npm - @nuxt/scripts - Versions diffs - 1.0.0-beta.2 → 1.0.0-beta.21 - Mend

@nuxt/scripts 1.0.0-beta.2 → 1.0.0-beta.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (165) hide show

package/README.md +3 -3
package/dist/client/200.html +1 -1
package/dist/client/404.html +1 -1
package/dist/client/_nuxt/{DvH517bE.js → BlmrFwhD.js} +1 -1
package/dist/client/_nuxt/{DfLgoB--.js → BwCYQWJt.js} +1 -1
package/dist/client/_nuxt/DvbTvDd0.js +162 -0
package/dist/client/_nuxt/{B66N9HCo.js → ZrewjUYk.js} +1 -1
package/dist/client/_nuxt/builds/latest.json +1 -1
package/dist/client/_nuxt/builds/meta/6660a023-888d-415f-b66d-ce774e6f8f11.json +1 -0
package/dist/client/_nuxt/entry.CACgbLJl.css +1 -0
package/dist/client/_nuxt/error-404.CHeaW3dp.css +1 -0
package/dist/client/_nuxt/error-500.DvOvWme_.css +1 -0
package/dist/client/index.html +1 -1
package/dist/module.d.mts +27 -18
package/dist/module.d.ts +178 -0
package/dist/module.json +1 -1
package/dist/module.mjs +763 -526
package/dist/registry.d.ts +6 -0
package/dist/registry.mjs +109 -21
package/dist/runtime/components/GoogleMaps/ScriptGoogleMaps.d.vue.ts +2 -2
package/dist/runtime/components/GoogleMaps/ScriptGoogleMaps.vue +7 -7
package/dist/runtime/components/GoogleMaps/ScriptGoogleMaps.vue.d.ts +2 -2
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsAdvancedMarkerElement.vue +6 -6
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsCircle.vue +7 -7
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsHeatmapLayer.vue +6 -6
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsInfoWindow.vue +12 -12
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsMarker.vue +6 -6
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsMarkerClusterer.d.vue.ts +1 -1
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsMarkerClusterer.vue +6 -6
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsMarkerClusterer.vue.d.ts +1 -1
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsPinElement.vue +5 -5
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsPolygon.vue +7 -7
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsPolyline.vue +7 -7
package/dist/runtime/components/GoogleMaps/ScriptGoogleMapsRectangle.vue +7 -7
package/dist/runtime/components/ScriptCrisp.vue +1 -1
package/dist/runtime/components/ScriptGoogleAdsense.vue +1 -1
package/dist/runtime/components/ScriptGravatar.d.vue.ts +22 -0
package/dist/runtime/components/ScriptGravatar.vue +46 -0
package/dist/runtime/components/ScriptGravatar.vue.d.ts +22 -0
package/dist/runtime/components/ScriptInstagramEmbed.vue +1 -1
package/dist/runtime/components/ScriptIntercom.vue +4 -3
package/dist/runtime/components/ScriptPayPalButtons.d.vue.ts +43 -32
package/dist/runtime/components/ScriptPayPalButtons.vue +48 -79
package/dist/runtime/components/ScriptPayPalButtons.vue.d.ts +43 -32
package/dist/runtime/components/ScriptPayPalMessages.d.vue.ts +37 -23
package/dist/runtime/components/ScriptPayPalMessages.vue +46 -50
package/dist/runtime/components/ScriptPayPalMessages.vue.d.ts +37 -23
package/dist/runtime/components/ScriptStripePricingTable.vue +2 -2
package/dist/runtime/components/ScriptVimeoPlayer.d.vue.ts +9 -0
package/dist/runtime/components/ScriptVimeoPlayer.vue +13 -10
package/dist/runtime/components/ScriptVimeoPlayer.vue.d.ts +9 -0
package/dist/runtime/components/ScriptXEmbed.d.vue.ts +1 -1
package/dist/runtime/components/ScriptXEmbed.vue +1 -1
package/dist/runtime/components/ScriptXEmbed.vue.d.ts +1 -1
package/dist/runtime/components/ScriptYouTubePlayer.d.vue.ts +2 -2
package/dist/runtime/components/ScriptYouTubePlayer.vue +11 -5
package/dist/runtime/components/ScriptYouTubePlayer.vue.d.ts +2 -2
package/dist/runtime/composables/useScript.js +11 -6
package/dist/runtime/composables/useScriptEventPage.js +2 -2
package/dist/runtime/composables/useScriptTriggerConsent.js +1 -1
package/dist/runtime/composables/useScriptTriggerElement.js +1 -1
package/dist/runtime/composables/useScriptTriggerIdleTimeout.js +1 -1
package/dist/runtime/registry/clarity.d.ts +10 -15
package/dist/runtime/registry/clarity.js +22 -31
