Tighten CSP (object-src) and Permissions-Policy; allow Vercel Analytics origin

[lwwmanning]

Summary

• CSP object-src 'none' — explicitly deny <object>, <embed>, <applet> content. The site doesn't use any of these; this is a free defensive directive.
• CSP script-src adds va.vercel-scripts.com — @vercel/analytics v2 loads its bootstrap script from this origin. Without an explicit allow, the script is blocked by CSP and analytics events stop reaching vitals.vercel-insights.com.
• Permissions-Policy expanded — adds gyroscope=(), usb=(), magnetometer=(), accelerometer=() alongside the existing camera/microphone/geolocation/payment denials. None of these APIs are used by the site; broader denial reduces the risk surface if a third-party script is ever introduced.

No behavioral change to first-party flows. Plausible analytics, the WebGL hero, and the velite blog all continue to work under the existing 'self' 'unsafe-inline' plausible.io script policy. The new Function() eval in MDXRenderer runs server-side, so 'unsafe-eval' remains correctly absent.

Test plan

• CI green (verify.ts + lint + build + typecheck)
• Vercel preview: load /, /blog, /blog/<slug>, /404 with DevTools open — no CSP violations in console
• Vercel preview: Vercel Analytics events succeed (DevTools → Network → request to vitals.vercel-insights.com returns 200)
• curl -sI <preview-url>/ shows the new Permissions-Policy directives and object-src 'none' in the CSP header

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
vortex	Ready	Preview, Comment	May 4, 2026 6:29pm