jekyll-content-security-policy-generator 1.6.8 → 1.6.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83640101b7159f3d53a4e59890b1d8a9b1d33841441762a38039c65d2f740d13
-  data.tar.gz: 1c231c2b1e9d31de74392f9fe81a5af678a7fb9f713e7730982cba3d0a327ed4
+  metadata.gz: d4c60e7eb8da0e545f4b95bdebd2868b4d8f9bfa9f07352ae549349eb389dcfb
+  data.tar.gz: e8322faa009accd48954b155182d06101900ca709985deb5b6c68ff711b5af7a
 SHA512:
-  metadata.gz: 409a834f57f1ffc953d4472352ec5434f8c5403633f9eb167abfc28c34dd9db6eebc70d3a1463ecaf91d11c2c4e6959bd2aeb7b61aa64574a3d95d14c096838c
-  data.tar.gz: 6f38ccbab275e6529cdf40079fd56eacae0778397fa32cd6b63fb38c981071732b157d9045f2896d8e60dd9293cab4e8f70d0c62475aff3e5534b1267702eed0
+  metadata.gz: a77bae14674eb6cf7d3aba4c5f5e20673d47de36347eab7723d1502320dca614da472cf2d4ad64345e4d7c218427de46a27b088b02e120aa09024a50f36ee8a0
+  data.tar.gz: f502a9cf7ec9b92fca5de81dcd4c493c2e837cad2a58d749a889007879e17a6578e713dfcb57a1e121103a519d52d1b0506549a399de791bd92cb1633f1134a9

data/README.md

@@ -1,5 +1,7 @@
 # jekyll-content-security-policy-generator Plugin
 
+![Jekyll Image Cover](Cover.png)
+
 This Jekyll plugin automatically builds an HTML content-security-policy for a Jekyll site. The plugin
 will scan ```.html``` files generated by Jekyll and attempt to locate images, styles, scripts, frames etc and build a
 content security policy HTML meta tag. The script will also generate SHA256 hashes for inline scripts and styles. If
@@ -21,15 +23,40 @@ To speed up development of Jekyll based sites whilst also helping to generate se
 
 ## Installation
 
-Install the gem:
+Add the plugin your Gemfile within the jekyll_plugins group:
+
+```
+group :jekyll_plugins do
+  gem 'jekyll-content-security-policy-generator'
+  ... other gem files
+end
+```
+
+Then install
+
+```
+bundle install
+```
+
+## Nokogiri Error on Mac?
+
+For some reason, Nokogiri will install with both the ARM (M1) and x86 variants which will confuse bundler. Best way I found to fix this was to open the Gemfile.lock and remove the:
+
+```
+nokogiri (1.11.3-arm64-darwin)
+  racc (~> 1.4)
+```
 
-```gem install jekyll-content-security-policy-generator```
+Or the x86 if you have an M1 mac.
 
-Then add this to your _config.yml:
+Alternatively, you can add ```nokogiri``` to your Gemfile, like so:
 
 ```
-plugins:
-  - jekyll-content-security-policy-generator
+group :jekyll_plugins do
+  gem 'nokogiri'
+  gem 'jekyll-content-security-policy-generator'
+  ... other gem files
+end
 ```
 
 ## Support

data/jekyll-content-security-policy-generator.gemspec

@@ -1,10 +1,15 @@
 lib = File.expand_path("../lib", __FILE__)
+
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "jekyll-content-security-policy-generator/version"
+
 Gem::Specification.new do |spec|
   spec.name          = "jekyll-content-security-policy-generator"
   spec.summary       = "Helps generate a content security policy."
-  spec.description   = "Helps generate a content security policy. Locates inline scripts, images, frames etc."
+  spec.description   = "Will generate a content-security-policy based on images, scripts, stylesheets, frames and"\
+                       "others on each generated page. This script assumes that all your linked resources as 'safe'."\
+                       "Style attributes will also be converted into <style> elements and SHA256 hashes will be"\
+                       "generated for inline styles/scripts."
   spec.version       = JekyllContentSecurityPolicyGenerator::VERSION
   spec.authors       = ["strongscot"]
   spec.email         = ["mail@strongscot.com"]
@@ -14,7 +19,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   spec.add_dependency 'jekyll'
   spec.add_dependency 'digest'
-  spec.add_dependency 'nokogiri', '~> 1.10'
+  spec.add_dependency 'nokogiri'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'rubocop'

data/lib/jekyll-content-security-policy-generator/hook.rb

@@ -2,6 +2,7 @@ require 'jekyll'
 require 'nokogiri'
 require 'digest'
 require 'open-uri'
+require 'uri'
 
 ##
 # Provides the ability to generate a content security policy for inline scripts and styles.
@@ -30,11 +31,19 @@ module Jekyll
       def generate_convert_security_policy_meta_tag
         meta_content = ""
 
