@commercetools-frontend/mc-html-template 20.10.3 → 20.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/README.md +2 -1
  2. package/build/compile-html.js +6 -2
  3. package/build/generate-template.js +1 -0
  4. package/build/process-headers.js +15 -7
  5. package/build/utils/replace-html-placeholders.js +2 -2
  6. package/package.json +7 -7
package/README.md CHANGED
@@ -20,7 +20,7 @@ This method will return the compiled HTML document with the CSS/JS scripts injec
20
20
 
21
21
  > NOTE that the HTML document will still have the **placeholders** (see `replaceHtmlPlaceholders`)
22
22
 
23
- #### `replaceHtmlPlaceholders(html: String, env: Object): String`
23
+ #### `replaceHtmlPlaceholders(html: String, { env: Object, headers: Object, cliFlags: Object }): String`
24
24
 
25
25
  This method will replace the **placeholders** defined in the HTML document based on the application config.
26
26
 
@@ -35,6 +35,7 @@ At the moment we define the following placeholders:
35
35
  - `__APP_ENVIRONMENT__`: the sanitized application config environment, which will be available at the global variable `window.app`
36
36
  - `__DATALAYER_JS__`: the initial configuration for GTM, in case the `trackingGtm` is defined in the `additionalEnv` property of the application config
37
37
  - `__GTM_SCRIPT__`: the actual GTM script, in case the `trackingGtm` is defined in the `additionalEnv` property of the application config
38
+ - `__CSP__`: the generated `Content-Security-Policy` directives, defined as an HTML meta tag
38
39
 
39
40
  #### `processHeaders(applicationConfig: Object, { env: Object, headers: Object }): Object`
40
41
 
package/build/compile-html.js CHANGED
@@ -10,11 +10,15 @@ const processHeaders = require('./process-headers');
10
10
 
11
11
  const replaceHtmlPlaceholders = require('./utils/replace-html-placeholders');
12
12
 
13
- module.exports = async function compileHtml(indexHtmlTemplatePath) {
13
+ module.exports = async function compileHtml(indexHtmlTemplatePath, cliFlags) {
14
14
  const applicationConfig = processConfig();
15
15
  const compiledHeaders = processHeaders(applicationConfig);
16
16
  const indexHtmlTemplateContent = fs.readFileSync(indexHtmlTemplatePath, 'utf8');
17
- const indexHtmlContent = replaceHtmlPlaceholders(indexHtmlTemplateContent, applicationConfig.env);
17
+ const indexHtmlContent = replaceHtmlPlaceholders(indexHtmlTemplateContent, {
18
+ env: applicationConfig.env,
19
+ headers: compiledHeaders,
20
+ cliFlags
21
+ });
18
22
  return {
19
23
  env: applicationConfig.env,
20
24
  headers: compiledHeaders,
package/build/generate-template.js CHANGED
@@ -17,6 +17,7 @@ module.exports = function generateTemplate({
17
17
  <meta charset="utf-8">
18
18
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
19
19
  <meta name="referrer" content="no-referrer">
20
+ <meta http-equiv="Content-Security-Policy" content="__CSP__">
20
21
  <link rel="preconnect" href="__CDN_URL__">
21
22
  <link rel="preconnect" href="__MC_API_URL__">
22
23
  <!-- Fav and touch icons -->
package/build/process-headers.js CHANGED
@@ -16,6 +16,10 @@ var _entries = _interopRequireDefault(require("@babel/runtime-corejs3/core-js-st
16
16
 
17
17
  var _concat = _interopRequireDefault(require("@babel/runtime-corejs3/core-js-stable/instance/concat"));
18
18
 
19
+ const {
20
+ HTTP_SECURITY_HEADERS
21
+ } = require('@commercetools-frontend/constants');
22
+
19
23
  const createAssetHash = require('./utils/create-asset-hash');
20
24
 
21
25
  const sanitizeAppEnvironment = require('./utils/sanitize-app-environment');
@@ -46,7 +50,7 @@ const toStructuredHeaderString = (directives = {}) => {
46
50
  };
47
51
 
48
52
  const processHeaders = applicationConfig => {
49
- var _context4, _context5, _context6, _applicationConfig$he, _context7;
53
+ var _context4, _context5, _context6, _applicationConfig$he;
50
54
 
51
55
  const isMcDevEnv = applicationConfig.env.env === 'development'; // List hashes for injected inline scripts.
52
56
  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
@@ -89,16 +93,20 @@ const processHeaders = applicationConfig => {
89
93
  ); // Recursively merge the directives
90
94
 
