prefer explicit CSP directives

docs/content/1.documentation/1.getting-started/2.configuration.md

@@ -45,15 +45,21 @@ security: {
     crossOriginEmbedderPolicy: 'require-corp',
     contentSecurityPolicy: {
       'base-uri': ["'none'"],
-      'default-src': ["'self'"],
+      'default-src' : ["'none'"],
       'connect-src': ["'self'", 'https:'],
       'font-src': ["'self'", 'https:', 'data:'],
+      'form-action': ["'self'"],
+      'frame-ancestors': ["'self'"],
+      'frame-src': ["'self'"],
       'img-src': ["'self'", 'data:'],
+      'manifest-src': ["'self'"],
+      'media-src': ["'self'"],
       'object-src': ["'none'"],
       'script-src-attr': ["'none'"],
       'style-src': ["'self'", 'https:', "'unsafe-inline'"],
       'script-src': ["'self'", 'https:', "'unsafe-inline'", "'strict-dynamic'", "'nonce-{{nonce}}'"],
-      'upgrade-insecure-requests': true
+      'upgrade-insecure-requests': true,
+      'worker-src': ["'self'"],
     },
     originAgentCluster: '?1',
     referrerPolicy: 'no-referrer',

docs/content/1.documentation/2.headers/1.csp.md

@@ -45,7 +45,7 @@ You can also disable this header by `contentSecurityPolicy: false`.
 By default, Nuxt Security will set following value for this header:
 
 ```http
-Content-Security-Policy: base-uri 'none'; default-src 'self'; connect-src 'self', https:; font-src 'self' https: data:; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-{{nonce}}'; upgrade-insecure-requests;
+Content-Security-Policy: base-uri 'none'; default-src 'none'; connect-src 'self' https:; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-{{nonce}}'; upgrade-insecure-requests; worker-src 'self';
 ```
 
 ## Available values

docs/nuxt.config.ts

@@ -16,8 +16,12 @@ export default defineNuxtConfig({
     headers: {
       contentSecurityPolicy: {
         'img-src': ["'self'", "data:", 'https:'], // Allow https: external images
-        'connect-src': process.env.NODE_ENV === 'development' ? ["'self'", 'https:', 'ws:'] : ["'self'", 'https:'], // Allow self and image api
-        'frame-src': ['https://www.youtube-nocookie.com', 'https://stackblitz.com'], // Allow self and youtube and stackblitz iframes
+        'connect-src': process.env.NODE_ENV === 'development' ? ["'self'", 'https:', 'ws:'] : ["'self'", 'https:'], // Allow websocket in dev mode
+        'frame-src': ['https://www.youtube-nocookie.com', 'https://stackblitz.com'], // Allow youtube and stackblitz iframes
+      },
+      permissionsPolicy: {
+        "picture-in-picture": ['self', '"https://www.youtube-nocookie.com"'], // Allow picture-in-picture for youtube
+        "fullscreen": ['self', '"https://www.youtube-nocookie.com"'], // Allow fullscreen for youtube
       },
       crossOriginEmbedderPolicy: 'unsafe-none', // Allow youtube and stackblitz iframes
     }

src/defaultConfig.ts

@@ -9,15 +9,21 @@ export const defaultSecurityConfig = (serverlUrl: string): ModuleOptions => ({
     crossOriginEmbedderPolicy: 'require-corp',
     contentSecurityPolicy: {
       'base-uri': ["'none'"],
-      'default-src' : ["'self'"],
+      'default-src' : ["'none'"],
       'connect-src': ["'self'", 'https:'],
       'font-src': ["'self'", 'https:', 'data:'],
+      'form-action': ["'self'"],
+      'frame-ancestors': ["'self'"],
+      'frame-src': ["'self'"],
       'img-src': ["'self'", 'data:'],
+      'manifest-src': ["'self'"],
+      'media-src': ["'self'"],
       'object-src': ["'none'"],
       'script-src-attr': ["'none'"],
       'style-src': ["'self'", 'https:', "'unsafe-inline'"],
       'script-src': ["'self'", 'https:', "'unsafe-inline'", "'strict-dynamic'", "'nonce-{{nonce}}'"],
-      'upgrade-insecure-requests': true
+      'upgrade-insecure-requests': true,
+      'worker-src': ["'self'"],
     },
     originAgentCluster: '?1',
     referrerPolicy: 'no-referrer',

test/headers.test.ts

@@ -37,7 +37,7 @@ describe('[nuxt-security] Headers', async () => {
     expect(cspHeaderValue).toBeTruthy()
     expect(nonceValue).toBeDefined()
     expect(nonceValue).toHaveLength(24)
-    expect(cspHeaderValue).toBe(`base-uri 'none'; default-src 'self'; connect-src 'self' https:; font-src 'self' https: data:; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-${nonceValue}'; upgrade-insecure-requests;`)
+    expect(cspHeaderValue).toBe(`base-uri 'none'; default-src 'none'; connect-src 'self' https:; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-${nonceValue}'; upgrade-insecure-requests; worker-src 'self';`)
   })
 
   it('has `cross-origin-embedder-policy` header set with correct default value', async () => {