From b0ecb52b59232ba12939c358267faaaa48a05887 Mon Sep 17 00:00:00 2001
From: Ambroise Maupate
Date: Tue, 2 Apr 2024 17:02:31 +0200
Subject: [PATCH] feat: Added configuration example for Permission-Policy and Content-Security-Policy
---
 nuxt.config.ts | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/nuxt.config.ts b/nuxt.config.ts
index 34ecc31..7a500b5 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -70,6 +70,26 @@ export default defineNuxtConfig({
 }),
 ],
 },
+ nitro: {
+ routeRules: {
+ '/**': {
+ headers: {
+ // https://web.dev/articles/floc?hl=fr#can_websites_opt_out_of_being_included_in_the_floc_computation
+ 'Permissions-Policy': 'interest-cohort=()',
+ // Hardening client security policies
+ // https://developer.mozilla.org/fr/docs/Web/HTTP/CSP
+ 'Content-Security-Policy': [
+ // Only allows these iframe origins
+ "frame-src 'self' *.youtube.com *.vimeo.com *.instagram.com *.soundcloud.com",
+ // Only allows these script origins
+ //"script-src 'self' 'unsafe-inline' *.google.com *.googleapis.com *.gstatic.com",
+ // Only allows these images origins
+ //"img-src 'self' 'unsafe-inline' *.googleapis.com *.gstatic.com",
+ ].join('; '),
+ },
+ },
+ },
+ },,
 // https://github.com/nuxt-modules/svg-sprite#options
 svgSprite: {
 input: '~/assets/images/icons',
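Review bot: The last added line of the `nitro` block reads `},,`; a doubled comma is not valid inside an object literal, so as shown `nuxt.config.ts` would fail to parse and the line should be `},`. On the policy itself, only `frame-src` is active, so the header restricts which origins may be framed but places no limit on scripts, objects or base URIs; a comment such as `// NOTE: only frame-src is enforced here; the script-src/img-src lines below are disabled examples` would keep readers from assuming this CSP mitigates XSS. If the commented `script-src` example is ever enabled, its `'unsafe-inline'` removes most of the protection that directive gives against injected inline script, and `'unsafe-inline'` has no meaning in `img-src`, so both examples are worth tightening before anyone copies them. The enclosing `defineNuxtConfig({ … })` call starts and ends outside the hunk.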