package/dist/runtime/registry/cloudflare-web-analytics.d.ts +2 -13
package/dist/runtime/registry/cloudflare-web-analytics.js +2 -14
package/dist/runtime/registry/crisp.d.ts +9 -39
package/dist/runtime/registry/crisp.js +2 -33
package/dist/runtime/registry/databuddy-analytics.d.ts +2 -35
package/dist/runtime/registry/databuddy-analytics.js +20 -45
package/dist/runtime/registry/fathom-analytics.d.ts +6 -25
package/dist/runtime/registry/fathom-analytics.js +2 -24
package/dist/runtime/registry/google-adsense.d.ts +2 -10
package/dist/runtime/registry/google-adsense.js +2 -11
package/dist/runtime/registry/google-analytics.d.ts +3 -5
package/dist/runtime/registry/google-analytics.js +3 -8
package/dist/runtime/registry/google-maps.d.ts +3 -9
package/dist/runtime/registry/google-maps.js +2 -8
package/dist/runtime/registry/google-recaptcha.d.ts +2 -6
package/dist/runtime/registry/google-recaptcha.js +4 -12
package/dist/runtime/registry/google-sign-in.d.ts +2 -13
package/dist/runtime/registry/google-sign-in.js +2 -22
package/dist/runtime/registry/google-tag-manager.d.ts +3 -28
package/dist/runtime/registry/google-tag-manager.js +4 -27
package/dist/runtime/registry/gravatar.d.ts +25 -0
package/dist/runtime/registry/gravatar.js +32 -0
package/dist/runtime/registry/hotjar.d.ts +3 -5
package/dist/runtime/registry/hotjar.js +2 -5
package/dist/runtime/registry/instagram-embed.d.ts +2 -17
package/dist/runtime/registry/instagram-embed.js +4 -19
package/dist/runtime/registry/intercom.d.ts +3 -11
package/dist/runtime/registry/intercom.js +2 -12
package/dist/runtime/registry/matomo-analytics.d.ts +2 -11
package/dist/runtime/registry/matomo-analytics.js +3 -12
package/dist/runtime/registry/meta-pixel.d.ts +3 -5
package/dist/runtime/registry/meta-pixel.js +2 -4
package/dist/runtime/registry/npm.d.ts +2 -6
package/dist/runtime/registry/npm.js +2 -9
package/dist/runtime/registry/paypal.d.ts +4 -25
package/dist/runtime/registry/paypal.js +3 -66
package/dist/runtime/registry/plausible-analytics.js +18 -13
package/dist/runtime/registry/posthog.d.ts +10 -11
package/dist/runtime/registry/posthog.js +7 -20
package/dist/runtime/registry/reddit-pixel.d.ts +4 -5
package/dist/runtime/registry/reddit-pixel.js +2 -4
package/dist/runtime/registry/rybbit-analytics.d.ts +2 -14
package/dist/runtime/registry/rybbit-analytics.js +7 -19
package/dist/runtime/registry/schemas.d.ts +946 -0
package/dist/runtime/registry/schemas.js +901 -0
package/dist/runtime/registry/segment.d.ts +2 -5
package/dist/runtime/registry/segment.js +2 -5
package/dist/runtime/registry/snapchat-pixel.d.ts +3 -32
package/dist/runtime/registry/snapchat-pixel.js +2 -20
package/dist/runtime/registry/stripe.d.ts +3 -4
package/dist/runtime/registry/stripe.js +2 -4
package/dist/runtime/registry/tiktok-pixel.d.ts +3 -6
package/dist/runtime/registry/tiktok-pixel.js +2 -6
package/dist/runtime/registry/umami-analytics.d.ts +2 -31
package/dist/runtime/registry/umami-analytics.js +2 -36
package/dist/runtime/registry/vercel-analytics.d.ts +29 -0
package/dist/runtime/registry/vercel-analytics.js +84 -0
package/dist/runtime/registry/vimeo-player.d.ts +2 -2
package/dist/runtime/registry/vimeo-player.js +1 -1
package/dist/runtime/registry/x-embed.d.ts +2 -16
package/dist/runtime/registry/x-embed.js +2 -17
package/dist/runtime/registry/x-pixel.d.ts +3 -6
package/dist/runtime/registry/x-pixel.js +2 -5
package/dist/runtime/registry/youtube-player.d.ts +7 -7
package/dist/runtime/registry/youtube-player.js +1 -1
package/dist/runtime/server/google-static-maps-proxy.js +1 -1
package/dist/runtime/server/{sw-handler.d.ts → gravatar-proxy.d.ts} +1 -1
package/dist/runtime/server/gravatar-proxy.js +62 -0
package/dist/runtime/server/instagram-embed-asset.js +2 -1
package/dist/runtime/server/instagram-embed-image.js +2 -1
package/dist/runtime/server/instagram-embed.js +22 -13
package/dist/runtime/server/proxy-handler.js +161 -117
package/dist/runtime/server/utils/privacy.d.ts +45 -1
package/dist/runtime/server/utils/privacy.js +103 -40
package/dist/runtime/server/x-embed.js +3 -2
package/dist/runtime/types.d.ts +35 -24
package/dist/runtime/utils/pure.d.ts +0 -4
