jekyll-content-security-policy-generator 1.6.8 → 1.6.10
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d4c60e7eb8da0e545f4b95bdebd2868b4d8f9bfa9f07352ae549349eb389dcfb
|
4
|
+
data.tar.gz: e8322faa009accd48954b155182d06101900ca709985deb5b6c68ff711b5af7a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a77bae14674eb6cf7d3aba4c5f5e20673d47de36347eab7723d1502320dca614da472cf2d4ad64345e4d7c218427de46a27b088b02e120aa09024a50f36ee8a0
|
7
|
+
data.tar.gz: f502a9cf7ec9b92fca5de81dcd4c493c2e837cad2a58d749a889007879e17a6578e713dfcb57a1e121103a519d52d1b0506549a399de791bd92cb1633f1134a9
|
data/Cover.png
ADDED
Binary file
|
data/README.md
CHANGED
@@ -1,5 +1,7 @@
|
|
1
1
|
# jekyll-content-security-policy-generator Plugin
|
2
2
|
|
3
|
+
![Jekyll Image Cover](Cover.png)
|
4
|
+
|
3
5
|
This Jekyll plugin automatically builds an HTML content-security-policy for a Jekyll site. The plugin
|
4
6
|
will scan ```.html``` files generated by Jekyll and attempt to locate images, styles, scripts, frames etc and build a
|
5
7
|
content security policy HTML meta tag. The script will also generate SHA256 hashes for inline scripts and styles. If
|
@@ -21,15 +23,40 @@ To speed up development of Jekyll based sites whilst also helping to generate se
|
|
21
23
|
|
22
24
|
## Installation
|
23
25
|
|
24
|
-
|
26
|
+
Add the plugin your Gemfile within the jekyll_plugins group:
|
27
|
+
|
28
|
+
```
|
29
|
+
group :jekyll_plugins do
|
30
|
+
gem 'jekyll-content-security-policy-generator'
|
31
|
+
... other gem files
|
32
|
+
end
|
33
|
+
```
|
34
|
+
|
35
|
+
Then install
|
36
|
+
|
37
|
+
```
|
38
|
+
bundle install
|
39
|
+
```
|
40
|
+
|
41
|
+
## Nokogiri Error on Mac?
|
42
|
+
|
43
|
+
For some reason, Nokogiri will install with both the ARM (M1) and x86 variants which will confuse bundler. Best way I found to fix this was to open the Gemfile.lock and remove the:
|
44
|
+
|
45
|
+
```
|
46
|
+
nokogiri (1.11.3-arm64-darwin)
|
47
|
+
racc (~> 1.4)
|
48
|
+
```
|
25
49
|
|
26
|
-
|
50
|
+
Or the x86 if you have an M1 mac.
|
27
51
|
|
28
|
-
|
52
|
+
Alternatively, you can add ```nokogiri``` to your Gemfile, like so:
|
29
53
|
|
30
54
|
```
|
31
|
-
|
32
|
-
|
55
|
+
group :jekyll_plugins do
|
56
|
+
gem 'nokogiri'
|
57
|
+
gem 'jekyll-content-security-policy-generator'
|
58
|
+
... other gem files
|
59
|
+
end
|
33
60
|
```
|
34
61
|
|
35
62
|
## Support
|
@@ -1,10 +1,15 @@
|
|
1
1
|
lib = File.expand_path("../lib", __FILE__)
|
2
|
+
|
2
3
|
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
3
4
|
require "jekyll-content-security-policy-generator/version"
|
5
|
+
|
4
6
|
Gem::Specification.new do |spec|
|
5
7
|
spec.name = "jekyll-content-security-policy-generator"
|
6
8
|
spec.summary = "Helps generate a content security policy."
|
7
|
-
spec.description = "
|
9
|
+
spec.description = "Will generate a content-security-policy based on images, scripts, stylesheets, frames and"\
|
10
|
+
"others on each generated page. This script assumes that all your linked resources as 'safe'."\
|
11
|
+
"Style attributes will also be converted into <style> elements and SHA256 hashes will be"\
|
12
|
+
"generated for inline styles/scripts."
