@elliemae/pui-cli 8.40.3 → 8.41.0

package/dist/cjs/server/middlewares.js

@@ -37,7 +37,6 @@ var import_cors = __toESM(require("cors"), 1);
 var import_compression = __toESM(require("compression"), 1);
 var import_express_static_gzip = __toESM(require("express-static-gzip"), 1);
 var import_pino_http = __toESM(require("pino-http"), 1);
-var import_csp = require("./csp.js");
 var import_helpers = require("../webpack/helpers.js");
 const paths = (0, import_helpers.getPaths)();
 const setupDefaultMiddlewares = (app) => {
@@ -53,7 +52,6 @@ const setupDefaultMiddlewares = (app) => {
   app.use(pino);
   app.use((0, import_cors.default)());
   app.options("*", (0, import_cors.default)());
-  (0, import_csp.csp)(app);
   app.use(import_express.default.urlencoded({ extended: false }));
   app.use(import_express.default.text({ type: "text/plain" }));
   app.use(import_express.default.json({ type: "application/json" }));
@@ -61,9 +59,6 @@ const setupDefaultMiddlewares = (app) => {
 const setupAdditionalMiddlewars = (app, options = {}) => {
   const { buildPath = paths.buildPath, basePath = paths.basePath } = options;
   app.use((0, import_compression.default)());
-  app.get(basePath, (req, res) => {
-    (0, import_csp.sendFileWithCSPNonce)({ buildPath, res });
-  });
   app.use(
     basePath,
     (0, import_express_static_gzip.default)(buildPath, {
@@ -73,9 +68,5 @@ const setupAdditionalMiddlewars = (app, options = {}) => {
     })
   );
   app.use((0, import_express_static_gzip.default)("cdn", {}));
-  app.get(
-    "*",
-    (req, res) => (0, import_csp.sendFileWithCSPNonce)({ buildPath, res })
-  );
   return app;
 };

package/dist/cjs/webpack/csp-plugin.js

@@ -0,0 +1,83 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var csp_plugin_exports = {};
+__export(csp_plugin_exports, {
+  CspPlugin: () => CspPlugin
+});
+module.exports = __toCommonJS(csp_plugin_exports);
+var import_html_webpack_plugin = __toESM(require("html-webpack-plugin"), 1);
+var import_csp = require("./csp.js");
+const defaultOptions = {
+  enableUnsafeEval: false
+};
+class CspPlugin {
+  #options = defaultOptions;
+  #htmlWebpackPlugin;
+  /**
+   *
+   * @param htmlWebpackPlugin
+   * @param {object} options Additional options for this module.
+   */
+  constructor(htmlWebpackPlugin, options) {
+    this.#htmlWebpackPlugin = htmlWebpackPlugin;
+    this.#options = { ...this.#options, ...options ?? {} };
+  }
+  /**
+   * Processes HtmlWebpackPlugin's html data by adding the CSP
+   * @param compilation
+   * @param htmlPluginData
+   * @param htmlPluginData.html
+   * @param compileCb
+   * @returns {*}
+   */
+  processCsp(compilation, htmlPluginData, compileCb) {
+    const cspModule = new import_csp.CSP(htmlPluginData.html);
+    cspModule.refactorSourcedScriptsForHashBasedCsp();
+    const scriptHashes = cspModule.hashAllInlineScripts();
+    const { enableUnsafeEval } = this.#options;
+    const strictCsp = import_csp.CSP.getStrictCsp(scriptHashes, {
+      enableUnsafeEval
+    });
+    cspModule.addMetaTag(strictCsp);
+    htmlPluginData.html = cspModule.serializeDom();
+    return compileCb(null, htmlPluginData);
+  }
+  /**
+   * Hooks into webpack to collect assets and hash them, build the policy, and add it into our HTML template
+   * @param compiler
+   */
+  apply(compiler) {
+    compiler.hooks.compilation.tap("CspPlugin", (compilation) => {
+      import_html_webpack_plugin.default.getCompilationHooks(compilation).beforeEmit.tapAsync(
+        "CspPlugin",
+        this.processCsp.bind(this, compilation)
+      );
+    });
+  }
+}