package/dist/runtime/utils/pure.js +0 -67
package/dist/runtime/utils.d.ts +3 -3
package/dist/runtime/utils.js +12 -7
package/dist/shared/scripts.Crpn87WB.mjs +318 -0
package/dist/stats.d.mts +39 -0
package/dist/stats.d.ts +39 -0
package/dist/stats.mjs +772 -0
package/dist/types-source.d.mts +19 -0
package/dist/types-source.d.ts +19 -0
package/dist/types-source.mjs +975 -0
package/package.json +42 -31
package/dist/client/_nuxt/B8XOar-X.js +0 -162
package/dist/client/_nuxt/builds/meta/133a46c5-a5c1-4a63-87d1-037947a5bcdb.json +0 -1
package/dist/client/_nuxt/entry.D45OuV0w.css +0 -1
package/dist/client/_nuxt/error-404.B57D-jUQ.css +0 -1
package/dist/client/_nuxt/error-500.DTHUW7BI.css +0 -1
package/dist/runtime/components/ScriptPayPalMarks.d.vue.ts +0 -52
package/dist/runtime/components/ScriptPayPalMarks.vue +0 -69
package/dist/runtime/components/ScriptPayPalMarks.vue.d.ts +0 -52
package/dist/runtime/plugins/sw-register.client.d.ts +0 -2
package/dist/runtime/plugins/sw-register.client.js +0 -12
package/dist/runtime/server/sw-handler.js +0 -25
package/dist/runtime/sw/proxy-sw.template.d.ts +0 -1
package/dist/runtime/sw/proxy-sw.template.js +0 -54

package/dist/runtime/server/instagram-embed.js CHANGED Viewed

@@ -1,5 +1,16 @@
 import { createError, defineEventHandler, getQuery, setHeader } from "h3";
 import { $fetch } from "ofetch";
+const LINK_RE = /<link[^>]+rel=["']stylesheet["'][^>]+href=["']([^"']+)["'][^>]*>/gi;
+const LINK_RE_2 = /<link[^>]+href=["']([^"']+)["'][^>]+rel=["']stylesheet["'][^>]*>/gi;
+const RSRC_RE = /url\(\/rsrc\.php([^)]+)\)/g;
+const SCRIPT_RE = /<script[\s\S]*?<\/script>/gi;
+const STYLESHEET_RE = /<link[^>]+rel=["']stylesheet["'][^>]*>/gi;
+const CSS_RE = /<link[^>]+href=["'][^"']+\.css[^"']*["'][^>]*>/gi;
+const NOSCRIPT_RE = /<noscript>[\s\S]*?<\/noscript>/gi;
+const SCONTENT_RE = /https:\/\/scontent[^"'\s),]+\.cdninstagram\.com[^"'\s),]+/g;
+const STATIC_CDN_RE = /https:\/\/static\.cdninstagram\.com[^"'\s),]+/g;
+const LOOKASIDE_RE = /https:\/\/lookaside\.instagram\.com[^"'\s),]+/g;
+const AMP_RE = /&amp;/g;
 export default defineEventHandler(async (event) => {
   const query = getQuery(event);
   const postUrl = query.url;
@@ -27,7 +38,7 @@ export default defineEventHandler(async (event) => {
   }
   const pathname = parsedUrl.pathname.endsWith("/") ? parsedUrl.pathname : `${parsedUrl.pathname}/`;
   const cleanUrl = parsedUrl.origin + pathname;
-  const embedUrl = cleanUrl + "embed/" + (captions ? "captioned/" : "");
+  const embedUrl = `${cleanUrl}embed/${captions ? "captioned/" : ""}`;
   const html = await $fetch(embedUrl, {
     headers: {
       "Accept": "text/html",
@@ -41,14 +52,12 @@ export default defineEventHandler(async (event) => {
     });
   });
   const cssUrls = [];
-  const linkRegex = /<link[^>]+rel=["']stylesheet["'][^>]+href=["']([^"']+)["'][^>]*>/gi;
   let match;
-  while ((match = linkRegex.exec(html)) !== null) {
+  while ((match = LINK_RE.exec(html)) !== null) {
     if (match[1])
       cssUrls.push(match[1]);
   }
-  const linkRegex2 = /<link[^>]+href=["']([^"']+)["'][^>]+rel=["']stylesheet["'][^>]*>/gi;
-  while ((match = linkRegex2.exec(html)) !== null) {
+  while ((match = LINK_RE_2.exec(html)) !== null) {
     if (match[1])
       cssUrls.push(match[1]);
   }
@@ -61,7 +70,7 @@ export default defineEventHandler(async (event) => {
   );
   let combinedCss = cssContents.join("\n");
   combinedCss = combinedCss.replace(
-    /url\(\/rsrc\.php([^)]+)\)/g,
+    RSRC_RE,
     (_m, path) => `url(/api/_scripts/instagram-embed-asset?url=${encodeURIComponent(`https://static.cdninstagram.com/rsrc.php${path}`)})`
   );
   const baseStyles = `
@@ -70,15 +79,15 @@ export default defineEventHandler(async (event) => {
     .Embed { opacity: 1 !important; visibility: visible !important; }
     .EmbeddedMedia, .EmbeddedMediaImage { display: block !important; visibility: visible !important; }
   `;
-  let rewrittenHtml = html.replace(/<script[\s\S]*?<\/script>/gi, "").replace(/<link[^>]+rel=["']stylesheet["'][^>]*>/gi, "").replace(/<link[^>]+href=["'][^"']+\.css[^"']*["'][^>]*>/gi, "").replace(/<noscript>[\s\S]*?<\/noscript>/gi, "").replace(