|
8
13
|
spec.version = JekyllContentSecurityPolicyGenerator::VERSION
|
9
14
|
spec.authors = ["strongscot"]
|
10
15
|
spec.email = ["mail@strongscot.com"]
|
@@ -14,7 +19,7 @@ Gem::Specification.new do |spec|
|
|
14
19
|
spec.require_paths = ["lib"]
|
15
20
|
spec.add_dependency 'jekyll'
|
16
21
|
spec.add_dependency 'digest'
|
17
|
-
spec.add_dependency 'nokogiri'
|
22
|
+
spec.add_dependency 'nokogiri'
|
18
23
|
spec.add_development_dependency 'rake'
|
19
24
|
spec.add_development_dependency 'rspec'
|
20
25
|
spec.add_development_dependency 'rubocop'
|
@@ -2,6 +2,7 @@ require 'jekyll'
|
|
2
2
|
require 'nokogiri'
|
3
3
|
require 'digest'
|
4
4
|
require 'open-uri'
|
5
|
+
require 'uri'
|
5
6
|
|
6
7
|
##
|
7
8
|
# Provides the ability to generate a content security policy for inline scripts and styles.
|
@@ -30,11 +31,19 @@ module Jekyll
|
|
30
31
|
def generate_convert_security_policy_meta_tag
|
31
32
|
meta_content = ""
|
32
33
|
|
34
|
+
@csp_script_src = @csp_script_src.uniq
|
35
|
+
@csp_image_src = @csp_image_src.uniq
|
36
|
+
@csp_style_src = @csp_style_src.uniq
|
37
|
+
@csp_script_src = @csp_script_src.uniq
|
38
|
+
@csp_unknown = @csp_unknown.uniq
|
39
|
+
|
33
40
|
if @csp_frame_src.length > 0
|
41
|
+
@csp_script_src.uniq
|
34
42
|
meta_content += "frame-src " + @csp_frame_src.join(' ') + '; '
|
35
43
|
end
|
36
44
|
|
37
45
|
if @csp_image_src.length > 0
|
46
|
+
Jekyll.logger.warn @csp_image_src
|
38
47
|
meta_content += "img-src " + @csp_image_src.join(' ') + '; '
|
39
48
|
end
|
40
49
|
|
@@ -55,10 +64,10 @@ module Jekyll
|
|
55
64
|
end
|
56
65
|
|
57
66
|
if @nokogiri.at("head")
|
58
|
-
Jekyll.logger.info "Generated content security policy, inserted in HEAD."
|
67
|
+
#Jekyll.logger.info "Generated content security policy, inserted in HEAD."
|
59
68
|
@nokogiri.at("head") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
|
60
69
|
elsif @nokogiri.at("body")
|
61
|
-
Jekyll.logger.info "Generated content security policy, inserted in BODY."
|
70
|
+
#Jekyll.logger.info "Generated content security policy, inserted in BODY."
|
62
71
|
@nokogiri.at("body") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
|
63
72
|
else
|
64
73
|
Jekyll.logger.error "Generated content security policy but found no-where to insert it."
|
@@ -84,16 +93,12 @@ module Jekyll
|
|
84
93
|
|
85
94
|
if policy_parts[0] == 'script-src'
|
86
95
|
@csp_script_src.concat(policy_parts.drop(1))
|
87
|
-
@csp_script_src = @csp_script_src.uniq
|
88
96
|
elsif policy_parts[0] == 'style-src'
|
89
97
|
@csp_style_src.concat(policy_parts.drop(1))
|
90
|
-
@csp_style_src = @csp_style_src.uniq
|
91
98
|
elsif policy_parts[0] == 'image-src'
|
92
99
|
@csp_image_src.concat(policy_parts.drop(1))
|
93
|
-
@csp_image_src = @csp_image_src.uniq
|
94
100
|
elsif policy_parts[0] == 'frame-src'
|
95
101
|
@csp_frame_src.concat(policy_parts.drop(1))
|
96
|
-
@csp_frame_src = @csp_frame_src.uniq
|
97
102
|
else
|
98
103
|
@csp_unknown.concat([policy_parts])
|
99
104
|
end
|
@@ -124,11 +129,11 @@ module Jekyll
|
|
124
129
|
|
125
130
|
if @nokogiri.at('head')
|
126
131
|
@nokogiri.at('head') << new_element
|
127
|
-
Jekyll.logger.info'Converting style attribute to inline style, inserted into HEAD.'