91
95
  const mergedCsp = mergeCspDirectives(cspDirectives, (_applicationConfig$he = applicationConfig.headers.csp) !== null && _applicationConfig$he !== void 0 ? _applicationConfig$he : {});
92
- return {
93
- 'Strict-Transport-Security': (0, _concat.default)(_context7 = ['max-age=31536000']).call(_context7, applicationConfig.headers.strictTransportSecurity || []).join('; '),
94
- 'X-XSS-Protection': '1; mode=block',
95
- 'X-Content-Type-Options': 'nosniff',
96
- 'X-Frame-Options': 'DENY',
97
- 'Referrer-Policy': 'same-origin',
96
+ return { // Default security headers.
97
+ ...HTTP_SECURITY_HEADERS,
98
+ // The `Content-Security-Policy` header is always generated
99
+ // based on the Custom Application config.
98
100
  'Content-Security-Policy': toHeaderString(mergedCsp),
101
+ // Allow to extend the `Strict-Transport-Security` header.
102
+ ...(applicationConfig.headers.strictTransportSecurity && {
103
+ 'Strict-Transport-Security': [HTTP_SECURITY_HEADERS['Strict-Transport-Security'], ...applicationConfig.headers.strictTransportSecurity].join('; ')
104
+ }),
105
+ // Allow to extend the `Feature-Policy` header.
99
106
  ...(applicationConfig.headers.featurePolicies && {
100
107
  'Feature-Policy': toHeaderString(applicationConfig.headers.featurePolicies)
101
108
  }),
109
+ // Allow to extend the `Permissions-Policy` header.
102
110
  ...(applicationConfig.headers.permissionsPolicies && {
103
111
  'Permissions-Policy': toStructuredHeaderString(applicationConfig.headers.permissionsPolicies)
104
112
  })
package/build/utils/replace-html-placeholders.js CHANGED
@@ -16,7 +16,7 @@ const getGtmTrackingScript = gtmId => {
16
16
  `;
17
17
  };
18
18
 
19
- const replaceHtmlPlaceholders = (indexHtmlContent, config) => indexHtmlContent.replace(new RegExp('__CDN_URL__', 'g'), config.cdnUrl ? // Ensure there is a trailing slash
20
- `${trimTrailingSlash(config.cdnUrl)}/` : '').replace(new RegExp('__MC_API_URL__', 'g'), trimTrailingSlash(config.mcApiUrl)).replace(new RegExp('__APP_ENVIRONMENT__', 'g'), sanitizeAppEnvironment(config)).replace(new RegExp('__GTM_SCRIPT__', 'g'), getGtmTrackingScript(config.trackingGtm)).replace(new RegExp('__DATALAYER_JS__', 'g'), htmlScripts.dataLayer).replace(new RegExp('__LOADING_SCREEN_JS__', 'g'), htmlScripts.loadingScreen).replace(new RegExp('__LOADING_SCREEN_CSS__', 'g'), htmlStyles.loadingScreen);
19
+ const replaceHtmlPlaceholders = (indexHtmlContent, options) => indexHtmlContent.replace(new RegExp('__CSP__', 'g'), options.headers && options.cliFlags && options.cliFlags.inlineCsp ? options.headers['Content-Security-Policy'] : '').replace(new RegExp('__CDN_URL__', 'g'), options.env.cdnUrl ? // Ensure there is a trailing slash
20
+ `${trimTrailingSlash(options.env.cdnUrl)}/` : '').replace(new RegExp('__MC_API_URL__', 'g'), trimTrailingSlash(options.env.mcApiUrl)).replace(new RegExp('__APP_ENVIRONMENT__', 'g'), sanitizeAppEnvironment(options.env)).replace(new RegExp('__GTM_SCRIPT__', 'g'), getGtmTrackingScript(options.env.trackingGtm)).replace(new RegExp('__DATALAYER_JS__', 'g'), htmlScripts.dataLayer).replace(new RegExp('__LOADING_SCREEN_JS__', 'g'), htmlScripts.loadingScreen).replace(new RegExp('__LOADING_SCREEN_CSS__', 'g'), htmlStyles.loadingScreen);
21
21
 
22
22
  module.exports = replaceHtmlPlaceholders;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@commercetools-frontend/mc-html-template",
3
- "version": "20.10.3",
3
+ "version": "20.12.0",
4
4
  "description": "Everything related to render the index.html for a MC application",
5
5
  "bugs": "https://github.com/commercetools/merchant-center-application-kit/issues",
6
6
  "repository": {
@@ -11,7 +11,6 @@
11
11
  "homepage": "https://docs.commercetools.com/custom-applications",
12
12
  "keywords": ["javascript", "frontend", "react", "toolkit"],
13
13
  "license": "MIT",
14
- "private": false,
15
14
  "publishConfig": {
16
15
  "access": "public"
17
16
  },
@@ -26,22 +25,23 @@
26
25
  "README.md"
27
26
  ],
28
27
  "scripts": {
29
- "prebuild": "rimraf build/**",
30
- "build": "babel src --out-dir build",
28
+ "build": "rimraf build && babel src --out-dir build",
31
29
  "build:bundles:watch": "yarn build -w"
32
30
  },
33
31
  "dependencies": {
34
32
  "@babel/runtime": "7.15.4",
35
33
  "@babel/runtime-corejs3": "7.15.4",
36
- "@commercetools-frontend/application-config": "20.10.3",
37
- "core-js": "3.18.2",
34
+ "@commercetools-frontend/application-config": "20.12.0",
35
+ "@commercetools-frontend/constants": "20.12.0",
36
+ "core-js": "3.19.0",
38
37
  "serialize-javascript": "6.0.0",
39
38
  "uglify-es": "3.3.9",
40
39
  "uglifycss": "0.0.29"
41
40
  },
42
41
  "devDependencies": {
43
42
  "@babel/plugin-transform-runtime": "7.15.8",
44
- "@babel/preset-env": "7.15.8"
43
+ "@babel/preset-env": "7.15.8",
44
+ "rimraf": "3.0.2"
45
45
  },
46
46
  "engines": {
47
47
  "node": ">=12 || >=14"