feat(csp): flag missing base-uri directive #51

Open
dmchaledev wants to merge 1 commit into main from claude/nice-mendel-St40j

feat(csp): flag missing base-uri directive#51
dmchaledev wants to merge 1 commit into
mainfrom
claude/nice-mendel-St40j

Conversation

@dmchaledev
Contributor

Summary

  • base-uri does not inherit from default-src (same gap as form-action, which is already checked), so its absence silently leaves <base> injection unrestricted
  • An attacker who can inject a <base href="…"> element can redirect relative nonce sources to a controlled host, bypassing nonce-based CSP
  • Added a −2 point deduction + finding/recommendation for missing base-uri, matching the style of the existing form-action check
  • Full CSP score (20/30) now requires default-src, form-action, and base-uri to be explicitly set

What changed

src/rules.ts — after the form-action check in checkCSP, added:

```ts
// src/rules.ts, inside checkCSP, immediately after the form-action check
if (extractCspDirective(raw, 'base-uri') === undefined) {
  score -= 2;
  findings.push("No base-uri directive — <base> injection can redirect relative nonce sources (base-uri does not inherit from default-src)");
  recommendations.push("Add base-uri 'self' or base-uri 'none' to prevent <base> injection");
}
```

test/analyzer.test.ts — updated score assertions for existing tests affected by the new deduction, and added three dedicated base-uri test cases.

Test plan

  • npx vitest run — all 82 tests pass (3 new tests added)
  • Verify base-uri 'none' and base-uri 'self' both satisfy the check (no finding, score 20)
  • Verify a CSP without base-uri emits the finding and loses 2 points
  • Verify grade A+ still achievable with a fully-specified CSP (default-src, form-action, base-uri)

https://claude.ai/code/session_01JH6HiZVtPYVDWeankB34ng


Generated by Claude Code
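The inheritance gap the summary relies on, as an added example rather than code from this PR or from the project's src/rules.ts: a small parser that models which directives fall back to default-src (base-uri does not), plus a base-uri check in the same shape as the one added here. parseCsp, effectiveSources and checkBaseUri are hypothetical names, and the starting score is passed in by the caller.

```typescript
// Added example; not code from this PR or from the project's src/rules.ts.
// parseCsp, effectiveSources and checkBaseUri are hypothetical names.

// Fetch directives fall back to default-src when absent. base-uri and
// form-action are document/navigation directives and do NOT fall back.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

// "default-src 'self'; base-uri 'none'" -> Map { default-src => ["'self'"], base-uri => ["'none'"] }
// Directive names are case-insensitive; the first occurrence of a name wins
// and later duplicates are ignored, as the CSP spec requires.
export function parseCsp(raw: string): Map<string, string[]> {
  const policy = new Map<string, string[]>();
  for (const part of raw.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    const name = tokens.shift()?.toLowerCase();
    if (!name || policy.has(name)) continue;
    policy.set(name, tokens);
  }
  return policy;
}

// Sources that actually govern `directive` once default-src fallback is
// applied. undefined means the policy leaves that directive unrestricted.
export function effectiveSources(raw: string, directive: string): string[] | undefined {
  const policy = parseCsp(raw);
  const name = directive.toLowerCase();
  const explicit = policy.get(name);
  if (explicit !== undefined) return explicit;
  return FETCH_DIRECTIVES.has(name) ? policy.get('default-src') : undefined;
}

// The check this PR adds: an unrestricted base-uri costs 2 points and
// produces a finding plus a recommendation. `score` is the running CSP score
// (the PR's full score of 20 is assumed here as the caller's starting value).
export function checkBaseUri(
  raw: string,
  score: number,
): { score: number; findings: string[]; recommendations: string[] } {
  const findings: string[] = [];
  const recommendations: string[] = [];
  if (effectiveSources(raw, 'base-uri') === undefined) {
    score -= 2;
    findings.push('No base-uri directive: <base> injection can redirect relative nonce sources');
    recommendations.push("Add base-uri 'self' or base-uri 'none'");
  }
  return { score, findings, recommendations };
}
```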

base-uri does not inherit from default-src, so its absence leaves
<base> injection unrestricted — an attacker who can inject a <base>
element can redirect relative nonce sources to a controlled host.
This is the same class of gap as the existing form-action check.

Deducts 2 points and emits a recommendation; full score (20/30) now
requires default-src, form-action, and base-uri to all be present.
Tests updated and three new base-uri-specific cases added.

https://claude.ai/code/session_01JH6HiZVtPYVDWeankB34ng