jekyll-csp 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ad7855278a3b719aaaa04add26777010e47ee2c9b25cd736b20e3fde75538e72
+  data.tar.gz: 13323d6f7ee84b5ef4f0a0d6e65ae5324664667fe890c2016bd3884972f0c212
+SHA512:
+  metadata.gz: f4182dbcae069d047c16216eef429c151adb6bdeda1cc7405773ff5bf5ca7c4a8c69e6667f981757b9dae8bdcbe51c844499d818d0c7452c4ea53783f7a4029e
+  data.tar.gz: e0da23509ad6205c73d0e6d47c5521b851aefe8696c6711ce4debeef8480e8cbe0247f8f5df8aea6fc89fe08404965cc8acd04df4b0c7bbb3d4fc9872eb929e7

data/lib/jekyll-csp/csp.rb

@@ -0,0 +1,321 @@
+require 'jekyll'
+require 'nokogiri'
+require 'digest'
+require 'open-uri'
+require 'uri'
+
+##
+# Provides the ability to generate a content security policy for inline scripts and styles.
+# Will reuse an existing CSP or generate a new one and insert in HEAD.
+module CSP
+  ##
+  # Provides the ability to generate a content security policy for inline scripts and styles.
+  # Will reuse an existing CSP or generate a new one and insert in HEAD.
+  class Generator
+    def initialize(document_html)
+      @document_html = document_html
+      @nokogiri = Nokogiri::HTML(document_html)
+
+      @csp_tags = {
+        "frame-src" => [],
+        "script-src" => [],
+        "img-src" => [],
+        "style-src" => []
+      }
+
+      config = Jekyll.configuration({})['jekyll_csp']
+      
+      @indentation = config['indentation'] || 2
+      @enable_newlines = config['newlines'].to_s ? config['newlines'] : true
+      @debug = config['debug'].to_s ? config['debug'] : false
+      @include_self = config['include_self'].to_s ? config['include_self'] : false
+
+      if @enable_newlines == false
+        @indentation = 0
+      end
+
+      self.write_debug_log(config)
+    end
+
+
+    ##
+    # Write a debug log
+    def write_debug_log(content)
+      if @debug
+        Jekyll.logger.warn content
+      end
+    end
+
+    ##
+    # Generate a CSP entry using the correct indentation and formatting
+    def generate_meta_entry(tag, items)
+      # Remove duplicates
+      items = items.uniq
+
+      # Line separator
+      line_sep = @enable_newlines ? "\n" : ""
+
+      "" \
+      << line_sep \
+      << self.get_indent_str(3) \
+      << tag \
+      << " " \
+      << line_sep \
+      << self.get_indent_str(4) \
+      << items.join(" " + line_sep + self.get_indent_str(4)) \
+      << "; "
+    end
+
+    ##
+    # Get an indentation string.
+    def get_indent_str(count)
+      " " * (@indentation * count)
+    end
+
+    ##
+    # Creates an HTML content security policy meta tag.
+    def generate_convert_security_policy_meta_tag
+      meta_content = ""
+
+      @csp_tags.each do |tag, items|
+        meta_content += self.generate_meta_entry(tag, items)
+      end
+
+      csp = self.get_or_create_csp_tag
+      csp['content'] = meta_content
+    end
+
+    def get_or_create_csp_tag
+      csp = @nokogiri.at_xpath("//meta[translate(@http-equiv, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz') = 'content-security-policy']")
+
+      if csp
+        return csp
+      end
+
+      tag = "<meta http-equiv=\"Content-Security-Policy\" content="">"
+
+      if @nokogiri.at("head")
+        self.write_debug_log("Generated content security policy, inserted in HEAD.")
+        @nokogiri.at("head") << tag
+      elsif @nokogiri.at("body")
+        self.write_debug_log("Generated content security policy, inserted in BODY.")
+        @nokogiri.at("body") << tag
+      else
+        self.write_debug_log("Generated content security policy but found no-where to insert it.")
+      end
+
+      csp = @nokogiri.at_xpath("//meta[translate(@http-equiv, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz') = 'content-security-policy']")
+      return csp
+    end
+
+    ##
+    # Parse an existing content security policy meta tag
+    def parse_existing_meta_element()
+      csp = self.get_or_create_csp_tag
+
+      if csp
+        content = csp.attr('content')
+        content = content.strip! || content
+        policies = content.split(';')
+        
+        policies.each do |policy|
+          policy = policy.strip! || policy
+
+          if policy.include? ' '
+            policy_parts = policy.split(' ')
+
+            self.write_debug_log("Found existing CSP meta tag for '" << policy_parts[0] << "', concatenating rather than creating.")
+            
+            # If an existing tag doesn't exist, add it assuming the user knows best
+            if !@csp_tags.key?(policy_parts[0])
+              @csp_tags[policy_parts[0]] = []
+            end
+            
+            @csp_tags[policy_parts[0]].concat(policy_parts.drop(1))
+          end
+        end
+
+        @nokogiri.search('meta[http-equiv="Content-Security-Policy"]').each do |el|
+          el.remove
+        end
+      end
+    end
+
+    ##
+    # Initialize some default values
+    def inject_defaults
+      if @include_self == false
+        return 
+      end
+
+      @csp_tags.each do |tag, items|
+        items.push("'self'")
+      end
+    end
+
+    ##
+    # This function converts elements with style="color:red" attributes into inline styles
+    def convert_all_inline_styles_attributes
+      @nokogiri.css('*').each do |find|
+        find_src = find.attr('style')
+
+        if find_src
+          if find.attr('id')
+            element_id = find.attr('id')
+          else
+            hash = Digest::MD5.hexdigest find_src + "#{Random.rand(11)}"
+            element_id = "csp-gen-" + hash
+            find["id"] = element_id
+          end
+
+          new_element = "<style>#" + element_id + " { " + find_src + " } </style>"
+          find.remove_attribute("style")
+
+          if @nokogiri.at('head')
+            @nokogiri.at('head') << new_element
+            self.write_debug_log('Converting style attribute to inline style, inserted into HEAD.')
+          else
+            if @nokogiri.at('body')
+              @nokogiri.at('body') << new_element
+              Jekyll.logger.info
+              self.write_debug_log('Converting style attribute to inline style, inserted into BODY.')
+            else
+              self.write_debug_log('Unable to convert style attribute to inline style, no HEAD or BODY found.')
+            end
+          end
+        end
+      end
+    end
+
+    ##
+    # Find all images
+    def find_images
+      @nokogiri.css('img').each do |find|
+        find_src = find.attr('src')
+
+        if find_src and find_src.start_with?('http', 'https')
+          @csp_tags['img-src'].push find_src.match(/(.*\/)+(.*$)/)[1]
+        end
+      end
+
+      @nokogiri.css('style').each do |find|
+        finds = find.content.scan(/url\(([^\)]+)\)/)
+
+        finds.each do |innerFind|
+          innerFind = innerFind[0]
+          innerFind = innerFind.tr('\'"', '')
+          if innerFind.start_with?('http', 'https')
+            @csp_tags['img-src'].push self.get_domain(innerFind)
+          end
+        end
+      end
+
+    end
+
+    ##
+    # Find all scripts
+    def find_scripts
+      @nokogiri.css('script').each do |find|
+        if find.attr('src')
+          find_src = find.attr('src')
+
+          if find_src and find_src.start_with?('http', 'https')
+            @csp_tags['script-src'].push find_src.match(/(.*\/)+(.*$)/)[1]
+          end
+
+        else
+          @csp_tags['script-src'].push self.generate_sha256_content_hash find.content
+        end
+      end
+    end
+
+    ##
+    # Find all inline stylesheets
+    def find_inline_styles
+      @nokogiri.css('style').each do |find|
+        @csp_tags['style-src'].push self.generate_sha256_content_hash find.content
+      end
+    end
+
+    ##
+    # Find all linked stylesheets
+    def find_linked_styles
+      @nokogiri.css('link').each do |find|
+        self.write_debug_log(find)
+        find_attr = find.attr('href')
+
+        if find_attr
+            @csp_tags['style-src'].push find_attr
+        else
+          self.write_debug_log("Found linked style with no href." << find)
+        end
+      end
+    end
+
+    ##
+    # Find all iframes
+    def find_frames
+      @nokogiri.css('iframe, frame').each do |find|
+        find_src = find.attr('src')
+
+        if find_src and find_src.start_with?('http', 'https')
+          @csp_tags['frame-src'].push find_src
+        end
+      end
+    end
+
+    def get_domain(url)
+      uri = URI.parse(url)
+      "#{uri.scheme}://#{uri.host}"
+    end
+
+    ##
+    # Generate a SHA256 hash from content
+    def generate_sha256_content_hash(content)
+      hash = Digest::SHA2.base64digest content
+      "'sha256-#{hash}'"
+    end
+
+    ##
+    # Builds an HTML meta tag based on the found inline scripts and style hashes
+    def run
+      self.parse_existing_meta_element
+      self.inject_defaults
+      self.convert_all_inline_styles_attributes
+
+      # Find elements in document
+      self.find_linked_styles
+      self.find_images
+      self.find_inline_styles
+      self.find_scripts
+      self.find_frames
+
+      self.generate_convert_security_policy_meta_tag
+
+      @nokogiri.to_html
+    end
+  end
+
+  ##
+  # Write the file contents back.
+  def write_file_contents(dest, content)
+    FileUtils.mkdir_p(File.dirname(dest))
+    File.open(dest, 'w') do |f|
+      f.write(content)
+    end
+  end
+
+  ##
+  # Write document contents
+  def write(dest)
+    dest_path = destination(dest)
+
+    if File.extname(dest_path) == ".html"
+      content_security_policy_generator = Generator.new output
+      self.write_file_contents(dest_path, content_security_policy_generator.run)
+    else
+      self.write_file_contents(dest_path, output)
+    end
+
+  end
+end

data/lib/jekyll-csp/hook.rb

@@ -0,0 +1,27 @@
+require 'jekyll'
+require_relative 'csp.rb'
+
+module Jekyll  
+  class Document
+    include CSP
+
+    ##
+    # Write document contents
+    def write(dest)
+      super dest
+      trigger_hooks(:post_write)
+    end
+  end
+
+  class Page
+    include CSP
+
+    ##
+    # Write page contents
+    def write(dest)
+      super dest
+
+      Jekyll::Hooks.trigger hook_owner, :post_write, self
+    end
+  end
+end

data/lib/jekyll-csp/version.rb

@@ -0,0 +1,3 @@
+module JekyllCSP
+  VERSION = "1.0.0".freeze
+end

data/lib/jekyll-csp.rb

@@ -0,0 +1,5 @@
+require_relative "jekyll-csp/version"
+require_relative "jekyll-csp/hook"
+
+module JekyllCSP
+end

metadata

@@ -0,0 +1,135 @@
+--- !ruby/object:Gem::Specification
+name: jekyll-csp
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- scottstraughan
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-05-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jekyll
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.4.0
+- !ruby/object:Gem::Dependency
+  name: digest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.18.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.18.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Will generate a content-security-policy based on images, scripts, stylesheets,
+  frames andothers on each generated page. This script assumes that all your linked
+  resources as 'safe'.Style attributes will also be converted into <style> elements
+  and SHA256 hashes will begenerated for inline styles/scripts.
+email:
+- ''
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/jekyll-csp.rb
+- lib/jekyll-csp/csp.rb
+- lib/jekyll-csp/hook.rb
+- lib/jekyll-csp/version.rb
+homepage: https://github.com/scottstraughan/jekyll-csp
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Generate a Content Security Policy HTML meta tag based on found inline scripts,
+  inline styles etc.
+test_files: []