-    /https:\/\/scontent[^"'\s),]+\.cdninstagram\.com[^"'\s),]+/g,
-    (m) => `/api/_scripts/instagram-embed-image?url=${encodeURIComponent(m.replace(/&amp;/g, "&"))}`
+  let rewrittenHtml = html.replace(SCRIPT_RE, "").replace(STYLESHEET_RE, "").replace(CSS_RE, "").replace(NOSCRIPT_RE, "").replace(
+    SCONTENT_RE,
+    (m) => `/api/_scripts/instagram-embed-image?url=${encodeURIComponent(m.replace(AMP_RE, "&"))}`
   ).replace(
-    /https:\/\/static\.cdninstagram\.com[^"'\s),]+/g,
-    (m) => `/api/_scripts/instagram-embed-asset?url=${encodeURIComponent(m.replace(/&amp;/g, "&"))}`
+    STATIC_CDN_RE,
+    (m) => `/api/_scripts/instagram-embed-asset?url=${encodeURIComponent(m.replace(AMP_RE, "&"))}`
   ).replace(
-    /https:\/\/lookaside\.instagram\.com[^"'\s),]+/g,
-    (m) => `/api/_scripts/instagram-embed-image?url=${encodeURIComponent(m.replace(/&amp;/g, "&"))}`
+    LOOKASIDE_RE,
+    (m) => `/api/_scripts/instagram-embed-image?url=${encodeURIComponent(m.replace(AMP_RE, "&"))}`
   );
   rewrittenHtml = rewrittenHtml.replace(
     "</head>",

package/dist/runtime/server/proxy-handler.js CHANGED Viewed

@@ -1,30 +1,40 @@
-import { defineEventHandler, getHeaders, getRequestIP, readBody, getQuery, setResponseHeader, createError } from "h3";
 import { useRuntimeConfig } from "#imports";
-import { useStorage, useNitroApp } from "nitropack/runtime";
-import { hash } from "ohash";
-import { rewriteScriptUrls } from "../utils/pure.js";
+import { createError, defineEventHandler, getHeaders, getQuery, getRequestIP, getRequestWebStream, readBody, setResponseHeader } from "h3";
+import { useNitroApp } from "nitropack/runtime";
 import {
-  FINGERPRINT_HEADERS,
-  IP_HEADERS,
-  SENSITIVE_HEADERS,
   anonymizeIP,
+  mergePrivacy,
   normalizeLanguage,
   normalizeUserAgent,
+  resolvePrivacy,
+  SENSITIVE_HEADERS,
   stripPayloadFingerprinting
 } from "./utils/privacy.js";
-function stripQueryFingerprinting(query) {
-  const stripped = stripPayloadFingerprinting(query);
+const COMPRESSION_RE = /gzip|deflate|br|compress|base64/i;
+const ROUTE_WILDCARD_RE = /\/\*\*$/;
+const CLIENT_HINT_VERSION_RE = /;v="(\d+)\.[^"]*"/g;
+const SKIP_RESPONSE_HEADERS = /* @__PURE__ */ new Set(["set-cookie", "transfer-encoding", "content-encoding", "content-length"]);
+let sortedRoutesCache;
+function getSortedRoutes(routes) {
+  const key = JSON.stringify(routes);
+  if (sortedRoutesCache?.key === key)
+    return sortedRoutesCache.sorted;
+  const sorted = Object.entries(routes).sort((a, b) => b[0].length - a[0].length);
+  sortedRoutesCache = { key, sorted };
+  return sorted;
+}
+function stripQueryFingerprinting(query, privacy) {
+  const stripped = stripPayloadFingerprinting(query, privacy);
   const params = new URLSearchParams();
   for (const [key, value] of Object.entries(stripped)) {
     if (value !== void 0 && value !== null) {
-      params.set(key, String(value));
+      params.set(key, typeof value === "object" ? JSON.stringify(value) : String(value));
     }
   }
-  return params.toString();
+  return { queryString: params.toString(), stripped };
 }
 export default defineEventHandler(async (event) => {
   const config = useRuntimeConfig();
-  const nitro = useNitroApp();
   const proxyConfig = config["nuxt-scripts-proxy"];
   if (!proxyConfig) {
     throw createError({
@@ -32,7 +42,7 @@ export default defineEventHandler(async (event) => {
       statusMessage: "First-party proxy not configured"
     });
   }
-  const { routes, privacy, cacheTtl = 3600, debug = import.meta.dev } = proxyConfig;
+  const { routes, privacy: globalPrivacy, routePrivacy, debug = import.meta.dev } = proxyConfig;
   const path = event.path;
   const log = debug ? (message, ...args) => {
     console.debug(message, ...args);
@@ -40,17 +50,18 @@ export default defineEventHandler(async (event) => {
   };
   let targetBase;
   let matchedPrefix;
-  const sortedRoutes = Object.entries(routes).sort((a, b) => b[0].length - a[0].length);
-  for (const [routePattern, target] of sortedRoutes) {
