@elliemae/pui-cli 8.40.2 → 8.41.0

package/dist/types/lib/webpack/csp.d.ts

@@ -0,0 +1,65 @@
+/** Module for enabling a hash-based strict Content Security Policy. */
+declare class CSP {
+    private static readonly HASH_FUNCTION;
+    private static readonly INLINE_SCRIPT_SELECTOR;
+    private static readonly SOURCED_SCRIPT_SELECTOR;
+    private $;
+    constructor(html: string);
+    serializeDom(): string;
+    /**
+     * Returns a strict Content Security Policy for mittigating XSS.
+     * For more details read csp.withgoogle.com.
+     * If you modify this CSP, make sure it has not become trivially bypassable by
+     * checking the policy using csp-evaluator.withgoogle.com.
+     * @param hashes A list of sha-256 hashes of trusted inline scripts.
+     * @param cspOptions
+     * @param enableTrustedTypes If Trusted Types should be enabled for scripts.
+     * @param enableBrowserFallbacks If fallbacks for older browsers should be
+     *   added. This is will not weaken the policy as modern browsers will ignore
+     *   the fallbacks.
+     * @param enableUnsafeEval If you cannot remove all uses of eval(), you can
+     *   still set a strict CSP, but you will have to use the 'unsafe-eval'
+     *   keyword which will make your policy slightly less secure.
+     * @param cspOptions.enableBrowserFallbacks
+     * @param cspOptions.enableTrustedTypes
+     * @param cspOptions.enableUnsafeEval
+     * @returns A strict Content Security Policy string.
+     */
+    static getStrictCsp(hashes?: string[], cspOptions?: {
+        enableUnsafeEval?: boolean;
+    }): string;
+    /**
+     * Enables a CSP via a meta tag at the beginning of the document.
+     * Warning: It's recommended to set CSP as HTTP response header instead of
+     * using a meta tag. Injections before the meta tag will not be covered by CSP
+     * and meta tags don't support CSP in report-only mode.
+     * @param csp A Content Security Policy string.
+     */
+    addMetaTag(csp: string): void;
+    /**
+     * Replaces all sourced scripts with a single inline script that can be hashed
+     */
+    refactorSourcedScriptsForHashBasedCsp(): void;
+    /**
+     * Returns a list of hashes of all inline scripts found in the HTML document.
+     * @returns A list of sha-256 hashes of inline scripts.
+     */
+    hashAllInlineScripts(): string[];
+    /**
+     * Returns JS code for dynamically loading sourced (external) scripts.
+     * @param scriptInfoList A list of objects containing src and type for scripts that should be loaded
+     * @returns JS code for loading scripts.
+     */
+    static createLoaderScript(scriptInfoList: {
+        src: string;
+        type?: string;
+    }[]): string | undefined;
+    /**
+     * Calculates a CSP compatible hash of an inline script.
+     * @param scriptText Text between opening and closing script tag. Has to
+     *     include whitespaces and newlines!
+     * @returns A sha-256 hash of the script.
+     */
+    static hashInlineScript(scriptText: string): string;
+}
+export { CSP };