+        @csp_script_src = @csp_script_src.uniq
+        @csp_image_src = @csp_image_src.uniq
+        @csp_style_src = @csp_style_src.uniq
+        @csp_script_src = @csp_script_src.uniq
+        @csp_unknown = @csp_unknown.uniq
+
         if @csp_frame_src.length > 0
+          @csp_script_src.uniq
           meta_content += "frame-src " + @csp_frame_src.join(' ') + '; '
         end
 
         if @csp_image_src.length > 0
+          Jekyll.logger.warn @csp_image_src
           meta_content += "img-src " + @csp_image_src.join(' ') + '; '
         end
 
@@ -55,10 +64,10 @@ module Jekyll
         end
 
         if @nokogiri.at("head")
-          Jekyll.logger.info "Generated content security policy, inserted in HEAD."
+          #Jekyll.logger.info "Generated content security policy, inserted in HEAD."
           @nokogiri.at("head") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
         elsif @nokogiri.at("body")
-          Jekyll.logger.info "Generated content security policy, inserted in BODY."
+          #Jekyll.logger.info "Generated content security policy, inserted in BODY."
           @nokogiri.at("body") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
         else
           Jekyll.logger.error "Generated content security policy but found no-where to insert it."
@@ -84,16 +93,12 @@ module Jekyll
 
               if policy_parts[0] == 'script-src'
                 @csp_script_src.concat(policy_parts.drop(1))
-                @csp_script_src = @csp_script_src.uniq
               elsif policy_parts[0] == 'style-src'
                 @csp_style_src.concat(policy_parts.drop(1))
-                @csp_style_src = @csp_style_src.uniq
               elsif policy_parts[0] == 'image-src'
                 @csp_image_src.concat(policy_parts.drop(1))
-                @csp_image_src = @csp_image_src.uniq
               elsif policy_parts[0] == 'frame-src'
                 @csp_frame_src.concat(policy_parts.drop(1))
-                @csp_frame_src = @csp_frame_src.uniq
               else
                 @csp_unknown.concat([policy_parts])
               end
@@ -124,11 +129,11 @@ module Jekyll
 
             if @nokogiri.at('head')
               @nokogiri.at('head') << new_element
-              Jekyll.logger.info'Converting style attribute to inline style, inserted into HEAD.'
+              #Jekyll.logger.info'Converting style attribute to inline style, inserted into HEAD.'
             else
               if @nokogiri.at('body')
                 @nokogiri.at('body') << new_element
-                Jekyll.logger.info'Converting style attribute to inline style, inserted into BODY.'
+                #Jekyll.logger.info'Converting style attribute to inline style, inserted into BODY.'
               else
                 Jekyll.logger.warn'Unable to convert style attribute to inline style, no HEAD or BODY found.'
               end
@@ -147,6 +152,19 @@ module Jekyll
             @csp_image_src.push find_src.match(/(.*\/)+(.*$)/)[1]
           end
         end
+
+        @nokogiri.css('style').each do |find|
+          finds = find.content.scan(/url\(([^\)]+)\)/)
+
+          finds.each do |innerFind|
+            innerFind = innerFind[0]
+            innerFind = innerFind.tr('\'"', '')
+            if innerFind.start_with?('http', 'https')
+              @csp_image_src.push self.get_domain(innerFind)
+            end
+          end
+        end
+
       end
 
       ##
@@ -195,6 +213,11 @@ module Jekyll
         end
       end
 
+      def get_domain(url)
+        uri = URI.parse(url)
+        "#{uri.scheme}://#{uri.host}"
+      end
+
       ##
       # Generate a content hash
       def generate_sha256_content_hash(content)

data/lib/jekyll-content-security-policy-generator/version.rb

@@ -1,3 +1,3 @@
 module JekyllContentSecurityPolicyGenerator
-  VERSION = "1.6.8".freeze
+  VERSION = "1.6.10".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jekyll-content-security-policy-generator
 version: !ruby/object:Gem::Version
-  version: 1.6.8
+  version: 1.6.10
 platform: ruby
 authors:
 - strongscot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-11 00:00:00.000000000 Z
+date: 2021-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
@@ -42,16 +42,16 @@ dependencies:
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -94,8 +94,10 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Helps generate a content security policy. Locates inline scripts, images,
-  frames etc.
+description: Will generate a content-security-policy based on images, scripts, stylesheets,
+  frames andothers on each generated page. This script assumes that all your linked
+  resources as 'safe'.Style attributes will also be converted into <style> elements
+  and SHA256 hashes will begenerated for inline styles/scripts.
 email:
 - mail@strongscot.com
 executables: []
@@ -103,6 +105,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- Cover.png
 - LICENSE
 - Makefile
 - README.md