jekyll-content-security-policy-generator 1.6.2 → 1.6.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dc3017347d7d66db1c62f2b30d65b65ecdda0977d08c608d4d32ae8e44029160
-  data.tar.gz: d0ae7507c626512b6b7dfaf965416eda4f1bec47528f12b424700eda462919b4
+  metadata.gz: 2033feca49aeb4a10933f1c7fd8f628b3053030c3e89017f4eff63e716a74afc
+  data.tar.gz: c0ec4dd232b0fa6daad0e73ca20bbd7b69b6ff6738620329b55a66f6ba748faf
 SHA512:
-  metadata.gz: c4bdaa964ad16cf409231e5c1f7a4cf70aba062a65329ccb2763883963c505330167409f918cbbc2fe1c2b7c3c8da7f9a028afd6cdd80bba247763ce28946166
-  data.tar.gz: efa5b000702d5fee29b8419a802fa681b68ada12bca097f5f57e1339227a5707477782aeb245e3ed7817b83ef1d43338f436535b07603cec23d5326274d9ad71
+  metadata.gz: 65f682c0f7d2b5c8e59918e3a93afb4c2f53ea3c933a860a52aec44325a931cf236d09ff900f3c4d2ad97889d10bc13a6d568710ba363364191de3a5e4b3a699
+  data.tar.gz: fbdbd9a95672881e602c0445a1030754cfdca0eefc7c931ecb09903250da3cadf6a95e6f9d87c83ac7091392f9ed9978b821a8b5ea561bf60f0811a97f12cb46

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

data/README.md

@@ -1,5 +1,7 @@
 # jekyll-content-security-policy-generator Plugin
 
+![Jekyll Image Cover](Cover.png)
+
 This Jekyll plugin automatically builds an HTML content-security-policy for a Jekyll site. The plugin
 will scan ```.html``` files generated by Jekyll and attempt to locate images, styles, scripts, frames etc and build a
 content security policy HTML meta tag. The script will also generate SHA256 hashes for inline scripts and styles. If
@@ -18,18 +20,51 @@ To speed up development of Jekyll based sites whilst also helping to generate se
 * Creates or reuses an HTTP meta tag for the content security policy.
 * Finds all images, styles, scripts and frames with external URLs and builds CSP.
 * Converts style attributes into ```<style>``` elements.
+* If a page already has a content-security-policy tag, (such as your index.html file), the script will reuse it.
+* Image URLs such as https://strongscot.com/images/logo.svg will have a rule such as https://strongscot.com/images/
+
+## Upcoming Features
+
+* Ability to specify how lax the domain rules can be. For example, ```https://strongscot.com/images/logo.svg``` would be converted to
+```https://strongscot.com/images/``` under strict and ```https://strongscot.com``` under relaxed.
+* Ability in site.yaml file to specify what files it should parse, at the moment its only ```.html```.
 
 ## Installation
 
-Install the gem:
+Add the plugin your Gemfile within the jekyll_plugins group:
+
+```
+group :jekyll_plugins do
+  gem 'jekyll-content-security-policy-generator'
+  ... other gem files
+end
+```
+
+Then install
+
+```
+bundle install
+```
+
+## Nokogiri Error on Mac?
+
+For some reason, Nokogiri will install with both the ARM (M1) and x86 variants which will confuse bundler. Best way I found to fix this was to open the Gemfile.lock and remove the:
+
+```
+nokogiri (1.11.3-arm64-darwin)
+  racc (~> 1.4)
+```
 
-```gem install jekyll-content-security-policy-generator```
+Or the x86 if you have an M1 mac.
 
-Then add this to your _config.yml:
+Alternatively, you can add ```nokogiri``` to your Gemfile, like so:
 
 ```
-plugins:
-  - jekyll-content-security-policy-generator
+group :jekyll_plugins do
+  gem 'nokogiri'
+  gem 'jekyll-content-security-policy-generator'
+  ... other gem files
+end
 ```
 