-    const prefix = routePattern.replace(/\/\*\*$/, "");
+  let matchedRoutePattern;
+  for (const [routePattern, target] of getSortedRoutes(routes)) {
+    const prefix = routePattern.replace(ROUTE_WILDCARD_RE, "");
     if (path.startsWith(prefix)) {
-      targetBase = target.replace(/\/\*\*$/, "");
+      targetBase = target.replace(ROUTE_WILDCARD_RE, "");
       matchedPrefix = prefix;
+      matchedRoutePattern = routePattern;
       log("[proxy] Matched:", prefix, "->", targetBase);
       break;
     }
   }
-  if (!targetBase || !matchedPrefix) {
+  if (!targetBase || !matchedPrefix || !matchedRoutePattern) {
     log("[proxy] No match for path:", path);
     throw createError({
       statusCode: 404,
@@ -58,149 +69,197 @@ export default defineEventHandler(async (event) => {
       message: `No proxy target found for path: ${path}`
     });
   }
+  const perScriptInput = routePrivacy[matchedRoutePattern];
+  if (debug && perScriptInput === void 0) {
+    log("[proxy] WARNING: No privacy config for route", matchedRoutePattern, "\u2014 defaulting to full anonymization");
+  }
+  const perScriptResolved = resolvePrivacy(perScriptInput ?? true);
+  const privacy = globalPrivacy !== void 0 ? mergePrivacy(perScriptResolved, globalPrivacy) : perScriptResolved;
+  const anyPrivacy = privacy.ip || privacy.userAgent || privacy.language || privacy.screen || privacy.timezone || privacy.hardware;
+  const originalHeaders = getHeaders(event);
+  const originalQuery = getQuery(event);
+  const contentType = originalHeaders["content-type"] || "";
+  const compressionParam = originalQuery.compression || "";
+  const isBinaryBody = Boolean(
+    originalHeaders["content-encoding"] || contentType.includes("octet-stream") || compressionParam && COMPRESSION_RE.test(compressionParam)
+  );
   let targetPath = path.slice(matchedPrefix.length);
   if (targetPath && !targetPath.startsWith("/")) {
-    targetPath = "/" + targetPath;
+    targetPath = `/${targetPath}`;
   }
   let targetUrl = targetBase + targetPath;
-  if (privacy === "anonymize") {
-    const query = getQuery(event);
-    if (Object.keys(query).length > 0) {
-      const strippedQuery = stripQueryFingerprinting(query);
+  let strippedQueryRecord;
+  if (anyPrivacy) {
+    if (Object.keys(originalQuery).length > 0) {
+      const { queryString, stripped } = stripQueryFingerprinting(originalQuery, privacy);
+      strippedQueryRecord = stripped;
       const basePath = targetUrl.split("?")[0] || targetUrl;
-      targetUrl = strippedQuery ? `${basePath}?${strippedQuery}` : basePath;
+      targetUrl = queryString ? `${basePath}?${queryString}` : basePath;
     }
   }
-  const originalHeaders = getHeaders(event);
   const headers = {};
-  if (privacy === "proxy") {
-    for (const [key, value] of Object.entries(originalHeaders)) {
-      if (!value) continue;
-      if (SENSITIVE_HEADERS.includes(key.toLowerCase())) continue;
-      headers[key] = value;
-    }
-  } else {
-    for (const [key, value] of Object.entries(originalHeaders)) {
-      if (!value)
-        continue;
-      const lowerKey = key.toLowerCase();
-      if (IP_HEADERS.includes(lowerKey))
+  for (const [key, value] of Object.entries(originalHeaders)) {
+    if (!value)
+      continue;
+    const lowerKey = key.toLowerCase();
+    if (lowerKey === "host")
+      continue;
+    if (SENSITIVE_HEADERS.includes(lowerKey))
+      continue;
+    if (lowerKey === "content-length") {
+      if (anyPrivacy && !isBinaryBody)
         continue;
-      if (SENSITIVE_HEADERS.includes(lowerKey))
+      headers[lowerKey] = value;
+      continue;
+    }
+    if (lowerKey === "x-forwarded-for" || lowerKey === "x-real-ip" || lowerKey === "forwarded" || lowerKey === "cf-connecting-ip" || lowerKey === "true-client-ip" || lowerKey === "x-client-ip" || lowerKey === "x-cluster-client-ip") {
+      if (privacy.ip)
         continue;
-      if (lowerKey === "content-length")
+      headers[lowerKey] = value;
+      continue;
+    }
+    if (lowerKey === "user-agent") {
+      headers[key] = privacy.userAgent ? normalizeUserAgent(value) : value;
