value) : value;
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.location)) {
+      result[key] = p.timezone ? generalizeTimezone(value) : value;
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.browserData)) {
+      result[key] = p.hardware ? Array.isArray(value) ? [] : "" : value;
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.canvas)) {
+      result[key] = p.hardware ? typeof value === "number" ? 0 : typeof value === "object" ? {} : "" : value;
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.deviceInfo)) {
+      result[key] = p.hardware ? typeof value === "string" ? anonymizeDeviceInfo(value) : "" : value;
+      continue;
+    }
+    if (matchesParam(key, STRIP_PARAMS.platform)) {
+      result[key] = value;
+      continue;
+    }
+    if (Array.isArray(value)) {
+      result[key] = value.map(
+        (item) => typeof item === "object" && item !== null ? stripPayloadFingerprinting(item, privacy) : item
+      );
+    } else if (typeof value === "object" && value !== null) {
+      result[key] = stripPayloadFingerprinting(value, privacy);
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}

package/dist/runtime/server/x-embed-image.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+export default _default;

package/dist/runtime/server/x-embed-image.js

@@ -0,0 +1,53 @@
+import { createError, defineEventHandler, getQuery, setHeader } from "h3";
+import { $fetch } from "ofetch";
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  const url = query.url;
+  if (!url) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Image URL is required"
+    });
+  }
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Invalid image URL"
+    });
+  }
+  if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Invalid URL scheme"
+    });
+  }
+  const allowedDomains = [
+    "pbs.twimg.com",
+    "abs.twimg.com",
+    "video.twimg.com"
+  ];
+  if (!allowedDomains.includes(parsedUrl.hostname)) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Domain not allowed"
+    });
+  }
+  const response = await $fetch.raw(url, {
+    timeout: 5e3,
+    headers: {
+      "Accept": "image/webp,image/jpeg,image/png,image/*,*/*;q=0.8",
+      "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
+    }
+  }).catch((error) => {
+    throw createError({
+      statusCode: error.statusCode || 500,
+      statusMessage: error.statusMessage || "Failed to fetch image"
+    });
+  });
+  setHeader(event, "Content-Type", response.headers.get("content-type") || "image/jpeg");
+  setHeader(event, "Cache-Control", "public, max-age=3600, s-maxage=3600");
+  return response._data;
+});

package/dist/runtime/server/x-embed.d.ts

@@ -0,0 +1,49 @@
+interface TweetData {
+    id_str: string;
+    text: string;
+    created_at: string;
+    favorite_count: number;
+    conversation_count: number;
+    user: {
+        name: string;
+        screen_name: string;
+        profile_image_url_https: string;
+        verified?: boolean;
+        is_blue_verified?: boolean;
+    };
+    entities?: {
+        media?: Array<{
+            media_url_https: string;
+            type: string;
+            sizes: Record<string, {
+                w: number;
+                h: number;
+            }>;
+        }>;
+        urls?: Array<{
+            url: string;
+            expanded_url: string;
+            display_url: string;
+        }>;
+    };
+    photos?: Array<{
+        url: string;
+        width: number;
+        height: number;
+    }>;
+    video?: {
+        poster: string;
+        variants: Array<{
+            type: string;
+            src: string;
+        }>;
+    };
+    quoted_tweet?: TweetData;
+    parent?: {
+        user: {
+            screen_name: string;
+        };
+    };
+}
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<TweetData>>;
+export default _default;

package/dist/runtime/server/x-embed.js

@@ -0,0 +1,31 @@
+import { createError, defineEventHandler, getQuery, setHeader } from "h3";
+import { $fetch } from "ofetch";
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  const tweetId = query.id;
+  if (!tweetId || !/^\d+$/.test(tweetId)) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Valid Tweet ID is required"
+    });
+  }
+  const randomToken = [...Array(11)].map(() => (Math.random() * 36).toString(36)[2]).join("");
+  const params = new URLSearchParams({ id: tweetId, token: randomToken });
+  const tweetData = await $fetch(
+    `https://cdn.syndication.twimg.com/tweet-result?${params.toString()}`,
+    {
+      headers: {
+        "Accept": "application/json",
+        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
+      }
+    }
+  ).catch((error) => {
+    throw createError({
+      statusCode: error.statusCode || 500,
+      statusMessage: error.statusMessage || "Failed to fetch tweet"
+    });
+  });
+  setHeader(event, "Content-Type", "application/json");
+  setHeader(event, "Cache-Control", "public, max-age=600, s-maxage=600");
+  return tweetData;
+});

package/dist/runtime/sw/proxy-sw.template.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/runtime/sw/proxy-sw.template.js

@@ -0,0 +1,54 @@
+/**
+ * Nuxt Scripts Service Worker - intercepts analytics requests
+ *
+ * Injected at runtime:
+ * - INTERCEPT_RULES: Array<{ pattern: string, pathPrefix: string, target: string }>
+ */
+
+/* global INTERCEPT_RULES */
+
+self.addEventListener('install', () => {
+  // console.log('[nuxt-scripts-sw] Installing...');
+  self.skipWaiting()
+})
+
+self.addEventListener('activate', (event) => {
+  // console.log('[nuxt-scripts-sw] Activating...');
+  event.waitUntil(self.clients.claim())
+})
+
+self.addEventListener('fetch', (event) => {
+  const url = new URL(event.request.url)
+
+  // Only intercept cross-origin requests
+  if (url.origin === self.location.origin) return
+
+  for (const rule of INTERCEPT_RULES) {
+    const hostMatches = url.host === rule.pattern || url.host.endsWith('.' + rule.pattern)
+    // Check if path prefix matches (if one is required)
+    const pathMatches = !rule.pathPrefix || url.pathname.startsWith(rule.pathPrefix)
+
+    if (hostMatches && pathMatches) {
+      // Strip path prefix from the original URL path before building proxy URL
+      const strippedPath = rule.pathPrefix
+        ? url.pathname.slice(rule.pathPrefix.length) || '/'
+        : url.pathname
+
+      // console.log('[nuxt-scripts-sw] Intercepting:', url.href, '->', rule.target + strippedPath);
+
+      const separator = strippedPath.startsWith('/') ? '' : '/'
+      const proxyUrl = new URL(rule.target + separator + strippedPath + url.search, self.location.origin)
+      const clonedRequest = event.request.clone()
+      event.respondWith(
+        fetch(proxyUrl.href, {
+          method: clonedRequest.method,
+          headers: clonedRequest.headers,
+          body: clonedRequest.method !== 'GET' && clonedRequest.method !== 'HEAD' ? clonedRequest.body : undefined,
+          credentials: 'same-origin',
+          redirect: 'follow',
+        }),
+      )
+      return
+    }
+  }
+})