 ## Support

data/jekyll-content-security-policy-generator.gemspec

@@ -1,10 +1,15 @@
 lib = File.expand_path("../lib", __FILE__)
+
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "jekyll-content-security-policy-generator/version"
+
 Gem::Specification.new do |spec|
   spec.name          = "jekyll-content-security-policy-generator"
   spec.summary       = "Helps generate a content security policy."
-  spec.description   = "Helps generate a content security policy. Locates inline scripts, images, frames etc."
+  spec.description   = "Will generate a content-security-policy based on images, scripts, stylesheets, frames and"\
+                       "others on each generated page. This script assumes that all your linked resources as 'safe'."\
+                       "Style attributes will also be converted into <style> elements and SHA256 hashes will be"\
+                       "generated for inline styles/scripts."
   spec.version       = JekyllContentSecurityPolicyGenerator::VERSION
   spec.authors       = ["strongscot"]
   spec.email         = ["mail@strongscot.com"]
@@ -12,12 +17,10 @@ Gem::Specification.new do |spec|
   spec.licenses      = ["MIT"]
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r!^(test|spec|features)/!)  }
   spec.require_paths = ["lib"]
-  spec.add_dependency "jekyll"
-  spec.add_dependency "nokogiri"
-  spec.add_dependency "digest"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec"
-  spec.add_development_dependency "rubocop"
-  spec.add_development_dependency "nokogiri"
-  spec.add_development_dependency "digest"
+  spec.add_dependency 'jekyll'
+  spec.add_dependency 'digest'
+  spec.add_dependency 'nokogiri'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop'
 end

data/lib/jekyll-content-security-policy-generator/hook.rb

@@ -2,6 +2,7 @@ require 'jekyll'
 require 'nokogiri'
 require 'digest'
 require 'open-uri'
+require 'uri'
 
 ##
 # Provides the ability to generate a content security policy for inline scripts and styles.
@@ -30,11 +31,19 @@ module Jekyll
       def generate_convert_security_policy_meta_tag
         meta_content = ""
 
+        @csp_script_src = @csp_script_src.uniq
+        @csp_image_src = @csp_image_src.uniq
+        @csp_style_src = @csp_style_src.uniq
+        @csp_script_src = @csp_script_src.uniq
+        @csp_unknown = @csp_unknown.uniq
+
         if @csp_frame_src.length > 0
+          @csp_script_src.uniq
           meta_content += "frame-src " + @csp_frame_src.join(' ') + '; '
         end
 
         if @csp_image_src.length > 0
+          Jekyll.logger.warn @csp_image_src
           meta_content += "img-src " + @csp_image_src.join(' ') + '; '
         end
 
@@ -55,10 +64,10 @@ module Jekyll
         end
 
         if @nokogiri.at("head")
-          Jekyll.logger.info "Generated content security policy, inserted in HEAD."
+          #Jekyll.logger.info "Generated content security policy, inserted in HEAD."
           @nokogiri.at("head") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
         elsif @nokogiri.at("body")
-          Jekyll.logger.info "Generated content security policy, inserted in BODY."
+          #Jekyll.logger.info "Generated content security policy, inserted in BODY."
           @nokogiri.at("body") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
         else
           Jekyll.logger.error "Generated content security policy but found no-where to insert it."
@@ -84,16 +93,12 @@ module Jekyll
 
               if policy_parts[0] == 'script-src'
                 @csp_script_src.concat(policy_parts.drop(1))
-                @csp_script_src = @csp_script_src.uniq
               elsif policy_parts[0] == 'style-src'
                 @csp_style_src.concat(policy_parts.drop(1))
-                @csp_style_src = @csp_style_src.uniq
-              elsif policy_parts[0] == 'image-src'
+              elsif policy_parts[0] == 'img-src'
                 @csp_image_src.concat(policy_parts.drop(1))
-                @csp_image_src = @csp_image_src.uniq
               elsif policy_parts[0] == 'frame-src'
                 @csp_frame_src.concat(policy_parts.drop(1))
-                @csp_frame_src = @csp_frame_src.uniq
               else
                 @csp_unknown.concat([policy_parts])
               end
@@ -102,6 +107,10 @@ module Jekyll
               Jekyll.logger.warn "Incorrect existing content security policy meta tag found, skipping."
             end
           end
+
+          @nokogiri.search('meta[http-equiv="Content-Security-Policy"]').each do |el|
+            el.remove
+          end
         end
       end
 
@@ -115,7 +124,8 @@ module Jekyll
             if find.attr('id')
               element_id = find.attr('id')
             else
-              element_id = Digest::MD5.hexdigest find_src + "#{Random.rand(11)}"
+              hash = Digest::MD5.hexdigest find_src + "#{Random.rand(11)}"
+              element_id = "csp-gen-" + hash
               find["id"] = element_id
             end
 