+      continue;
+    }
+    if (lowerKey === "accept-language") {
+      headers[key] = privacy.language ? normalizeLanguage(value) : value;
+      continue;
+    }
+    if (lowerKey === "sec-ch-ua" || lowerKey === "sec-ch-ua-full-version-list") {
+      headers[lowerKey] = privacy.hardware ? value.replace(CLIENT_HINT_VERSION_RE, ';v="$1"') : value;
+      continue;
+    }
+    if (lowerKey === "sec-ch-ua-platform-version" || lowerKey === "sec-ch-ua-arch" || lowerKey === "sec-ch-ua-model" || lowerKey === "sec-ch-ua-bitness") {
+      if (privacy.hardware)
         continue;
-      if (lowerKey === "user-agent") {
-        headers[key] = normalizeUserAgent(value);
-      } else if (lowerKey === "accept-language") {
-        headers[key] = normalizeLanguage(value);
-      } else if (lowerKey === "sec-ch-ua" || lowerKey === "sec-ch-ua-full-version-list") {
-        headers[key] = value.replace(/;v="(\d+)\.[^"]*"/g, ';v="$1"');
-      } else if (FINGERPRINT_HEADERS.includes(lowerKey)) {
-        headers[key] = value;
-      } else {
-        headers[key] = value;
-      }
+      headers[lowerKey] = value;
+      continue;
     }
+    headers[key] = value;
+  }
+  if (!headers["x-forwarded-for"]) {
     const clientIP = getRequestIP(event, { xForwardedFor: true });
     if (clientIP) {
-      headers["x-forwarded-for"] = anonymizeIP(clientIP);
+      if (privacy.ip) {
+        headers["x-forwarded-for"] = anonymizeIP(clientIP);
+      } else {
+        headers["x-forwarded-for"] = clientIP;
+      }
     }
+  } else if (privacy.ip) {
+    headers["x-forwarded-for"] = headers["x-forwarded-for"].split(",").map((ip) => anonymizeIP(ip.trim())).join(", ");
   }
   let body;
   let rawBody;
-  const contentType = originalHeaders["content-type"] || "";
+  let passthroughBody = false;
   const method = event.method?.toUpperCase();
-  const originalQuery = getQuery(event);
-  if (method === "POST" || method === "PUT" || method === "PATCH") {
-    rawBody = await readBody(event);
-    if (privacy === "anonymize" && rawBody) {
-      if (typeof rawBody === "object") {
-        body = stripPayloadFingerprinting(rawBody);
-      } else if (typeof rawBody === "string") {
-        if (rawBody.startsWith("{") || rawBody.startsWith("[")) {
-          let parsed = null;
-          try {
-            parsed = JSON.parse(rawBody);
-          } catch {
-          }
-          if (parsed && typeof parsed === "object") {
-            body = stripPayloadFingerprinting(parsed);
+  const isWriteMethod = method === "POST" || method === "PUT" || method === "PATCH";
+  if (isWriteMethod) {
+    if (isBinaryBody || !anyPrivacy) {
+      passthroughBody = true;
+    } else {
+      rawBody = await readBody(event);
+      if (rawBody != null) {
+        if (Array.isArray(rawBody)) {
+          body = rawBody.map(
+            (item) => item && typeof item === "object" && !Array.isArray(item) ? stripPayloadFingerprinting(item, privacy) : item
+          );
+        } else if (typeof rawBody === "object") {
+          body = stripPayloadFingerprinting(rawBody, privacy);
+        } else if (typeof rawBody === "string") {
+          if (rawBody.startsWith("{") || rawBody.startsWith("[")) {
+            let parsed = null;
+            try {
+              parsed = JSON.parse(rawBody);
+            } catch {
+            }
+            if (Array.isArray(parsed)) {
+              body = parsed.map(
+                (item) => item && typeof item === "object" && !Array.isArray(item) ? stripPayloadFingerprinting(item, privacy) : item
+              );
+            } else if (parsed && typeof parsed === "object") {
+              body = stripPayloadFingerprinting(parsed, privacy);
+            } else {
+              body = rawBody;
+            }
+          } else if (contentType.includes("application/x-www-form-urlencoded")) {
+            const params = new URLSearchParams(rawBody);
+            const obj = {};
+            params.forEach((value, key) => {
+              obj[key] = value;
+            });
+            const stripped = stripPayloadFingerprinting(obj, privacy);