|
132
|
+
#Jekyll.logger.info'Converting style attribute to inline style, inserted into HEAD.'
|
128
133
|
else
|
129
134
|
if @nokogiri.at('body')
|
130
135
|
@nokogiri.at('body') << new_element
|
131
|
-
Jekyll.logger.info'Converting style attribute to inline style, inserted into BODY.'
|
136
|
+
#Jekyll.logger.info'Converting style attribute to inline style, inserted into BODY.'
|
132
137
|
else
|
133
138
|
Jekyll.logger.warn'Unable to convert style attribute to inline style, no HEAD or BODY found.'
|
134
139
|
end
|
@@ -147,6 +152,19 @@ module Jekyll
|
|
147
152
|
@csp_image_src.push find_src.match(/(.*\/)+(.*$)/)[1]
|
148
153
|
end
|
149
154
|
end
|
155
|
+
|
156
|
+
@nokogiri.css('style').each do |find|
|
157
|
+
finds = find.content.scan(/url\(([^\)]+)\)/)
|
158
|
+
|
159
|
+
finds.each do |innerFind|
|
160
|
+
innerFind = innerFind[0]
|
161
|
+
innerFind = innerFind.tr('\'"', '')
|
162
|
+
if innerFind.start_with?('http', 'https')
|
163
|
+
@csp_image_src.push self.get_domain(innerFind)
|
164
|
+
end
|
165
|
+
end
|
166
|
+
end
|
167
|
+
|
150
168
|
end
|
151
169
|
|
152
170
|
##
|
@@ -195,6 +213,11 @@ module Jekyll
|
|
195
213
|
end
|
196
214
|
end
|
197
215
|
|
216
|
+
def get_domain(url)
|
217
|
+
uri = URI.parse(url)
|
218
|
+
"#{uri.scheme}://#{uri.host}"
|
219
|
+
end
|
220
|
+
|
198
221
|
##
|
199
222
|
# Generate a content hash
|
200
223
|
def generate_sha256_content_hash(content)
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: jekyll-content-security-policy-generator
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.6.
|
4
|
+
version: 1.6.10
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- strongscot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-04-
|
11
|
+
date: 2021-04-12 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: jekyll
|
@@ -42,16 +42,16 @@ dependencies:
|
|
42
42
|
name: nokogiri
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
|
-
- - "
|
45
|
+
- - ">="
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version: '
|
47
|
+
version: '0'
|
48
48
|
type: :runtime
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
|
-
- - "
|
52
|
+
- - ">="
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version: '
|
54
|
+
version: '0'
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
56
|
name: rake
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
@@ -94,8 +94,10 @@ dependencies:
|
|
94
94
|
- - ">="
|
95
95
|
- !ruby/object:Gem::Version
|
96
96
|
version: '0'
|
97
|
-
description:
|
98
|
-
frames
|
97
|
+
description: Will generate a content-security-policy based on images, scripts, stylesheets,
|
98
|
+
frames andothers on each generated page. This script assumes that all your linked
|
99
|
+
resources as 'safe'.Style attributes will also be converted into <style> elements
|
100
|
+
and SHA256 hashes will begenerated for inline styles/scripts.
|
99
101
|
email:
|
100
102
|
- mail@strongscot.com
|
101
103
|
executables: []
|
@@ -103,6 +105,7 @@ extensions: []
|
|
103
105
|
extra_rdoc_files: []
|
104
106
|
files:
|
105
107
|
- ".gitignore"
|
108
|
+
- Cover.png
|
106
109
|
- LICENSE
|
107
110
|
- Makefile
|
108
111
|
- README.md
|