@@ -124,11 +134,11 @@ module Jekyll
 
             if @nokogiri.at('head')
               @nokogiri.at('head') << new_element
-              Jekyll.logger.info'Converting style attribute to inline style, inserted into HEAD.'
+              #Jekyll.logger.info'Converting style attribute to inline style, inserted into HEAD.'
             else
               if @nokogiri.at('body')
                 @nokogiri.at('body') << new_element
-                Jekyll.logger.info'Converting style attribute to inline style, inserted into BODY.'
+                #Jekyll.logger.info'Converting style attribute to inline style, inserted into BODY.'
               else
                 Jekyll.logger.warn'Unable to convert style attribute to inline style, no HEAD or BODY found.'
               end
@@ -143,10 +153,23 @@ module Jekyll
         @nokogiri.css('img').each do |find|
           find_src = find.attr('src')
 
-          if find_src.start_with?('http', 'https')
+          if find_src and find_src.start_with?('http', 'https')
             @csp_image_src.push find_src.match(/(.*\/)+(.*$)/)[1]
           end
         end
+
+        @nokogiri.css('style').each do |find|
+          finds = find.content.scan(/url\(([^\)]+)\)/)
+
+          finds.each do |innerFind|
+            innerFind = innerFind[0]
+            innerFind = innerFind.tr('\'"', '')
+            if innerFind.start_with?('http', 'https')
+              @csp_image_src.push self.get_domain(innerFind)
+            end
+          end
+        end
+
       end
 
       ##
@@ -156,7 +179,7 @@ module Jekyll
           if find.attr('src')
             find_src = find.attr('src')
 
-            if find_src.start_with?('http', 'https')
+            if find_src and find_src.start_with?('http', 'https')
               @csp_script_src.push find_src.match(/(.*\/)+(.*$)/)[1]
             end
 
@@ -173,7 +196,7 @@ module Jekyll
           if find.attr('src')
             find_src = find.attr('src')
 
-            if find_src.start_with?('http', 'https')
+            if find_src and find_src.start_with?('http', 'https')
               @csp_style_src.push find_src.match(/(.*\/)+(.*$)/)[1]
             end
 
@@ -189,12 +212,17 @@ module Jekyll
         @nokogiri.css('iframe').each do |find|
           find_src = find.attr('src')
 
-          if find_src.start_with?('http', 'https')
+          if find_src and find_src.start_with?('http', 'https')
             @csp_frame_src.push find_src.match(/(.*\/)+(.*$)/)[1]
           end
         end
       end
 
+      def get_domain(url)
+        uri = URI.parse(url)
+        "#{uri.scheme}://#{uri.host}"
+      end
+
       ##
       # Generate a content hash
       def generate_sha256_content_hash(content)
@@ -237,9 +265,8 @@ module Jekyll
       if File.extname(dest_path) == ".html"
         content_security_policy_generator = ContentSecurityPolicyGenerator.new output
         output = content_security_policy_generator.run
+        write_file_contents(dest_path, output)
       end
-
-      write_file_contents(dest_path, output)
     end
 
   end

data/lib/jekyll-content-security-policy-generator/version.rb

@@ -1,3 +1,3 @@
 module JekyllContentSecurityPolicyGenerator
-  VERSION = "1.6.2".freeze
+  VERSION = "1.6.11".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jekyll-content-security-policy-generator
 version: !ruby/object:Gem::Version
-  version: 1.6.2
+  version: 1.6.11
 platform: ruby
 authors:
 - strongscot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-11 00:00:00.000000000 Z
+date: 2021-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
@@ -25,7 +25,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: nokogiri
+  name: digest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -39,7 +39,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: digest
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -94,36 +94,10 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: nokogiri
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: digest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-description: Helps generate a content security policy. Locates inline scripts, images,
-  frames etc.
+description: Will generate a content-security-policy based on images, scripts, stylesheets,
+  frames andothers on each generated page. This script assumes that all your linked
+  resources as 'safe'.Style attributes will also be converted into <style> elements
+  and SHA256 hashes will begenerated for inline styles/scripts.
 email:
 - mail@strongscot.com
 executables: []
@@ -131,6 +105,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- CODE_OF_CONDUCT.md
+- Cover.png
 - LICENSE
 - Makefile
 - README.md