Investigate if it is possible to use this module with SSG #108
Comments
|
Hi, you could also implement CSP in SSG via meta tag - https://content-security-policy.com/examples/meta/. There, you can also define a sha256 hash for inline scripts. I think that you need it if you for example use https://github.com/vueuse/schema-org/tree/main/packages/nuxt. Example: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' *.google-analytics.com *.analytics.google.com stats.g.doubleclick.net; script-src 'self' *.google-analytics.com *.ampproject.org www.googletagmanager.com www.redditstatic.com www.googleadservices.com 'sha256-kpa1ugj9EicdENqcCozHJu12UuciKaOUQ9lbocqkiMk=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; style-src 'self' 'unsafe-inline'; img-src * data:; frame-src 'self' youtube.com">We can implement that by creating a nitro plugin, where we can use @pi0 or @danielroe |
|
Using render:html / render:response is good idea 👍🏼 You can inject csp config using runtimeConfig to the plugin |
|
Thank you. It works. What do you think about this approach @Baroshem |
|
You can also check the nitro plugin that I have developed for this module for removing the XPoweredBy Header |
|
Sure, I will take a look. I have developed something similar for my company. I will open a PR with proof of concept and then we can collaborate :) |
Is your feature request related to a problem? Please describe.
Technically it should be doable by creating a nitro plugin that would create custom headers of SSG apps. So the middlewares would not work, but only the headers should work then.
Describe the solution you'd like
Describe alternatives you've considered
Additional context
The text was updated successfully, but these errors were encountered: