@adobe/helix-html-pipeline 6.26.3 → 6.26.5

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+## [6.26.5](https://github.com/adobe/helix-html-pipeline/compare/v6.26.4...v6.26.5) (2025-07-17)
+
+
+### Bug Fixes
+
+* don't replace 3 spaces in metadata value with comma ([ddb1c8e](https://github.com/adobe/helix-html-pipeline/commit/ddb1c8e3e2de92265b7a5f545cc73c94059ec31f))
+
+## [6.26.4](https://github.com/adobe/helix-html-pipeline/compare/v6.26.3...v6.26.4) (2025-07-11)
+
+
+### Bug Fixes
+
+* Rename "move-as-header" to "move-to-http-header" ([#910](https://github.com/adobe/helix-html-pipeline/issues/910)) ([fa5b101](https://github.com/adobe/helix-html-pipeline/commit/fa5b10157bb82a4eeed90b7968ac922718ecf659))
+
 ## [6.26.3](https://github.com/adobe/helix-html-pipeline/compare/v6.26.2...v6.26.3) (2025-07-07)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "6.26.3",
+  "version": "6.26.5",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -70,7 +70,7 @@
     "unist-util-visit-parents": "6.0.1"
   },
   "devDependencies": {
-    "@adobe/eslint-config-helix": "3.0.6",
+    "@adobe/eslint-config-helix": "3.0.8",
     "@eslint/config-helpers": "0.3.0",
     "@markedjs/html-differ": "5.0.2",
     "@semantic-release/changelog": "6.0.3",
@@ -81,7 +81,7 @@
     "eslint-import-resolver-exports": "1.0.0-beta.5",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.32.0",
-    "esmock": "2.7.0",
+    "esmock": "2.7.1",
     "husky": "9.1.7",
     "js-yaml": "4.1.0",
     "jsdom": "26.1.0",
@@ -90,7 +90,7 @@
     "mocha": "11.7.1",
     "mocha-multi-reporters": "1.5.1",
     "mocha-suppress-logs": "0.6.0",
-    "semantic-release": "24.2.6"
+    "semantic-release": "24.2.7"
   },
   "lint-staged": {
     "*.js": "eslint",

package/src/steps/csp.js

@@ -166,16 +166,17 @@ export function contentSecurityPolicyOnAST(res, tree) {
     || headersCSPRO?.includes(NONCE_AEM)
   ) {
     createAndApplyNonceOnAST(res, tree, metaCSP, headersCSP, headersCSPRO);
-  }
 
-  if (metaCSP?.properties['move-as-header'] === 'true') {
-    if (!headersCSP) {
-      // if we have a CSP in meta but no CSP in headers
-      // we can move the CSP from meta to headers, if requested
-      res.headers.set('content-security-policy', metaCSP.properties.content);
-      remove(tree, null, metaCSP);
-    } else {
-      delete metaCSP.properties['move-as-header'];
+    if (metaCSP?.properties['move-as-header'] === 'true' || metaCSP?.properties['move-to-http-header'] === 'true') {
+      if (!headersCSP) {
+        // if we have a CSP in meta but no CSP in headers
+        // we can move the CSP from meta to headers, if requested
+        res.headers.set('content-security-policy', metaCSP.properties.content);
+        remove(tree, null, metaCSP);
+      } else {
+        delete metaCSP.properties['move-as-header'];
+        delete metaCSP.properties['move-to-http-header'];
+      }
     }
   }
 }
@@ -219,7 +220,11 @@ export function contentSecurityPolicyOnCode(state, res) {
           if (contentAttr) {
             ({ scriptNonce, styleNonce } = shouldApplyNonce(contentAttr.value, cspHeader));
 
-            if (!cspHeader && tag.attrs.find((attr) => attr.name === 'move-as-header' && attr.value === 'true')) {
+            if (!cspHeader
+              && tag.attrs.find(
+                (attr) => (attr.name === 'move-as-header' || attr.name === 'move-to-http-header') && attr.value === 'true',
+              )
+            ) {
               res.headers.set('content-security-policy', contentAttr.value.replaceAll(NONCE_AEM, `'nonce-${nonce}'`));
               return; // don't push the chunk so it gets removed from the response body
             }

package/src/steps/extract-metadata.js

@@ -70,7 +70,7 @@ function readBlockConfig($block) {
 
         if (!value) {
           // for text content only
-          value = toString($value).trim().replace(/ {3}/g, ',');
+          value = toString($value).trim();
         }
 
         if (!value) {