jekyll-content-security-policy-generator 1.6.1 → 1.6.10

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f8e466efa24dc267fb4838ef7330f763d1285cb940b2e43f7b02915d1a1a864f
4
- data.tar.gz: 7ad7db2677f878606cb062ed1b75f81c327027e158a9fccfba56c39cfcc7310b
3
+ metadata.gz: d4c60e7eb8da0e545f4b95bdebd2868b4d8f9bfa9f07352ae549349eb389dcfb
4
+ data.tar.gz: e8322faa009accd48954b155182d06101900ca709985deb5b6c68ff711b5af7a
5
5
  SHA512:
6
- metadata.gz: 5f6fd3f8937956dd53e4a7cb3ad2f733bbb46abb8b5eb855ac6a8b3c6ef287353c7e707de4ebe6f8ee5a1830b7489b2aaecccbdad359ce5eb1485983a9a5cbf3
7
- data.tar.gz: 76cc86776a4dc159939aefb2f774ffbee23d351d752f52f0a75fa3ee2350395fab98f498af5040450eb0d91bf294f1a8a05392961294fe3abf408f6bcc40f645
6
+ metadata.gz: a77bae14674eb6cf7d3aba4c5f5e20673d47de36347eab7723d1502320dca614da472cf2d4ad64345e4d7c218427de46a27b088b02e120aa09024a50f36ee8a0
7
+ data.tar.gz: f502a9cf7ec9b92fca5de81dcd4c493c2e837cad2a58d749a889007879e17a6578e713dfcb57a1e121103a519d52d1b0506549a399de791bd92cb1633f1134a9
data/Cover.png ADDED
Binary file
data/README.md CHANGED
@@ -1,5 +1,7 @@
1
1
  # jekyll-content-security-policy-generator Plugin
2
2
 
3
+ ![Jekyll Image Cover](Cover.png)
4
+
3
5
  This Jekyll plugin automatically builds an HTML content-security-policy for a Jekyll site. The plugin
4
6
  will scan ```.html``` files generated by Jekyll and attempt to locate images, styles, scripts, frames etc and build a
5
7
  content security policy HTML meta tag. The script will also generate SHA256 hashes for inline scripts and styles. If
@@ -21,15 +23,40 @@ To speed up development of Jekyll based sites whilst also helping to generate se
21
23
 
22
24
  ## Installation
23
25
 
24
- Install the gem:
26
+ Add the plugin your Gemfile within the jekyll_plugins group:
27
+
28
+ ```
29
+ group :jekyll_plugins do
30
+ gem 'jekyll-content-security-policy-generator'
31
+ ... other gem files
32
+ end
33
+ ```
34
+
35
+ Then install
36
+
37
+ ```
38
+ bundle install
39
+ ```
40
+
41
+ ## Nokogiri Error on Mac?
42
+
43
+ For some reason, Nokogiri will install with both the ARM (M1) and x86 variants which will confuse bundler. Best way I found to fix this was to open the Gemfile.lock and remove the:
44
+
45
+ ```
46
+ nokogiri (1.11.3-arm64-darwin)
47
+ racc (~> 1.4)
48
+ ```
25
49
 
26
- ```gem install jekyll-content-security-policy-generator```
50
+ Or the x86 if you have an M1 mac.
27
51
 
28
- Then add this to your _config.yml:
52
+ Alternatively, you can add ```nokogiri``` to your Gemfile, like so:
29
53
 
30
54
  ```
31
- plugins:
32
- - jekyll-content-security-policy-generator
55
+ group :jekyll_plugins do
56
+ gem 'nokogiri'
57
+ gem 'jekyll-content-security-policy-generator'
58
+ ... other gem files
59
+ end
33
60
  ```
34
61
 
35
62
  ## Support
@@ -1,10 +1,15 @@
1
1
  lib = File.expand_path("../lib", __FILE__)
2
+
2
3
  $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
3
4
  require "jekyll-content-security-policy-generator/version"
5
+
4
6
  Gem::Specification.new do |spec|
5
7
  spec.name = "jekyll-content-security-policy-generator"
6
8
  spec.summary = "Helps generate a content security policy."
7
- spec.description = "Helps generate a content security policy. Locates inline scripts, images, frames etc."
9
+ spec.description = "Will generate a content-security-policy based on images, scripts, stylesheets, frames and"\
10
+ "others on each generated page. This script assumes that all your linked resources as 'safe'."\
11
+ "Style attributes will also be converted into <style> elements and SHA256 hashes will be"\
12
+ "generated for inline styles/scripts."
8
13
  spec.version = JekyllContentSecurityPolicyGenerator::VERSION
9
14
  spec.authors = ["strongscot"]
10
15
  spec.email = ["mail@strongscot.com"]
@@ -12,11 +17,10 @@ Gem::Specification.new do |spec|
12
17
  spec.licenses = ["MIT"]
13
18
  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r!^(test|spec|features)/!) }
14
19
  spec.require_paths = ["lib"]
15
- spec.add_dependency "jekyll"
16
-
17
- spec.add_development_dependency "rake"
18
- spec.add_development_dependency "nokogiri"
19
- spec.add_development_dependency "digest"
20
- spec.add_development_dependency "rspec"
21
- spec.add_development_dependency "rubocop"
20
+ spec.add_dependency 'jekyll'
21
+ spec.add_dependency 'digest'
22
+ spec.add_dependency 'nokogiri'
23
+ spec.add_development_dependency 'rake'
24
+ spec.add_development_dependency 'rspec'
25
+ spec.add_development_dependency 'rubocop'
22
26
  end
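Review bot: The new `spec.description` in the first hunk is assembled from four adjacent string literals joined with `\` continuations and none of the first three ends in a space, so the resulting text reads "frames andothers", "'safe'.Style" and "will begenerated" — exactly what the regenerated `metadata` file further down this diff now shows. Ending each continued literal with a trailing space fixes it, e.g. `"Will generate a content-security-policy based on images, scripts, stylesheets, frames and "\`, or the whole description can be a `<<~DESC` heredoc so the line breaks are not a concern at all. While touching it, "assumes that all your linked resources as 'safe'" is missing a verb; something like "treats all linked resources as safe" states the trust model more plainly for anyone deciding whether to adopt the plugin.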
@@ -2,6 +2,7 @@ require 'jekyll'
2
2
  require 'nokogiri'
3
3
  require 'digest'
4
4
  require 'open-uri'
5
+ require 'uri'
5
6
 
6
7
  ##
7
8
  # Provides the ability to generate a content security policy for inline scripts and styles.
@@ -30,11 +31,19 @@ module Jekyll
30
31
  def generate_convert_security_policy_meta_tag
31
32
  meta_content = ""
32
33
 
34
+ @csp_script_src = @csp_script_src.uniq
35
+ @csp_image_src = @csp_image_src.uniq
36
+ @csp_style_src = @csp_style_src.uniq
37
+ @csp_script_src = @csp_script_src.uniq
38
+ @csp_unknown = @csp_unknown.uniq
39
+
33
40
  if @csp_frame_src.length > 0
41
+ @csp_script_src.uniq
34
42
  meta_content += "frame-src " + @csp_frame_src.join(' ') + '; '
35
43
  end
36
44
 
37
45
  if @csp_image_src.length > 0
46
+ Jekyll.logger.warn @csp_image_src
38
47
  meta_content += "img-src " + @csp_image_src.join(' ') + '; '
39
48
  end
40
49
 
@@ -55,10 +64,10 @@ module Jekyll
55
64
  end
56
65
 
57
66
  if @nokogiri.at("head")
58
- Jekyll.logger.info "Generated content security policy, inserted in HEAD."
67
+ #Jekyll.logger.info "Generated content security policy, inserted in HEAD."
59
68
  @nokogiri.at("head") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
60
69
  elsif @nokogiri.at("body")
61
- Jekyll.logger.info "Generated content security policy, inserted in BODY."
70
+ #Jekyll.logger.info "Generated content security policy, inserted in BODY."
62
71
  @nokogiri.at("body") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
63
72
  else
64
73
  Jekyll.logger.error "Generated content security policy but found no-where to insert it."
@@ -84,16 +93,12 @@ module Jekyll
84
93
 
85
94
  if policy_parts[0] == 'script-src'
86
95
  @csp_script_src.concat(policy_parts.drop(1))
87
- @csp_script_src = @csp_script_src.uniq
88
96
  elsif policy_parts[0] == 'style-src'
89
97
  @csp_style_src.concat(policy_parts.drop(1))
90
- @csp_style_src = @csp_style_src.uniq
91
98
  elsif policy_parts[0] == 'image-src'
92
99
  @csp_image_src.concat(policy_parts.drop(1))
93
- @csp_image_src = @csp_image_src.uniq
94
100
  elsif policy_parts[0] == 'frame-src'
95
101
  @csp_frame_src.concat(policy_parts.drop(1))
96
- @csp_frame_src = @csp_frame_src.uniq
97
102
  else
98
103
  @csp_unknown.concat([policy_parts])
99
104
  end
@@ -124,11 +129,11 @@ module Jekyll
124
129
 
125
130
  if @nokogiri.at('head')
126
131
  @nokogiri.at('head') << new_element
127
- Jekyll.logger.info'Converting style attribute to inline style, inserted into HEAD.'
132
+ #Jekyll.logger.info'Converting style attribute to inline style, inserted into HEAD.'
128
133
  else
129
134
  if @nokogiri.at('body')
130
135
  @nokogiri.at('body') << new_element
131
- Jekyll.logger.info'Converting style attribute to inline style, inserted into BODY.'
136
+ #Jekyll.logger.info'Converting style attribute to inline style, inserted into BODY.'
132
137
  else
133
138
  Jekyll.logger.warn'Unable to convert style attribute to inline style, no HEAD or BODY found.'
134
139
  end
@@ -147,6 +152,19 @@ module Jekyll
147
152
  @csp_image_src.push find_src.match(/(.*\/)+(.*$)/)[1]
148
153
  end
149
154
  end
155
+
156
+ @nokogiri.css('style').each do |find|
157
+ finds = find.content.scan(/url\(([^\)]+)\)/)
158
+
159
+ finds.each do |innerFind|
160
+ innerFind = innerFind[0]
161
+ innerFind = innerFind.tr('\'"', '')
162
+ if innerFind.start_with?('http', 'https')
163
+ @csp_image_src.push self.get_domain(innerFind)
164
+ end
165
+ end
166
+ end
167
+
150
168
  end
151
169
 
152
170
  ##
@@ -195,6 +213,11 @@ module Jekyll
195
213
  end
196
214
  end
197
215
 
216
+ def get_domain(url)
217
+ uri = URI.parse(url)
218
+ "#{uri.scheme}://#{uri.host}"
219
+ end
220
+
198
221
  ##
199
222
  # Generate a content hash
200
223
  def generate_sha256_content_hash(content)
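Review bot: `get_domain` in the last hunk calls `URI.parse(url)` with no rescue, so a single malformed `url(...)` value scraped from a `<style>` block raises `URI::InvalidURIError` and aborts the whole site build, and the returned `"#{uri.scheme}://#{uri.host}"` drops an explicit port, so a resource served on a non-default port gets a source expression the browser's CSP matcher will not accept and that image is blocked. I would have the method return nil for unparsable or host-less values, keep a non-default port, and have the caller added under `@nokogiri.css('style')` push only non-nil results. In the `uniq` block added near the top of this section, `@csp_script_src = @csp_script_src.uniq` appears twice while `@csp_frame_src` is never deduplicated (its per-concat `uniq` is removed later in this diff), and the bare `@csp_script_src.uniq` inside the frame-src branch discards its result. The `Jekyll.logger.warn @csp_image_src` line looks like leftover debugging and will print the full image source list at warn level for every generated page.
```ruby
# … unchanged: style-tag scan up to the start_with? check …
if innerFind.start_with?('http', 'https')
  domain = self.get_domain(innerFind)
  @csp_image_src.push domain if domain
end
# … unchanged: remainder of the scan and the following methods …

# Reduce a URL to the scheme://host[:port] origin used as a CSP source.
# Returns nil when the value cannot be parsed or has no scheme/host.
def get_domain(url)
  uri = URI.parse(url)
  return nil unless uri.scheme && uri.host
  # keep an explicit non-default port so the CSP source matches the resource
  port = uri.port && uri.port != uri.default_port ? ":#{uri.port}" : ''
  "#{uri.scheme}://#{uri.host}#{port}"
rescue URI::InvalidURIError
  nil
end
```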
@@ -1,3 +1,3 @@
1
1
  module JekyllContentSecurityPolicyGenerator
2
- VERSION = "1.6.1".freeze
2
+ VERSION = "1.6.10".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: jekyll-content-security-policy-generator
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.6.1
4
+ version: 1.6.10
5
5
  platform: ruby
6
6
  authors:
7
7
  - strongscot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-04-11 00:00:00.000000000 Z
11
+ date: 2021-04-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: jekyll
@@ -25,13 +25,13 @@ dependencies:
25
25
  - !ruby/object:Gem::Version
26
26
  version: '0'
27
27
  - !ruby/object:Gem::Dependency
28
- name: rake
28
+ name: digest
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - ">="
32
32
  - !ruby/object:Gem::Version
33
33
  version: '0'
34
- type: :development
34
+ type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
@@ -45,7 +45,7 @@ dependencies:
45
45
  - - ">="
46
46
  - !ruby/object:Gem::Version
47
47
  version: '0'
48
- type: :development
48
+ type: :runtime
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
@@ -53,7 +53,7 @@ dependencies:
53
53
  - !ruby/object:Gem::Version
54
54
  version: '0'
55
55
  - !ruby/object:Gem::Dependency
56
- name: digest
56
+ name: rake
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
59
  - - ">="
@@ -94,8 +94,10 @@ dependencies:
94
94
  - - ">="
95
95
  - !ruby/object:Gem::Version
96
96
  version: '0'
97
- description: Helps generate a content security policy. Locates inline scripts, images,
98
- frames etc.
97
+ description: Will generate a content-security-policy based on images, scripts, stylesheets,
98
+ frames andothers on each generated page. This script assumes that all your linked
99
+ resources as 'safe'.Style attributes will also be converted into <style> elements
100
+ and SHA256 hashes will begenerated for inline styles/scripts.
99
101
  email:
100
102
  - mail@strongscot.com
101
103
  executables: []
@@ -103,6 +105,7 @@ extensions: []
103
105
  extra_rdoc_files: []
104
106
  files:
105
107
  - ".gitignore"
108
+ - Cover.png
106
109
  - LICENSE
107
110
  - Makefile
108
111
  - README.md