Merge pull request #449 from Baroshem/fix/csp-meta-charset-v2

fix(csp): ensure charset meta at top of head

src/runtime/nitro/plugins/60-recombineHtml.ts

@@ -21,7 +21,14 @@ export default defineNitroPlugin((nitroApp) => {
       const csp = structuredClone(rules.headers.contentSecurityPolicy)
       csp['frame-ancestors'] = false
       const headerValue = headerStringFromObject('contentSecurityPolicy', csp)
-      html.head.unshift(`<meta http-equiv="Content-Security-Policy" content="${headerValue}">`)
+
+      // Let's insert the CSP meta tag just after the first tag which should be the charset meta
+      let insertIndex = 0
+      const metaCharsetMatch = html.head[0].match(/^<meta charset="(.*?)">/mdi)
+      if (metaCharsetMatch && metaCharsetMatch.indices) {
+        insertIndex = metaCharsetMatch.indices[0][1]
+      }
+      html.head[0] = html.head[0].slice(0, insertIndex) + `<meta http-equiv="Content-Security-Policy" content="${headerValue}">` + html.head[0].slice(insertIndex) 
     }
   })
 })

test/ssgHashes.test.ts

@@ -217,4 +217,15 @@ describe('[nuxt-security] SSG support of CSP', async () => {
     const metaFrameAncestors = metaCsp!.split(';').find(policy => policy.trim().startsWith('frame-ancestors'))
     expect(metaFrameAncestors).toBeUndefined()
   })
+
+  it('sets CSP meta at top of head after charset meta', async () => {
+    const res = await fetch('/')
+
+    const body = await res.text()
+
+    expect(res).toBeDefined()
+    expect(res).toBeTruthy()
+    expect(body).toBeDefined()
+    expect(body).toMatch(/^<!DOCTYPE html><html><head><meta charset="utf-8"><meta http-equiv="Content-Security-Policy"/)
+  })
 })