fix default-src default value

.stackblitz/.gitignore

@@ -6,4 +6,5 @@ node_modules
 .output
 .env
 dist
-.vercel
+.vercel
+yarn.lock

.stackblitz/package.json

@@ -11,6 +11,6 @@
     "nuxt": "3.9.3"
   },
   "dependencies": {
-    "nuxt-security": "^2.0.0-rc.2"
+    "nuxt-security": "^2.0.0"
   }
 }

docs/.gitignore

@@ -10,3 +10,4 @@ dist
 sw.*
 .env
 .output
+yarn.lock

docs/package.json

@@ -13,7 +13,7 @@
     "@nuxtjs/plausible": "^1.0.0",
     "@nuxtlabs/github-module": "^1.6.3",
     "nuxt": "^3.11.2",
-    "nuxt-security": "^2.0.0-rc.2"
+    "nuxt-security": "^2.0.0"
   },
   "resolutions": {
     "string-width": "4.2.3",

src/defaultConfig.ts

@@ -9,7 +9,7 @@ export const defaultSecurityConfig = (serverlUrl: string): ModuleOptions => ({
     crossOriginEmbedderPolicy: 'require-corp',
     contentSecurityPolicy: {
       'base-uri': ["'none'"],
-      'default-src' : ["'none'"],
+      'default-src' : ["'self'"],
       'font-src': ["'self'", 'https:', 'data:'],
       'form-action': ["'self'"],
       'frame-ancestors': ["'self'"],

test/headers.test.ts

@@ -37,7 +37,7 @@ describe('[nuxt-security] Headers', async () => {
     expect(cspHeaderValue).toBeTruthy()
     expect(nonceValue).toBeDefined()
     expect(nonceValue).toHaveLength(24)
-    expect(cspHeaderValue).toBe(`base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-${nonceValue}'; upgrade-insecure-requests;`)
+    expect(cspHeaderValue).toBe(`base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-${nonceValue}'; upgrade-insecure-requests;`)
   })
 
   it('has `cross-origin-embedder-policy` header set with correct default value', async () => {

test/perRoute.test.ts

@@ -29,7 +29,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-origin')
     expect(coop).toBe('same-origin')
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=31536000; includeSubDomains;')
@@ -67,7 +67,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-origin')
     expect(coop).toBe('same-origin')
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=31536000; includeSubDomains;')
@@ -105,7 +105,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-origin')
     expect(coop).toBe('same-origin')
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=31536000; includeSubDomains;')
@@ -227,7 +227,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-origin')
     expect(coop).toBe('same-origin-allow-popups')
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=31536000; includeSubDomains;')
@@ -265,7 +265,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-origin')
     expect(coop).toBe('same-origin-allow-popups')
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=31536000; includeSubDomains;')
@@ -303,7 +303,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-origin')
     expect(coop).toBeNull()
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBeNull()
     expect(sts).toBe('max-age=31536000; includeSubDomains;')
@@ -341,7 +341,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-origin')
     expect(coop).toBeNull()
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBeNull()
     expect(sts).toBe('max-age=31536000; includeSubDomains;')
@@ -379,7 +379,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBeNull()
     expect(coop).toBe('same-origin')
     expect(coep).toBe('credentialless')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=31536000; includeSubDomains;')
@@ -417,7 +417,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-site')
     expect(coop).toBeNull()
     expect(coep).toBe('credentialless')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=31536000; includeSubDomains;')
@@ -455,7 +455,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('cross-origin')
     expect(coop).toBe('same-origin')
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https:; upgrade-insecure-requests; media-src 'none';")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https:; upgrade-insecure-requests; media-src 'none';")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=1; includeSubDomains; preload;')
@@ -495,7 +495,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-site')
     expect(coop).toBeNull()
     expect(coep).toBe('credentialless')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=2;')
@@ -535,7 +535,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-site')
     expect(coop).toBe('same-origin-allow-popups')
     expect(coep).toBe('credentialless')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer-when-downgrade')
     expect(sts).toBe('max-age=1; preload;')
@@ -576,7 +576,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBeNull()
     expect(coop).toBe('same-origin')
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src https:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self'; upgrade-insecure-requests;")
+    expect(csp).toBe("default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src https:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self'; upgrade-insecure-requests;")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=10; preload;')
@@ -614,7 +614,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     expect(corp).toBe('same-origin')
     expect(coop).toBe('same-origin')
     expect(coep).toBe('require-corp')
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self'; upgrade-insecure-requests; manifest-src 'none';")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self'; upgrade-insecure-requests; manifest-src 'none';")
     expect(oac).toBe('?1')
     expect(rp).toBe('no-referrer')
     expect(sts).toBe('max-age=10; includeSubDomains;')
@@ -662,7 +662,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     const csp = headers.get('content-security-policy')
     const pp = headers.get('permissions-policy')
 
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src blob:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src blob:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     expect(pp).toBe('accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=self, document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), layout-animations=(self), legacy-image-formats=(self), magnetometer=(), microphone=(), midi=(), oversized-images=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), speaker-selection=(), sync-xhr=(self), unoptimized-images=(self), unsized-media=(self), usb=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=()')
   })
 
@@ -958,7 +958,7 @@ describe('[nuxt-security] Per-route Configuration', async () => {
     const { headers } = res
     const csp = headers.get('content-security-policy')
     expect(csp).toBeDefined()
-    expect(csp).toBe("base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
+    expect(csp).toBe("base-uri 'none'; default-src 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; upgrade-insecure-requests;")
     const rp = headers.get('referrer-policy')
     expect(rp).toBeDefined()
     expect(rp).toBe('no-referrer')