+            const stringified = {};
+            for (const [k, v] of Object.entries(stripped)) {
+              if (v === void 0 || v === null)
+                continue;
+              stringified[k] = typeof v === "string" ? v : JSON.stringify(v);
+            }
+            body = new URLSearchParams(stringified).toString();
           } else {
             body = rawBody;
           }
-        } else if (contentType.includes("application/x-www-form-urlencoded")) {
-          const params = new URLSearchParams(rawBody);
-          const obj = {};
-          params.forEach((value, key) => {
-            obj[key] = value;
-          });
-          const stripped = stripPayloadFingerprinting(obj);
-          const stringified = {};
-          for (const [k, v] of Object.entries(stripped)) {
-            if (v === void 0 || v === null) continue;
-            stringified[k] = typeof v === "string" ? v : JSON.stringify(v);
-          }
-          body = new URLSearchParams(stringified).toString();
         } else {
           body = rawBody;
         }
-      } else {
-        body = rawBody;
       }
-    } else {
-      body = rawBody;
     }
   }
+  const nitro = useNitroApp();
   await nitro.hooks.callHook("nuxt-scripts:proxy", {
     timestamp: Date.now(),
     path: event.path,
     targetUrl,
     method: method || "GET",
     privacy,
+    passthroughBody,
     original: {
       headers: { ...originalHeaders },
       query: originalQuery,
-      body: rawBody ?? null
+      body: passthroughBody ? "<passthrough>" : rawBody ?? null
     },
     stripped: {
       headers,
-      query: privacy === "anonymize" ? stripPayloadFingerprinting(originalQuery) : originalQuery,
-      body: body ?? null
+      query: strippedQueryRecord ?? originalQuery,
+      body: passthroughBody ? "<passthrough>" : body ?? null
     }
   });
   log("[proxy] Fetching:", targetUrl);
   const controller = new AbortController();
   const timeoutId = setTimeout(() => controller.abort(), 15e3);
+  let fetchBody;
+  if (passthroughBody) {
+    fetchBody = getRequestWebStream(event);
+  } else if (body !== void 0) {
+    fetchBody = typeof body === "string" ? body : JSON.stringify(body);
+  }
   let response;
   try {
     response = await fetch(targetUrl, {
       method: method || "GET",
       headers,
-      body: body ? typeof body === "string" ? body : JSON.stringify(body) : void 0,
+      body: fetchBody,
       credentials: "omit",
       // Don't send cookies to third parties
-      signal: controller.signal
+      signal: controller.signal,
+      // @ts-expect-error Node fetch supports duplex for streaming request bodies
+      duplex: passthroughBody ? "half" : void 0
     });
   } catch (err) {
     clearTimeout(timeoutId);
-    log("[proxy] Fetch error:", err instanceof Error ? err.message : err);
-    if (path.includes("/collect") || path.includes("/tr") || path.includes("/events")) {
-      event.node.res.statusCode = 204;
-      return "";
-    }
-    const isTimeout = err instanceof Error && (err.message.includes("aborted") || err.message.includes("timeout"));
+    log("[proxy] Upstream error:", err);
     throw createError({
-      statusCode: isTimeout ? 504 : 502,
-      statusMessage: isTimeout ? "Upstream timeout" : "Bad Gateway",
-      message: "Failed to reach upstream"
+      statusCode: 502,
+      statusMessage: "Bad Gateway",
+      message: `Proxy upstream request failed: ${targetUrl}`
     });
+  } finally {
+    clearTimeout(timeoutId);
   }
-  clearTimeout(timeoutId);
   log("[proxy] Response:", response.status, response.statusText);
-  const skipHeaders = ["set-cookie", "transfer-encoding", "content-encoding", "content-length"];
   response.headers.forEach((value, key) => {
-    if (!skipHeaders.includes(key.toLowerCase())) {
+    if (!SKIP_RESPONSE_HEADERS.has(key.toLowerCase())) {
       setResponseHeader(event, key, value);
     }
   });
@@ -209,22 +268,7 @@ export default defineEventHandler(async (event) => {
   const responseContentType = response.headers.get("content-type") || "";
