fix(nginx,csp): use absolute URLs in blog rewrites, add unsafe-eval to CSP

Nginx rewrite with relative $1 appends :8443 port. Use full domain URLs.
Add 'unsafe-eval' to CSP script-src for @unhead/vue compatibility.

Author: mephistofox

configs/nginx.example.conf

@@ -102,7 +102,7 @@ server {
 
     # /en/blog/* → strip prefix, stay on fxtun.dev
     location /en/blog/ {
-        rewrite ^/en(/blog/.*)$ $1 redirect;
+        rewrite ^/en(/blog/.*)$ https://fxtun.dev$1 redirect;
     }
     location = /en/blog {
         return 302 https://fxtun.dev/blog/;

internal/api/middleware_security.go

@@ -7,7 +7,7 @@ func securityHeadersMiddleware(next http.Handler) http.Handler {
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("X-Frame-Options", "DENY")
 		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
-		w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-ancestors 'none'")
+		w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-ancestors 'none'")
 		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 		w.Header().Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
 		next.ServeHTTP(w, r)