From f02eb396db1f6f85552c44354bcab2e0c3916590 Mon Sep 17 00:00:00 2001
From: rygrit
Date: Mon, 30 Mar 2026 20:45:04 +0800
Subject: [PATCH] fix: skip security headers when devtools is active
---
 modules/security-headers.ts | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/modules/security-headers.ts b/modules/security-headers.ts
index 748e5ac6c..8ffc30030 100644
--- a/modules/security-headers.ts
+++ b/modules/security-headers.ts
@@ -20,6 +20,13 @@ import { TRUSTED_IMAGE_DOMAINS } from '#server/utils/image-proxy'
 export default defineNuxtModule({
 meta: { name: 'security-headers' },
 setup(_, nuxt) {
+ const isDevtoolsRuntime =
+ nuxt.options.dev && nuxt.options.devtools !== false && !process.env.TEST
+
+ // Nuxt DevTools relies on injected client assets and an iframe-based UI in dev.
+ // Keep strict CSP/frame restrictions for non-dev environments.
+ if (isDevtoolsRuntime) return
+
 // These assets are embedded directly on blog pages and should not affect image-proxy trust.
 const cspOnlyImgOrigins = ['https://api.star-history.com', 'https://cdn.bsky.app']
 const imgSrc = [
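Review bot: The gate in `isDevtoolsRuntime` fails open: `nuxt.options.devtools !== false` is true when the option is unset and, if this Nuxt version accepts the object form, for `devtools: { enabled: false }`, so a dev server loses the CSP and frame restrictions whether or not DevTools is actually loaded. Tighten it to the cases where DevTools is on, e.g. `nuxt.options.devtools !== false && nuxt.options.devtools?.enabled !== false` (confirm the option's shape for the Nuxt version in use); note too that `!process.env.TEST` treats any non-empty string, including `'0'` or `'false'`, as set. Because the early `return` drops every header instead of relaxing only what the DevTools iframe and injected assets need, CSP violations introduced during development will not surface until a non-dev build; a `console.warn` at the return, or a dev-only relaxation of the specific directives, would keep that visible. The rest of `setup` lies outside the hunk, so which headers are skipped is inferred from the added comment.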