   const isTextContent = responseContentType.includes("text") || responseContentType.includes("javascript") || responseContentType.includes("json");
   if (isTextContent) {
-    let content = await response.text();
-    if (responseContentType.includes("javascript") && proxyConfig?.rewrites?.length) {
-      const cacheKey = `nuxt-scripts:proxy:${hash(targetUrl + JSON.stringify(proxyConfig.rewrites))}`;
-      const storage = useStorage("cache");
-      const cached = await storage.getItem(cacheKey);
-      if (cached && typeof cached === "string") {
-        log("[proxy] Serving rewritten script from cache");
-        content = cached;
-      } else {
-        content = rewriteScriptUrls(content, proxyConfig.rewrites);
-        await storage.setItem(cacheKey, content, { ttl: cacheTtl });
-        log("[proxy] Rewrote URLs in JavaScript response and cached");
-      }
-      setResponseHeader(event, "cache-control", `public, max-age=${cacheTtl}, stale-while-revalidate=${cacheTtl * 2}`);
-    }
-    return content;
+    return await response.text();
   }
   return Buffer.from(await response.arrayBuffer());
 });

package/dist/runtime/server/utils/privacy.d.ts CHANGED Viewed

@@ -1,3 +1,44 @@
+/**
+ * Granular privacy controls for the first-party proxy.
+ * Each flag controls both headers AND body/query params for its domain.
+ */
+export interface ProxyPrivacy {
+    /** Anonymize IP (headers + body). When false, real IP is forwarded via x-forwarded-for. */
+    ip?: boolean;
+    /** Normalize User-Agent (headers + body) */
+    userAgent?: boolean;
+    /** Normalize Accept-Language (headers + body) */
+    language?: boolean;
+    /** Generalize screen resolution, viewport, hardware concurrency, device memory */
+    screen?: boolean;
+    /** Generalize timezone offset and IANA timezone names */
+    timezone?: boolean;
+    /** Anonymize hardware fingerprints: canvas/webgl/audio, plugins/fonts, browser versions, device info */
+    hardware?: boolean;
+}
+/**
+ * Privacy input: `true` = full anonymize, `false` = passthrough (still strips sensitive headers),
+ * or a `ProxyPrivacy` object for granular control (unset flags default to `false` — opt-in).
+ */
+export type ProxyPrivacyInput = boolean | ProxyPrivacy | null;
+/** Resolved privacy with all flags explicitly set. */
+export type ResolvedProxyPrivacy = Required<ProxyPrivacy>;
+/**
+ * Normalize a privacy input to a fully-resolved object.
+ * Privacy is opt-in: unset object flags default to `false`.
+ * Each script in the registry explicitly sets all flags for its needs.
+ * - `true` → all flags true (full anonymize)
+ * - `false` / `undefined` → all flags false (passthrough)
+ * - `{ ip: true, hardware: true }` → only those active, rest off
+ */
+export declare function resolvePrivacy(input?: ProxyPrivacyInput): ResolvedProxyPrivacy;
+/**
+ * Merge privacy settings: `override` fields take precedence over `base` field-by-field.
+ * When `override` is undefined, returns `base` unchanged.
+ * When `override` is a boolean, it fully replaces `base`.
+ * When `override` is an object, only explicitly-set fields override.
+ */
+export declare function mergePrivacy(base: ResolvedProxyPrivacy, override?: ProxyPrivacyInput): ResolvedProxyPrivacy;
 /**
  * Headers that reveal user IP address - stripped in proxy mode,
  * anonymized in anonymize mode.
@@ -93,5 +134,8 @@ export declare function anonymizeDeviceInfo(value: string): string;
  * Recursively anonymize fingerprinting data in payload.
  * Fields are generalized or normalized rather than stripped, so endpoints
  * still receive valid data with reduced fingerprinting precision.
+ *
+ * When `privacy` is provided, only categories with their flag set to `true` are processed.
+ * Default (no arg) = all categories active, so existing callers work unchanged.
  */
-export declare function stripPayloadFingerprinting(payload: Record<string, unknown>): Record<string, unknown>;
+export declare function stripPayloadFingerprinting(payload: Record<string, unknown>, privacy?: ResolvedProxyPrivacy): Record<string, unknown>;