package/dist/cjs/webpack/csp.js

@@ -0,0 +1,158 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var csp_exports = {};
+__export(csp_exports, {
+  CSP: () => CSP
+});
+module.exports = __toCommonJS(csp_exports);
+var crypto = __toESM(require("node:crypto"), 1);
+var cheerio = __toESM(require("cheerio"), 1);
+class CSP {
+  static HASH_FUNCTION = "sha256";
+  static INLINE_SCRIPT_SELECTOR = "script:not([src])";
+  static SOURCED_SCRIPT_SELECTOR = "script[src]";
+  $;
+  constructor(html) {
+    this.$ = cheerio.load(html);
+  }
+  serializeDom() {
+    return this.$.root().html() ?? "";
+  }
+  /**
+   * Returns a strict Content Security Policy for mittigating XSS.
+   * For more details read csp.withgoogle.com.
+   * If you modify this CSP, make sure it has not become trivially bypassable by
+   * checking the policy using csp-evaluator.withgoogle.com.
+   * @param hashes A list of sha-256 hashes of trusted inline scripts.
+   * @param cspOptions
+   * @param enableTrustedTypes If Trusted Types should be enabled for scripts.
+   * @param enableBrowserFallbacks If fallbacks for older browsers should be
+   *   added. This is will not weaken the policy as modern browsers will ignore
+   *   the fallbacks.
+   * @param enableUnsafeEval If you cannot remove all uses of eval(), you can
+   *   still set a strict CSP, but you will have to use the 'unsafe-eval'
+   *   keyword which will make your policy slightly less secure.
+   * @param cspOptions.enableBrowserFallbacks
+   * @param cspOptions.enableTrustedTypes
+   * @param cspOptions.enableUnsafeEval
+   * @returns A strict Content Security Policy string.
+   */
+  static getStrictCsp(hashes, cspOptions = {
+    enableUnsafeEval: false
+  }) {
+    const strictCspTemplate = {
+      // 'strict-dynamic' allows hashed scripts to create new scripts.
+      "script-src": [`'strict-dynamic'`, ...hashes ?? []],
+      // Restricts `object-src` to disable dangerous plugins like Flash.
+      "object-src": [`'none'`],
+      // Restricts `base-uri` to block the injection of `<base>` tags. This
+      // prevents attackers from changing the locations of scripts loaded from
+      // relative URLs.
+      "base-uri": [`'self'`]
+    };
+    if (cspOptions.enableUnsafeEval) {
+      strictCspTemplate["script-src"].push(`'unsafe-eval'`);
+    }
+    return Object.entries(strictCspTemplate).map(([directive, values]) => `${directive} ${values.join(" ")};`).join("");
+  }
+  /**
+   * Enables a CSP via a meta tag at the beginning of the document.
+   * Warning: It's recommended to set CSP as HTTP response header instead of
+   * using a meta tag. Injections before the meta tag will not be covered by CSP
+   * and meta tags don't support CSP in report-only mode.
+   * @param csp A Content Security Policy string.
+   */
+  addMetaTag(csp) {
+    let metaTag = this.$('meta[http-equiv="Content-Security-Policy"]');
+    if (!metaTag.length) {
+      metaTag = cheerio.load('<meta http-equiv="Content-Security-Policy">')(
+        "meta"
+      );
+      metaTag.prependTo(this.$("head"));
+    }
+    metaTag.attr("content", csp);
+  }
+  /**
+   * Replaces all sourced scripts with a single inline script that can be hashed
+   */
+  refactorSourcedScriptsForHashBasedCsp() {
+    const scriptInfoList = this.$(CSP.SOURCED_SCRIPT_SELECTOR).map((i, script) => {
+      const src = this.$(script).attr("src") ?? "";
+      const type = this.$(script).attr("type") ?? "";
+      this.$(script).remove();
+      return { src, type };
+    }).toArray().filter((info) => info.src);
+    const loaderScript = CSP.createLoaderScript(scriptInfoList);
+    if (!loaderScript) {
+      return;
+    }
+    const newScript = cheerio.load("<script>")("script");
+    newScript.text(loaderScript);
+    newScript.appendTo(this.$("body"));
+  }
+  /**
+   * Returns a list of hashes of all inline scripts found in the HTML document.
+   * @returns A list of sha-256 hashes of inline scripts.
+   */
+  hashAllInlineScripts() {
+    return this.$(CSP.INLINE_SCRIPT_SELECTOR).map((i, elem) => CSP.hashInlineScript(this.$(elem).html() ?? "")).get();
+  }
+  /**
+   * Returns JS code for dynamically loading sourced (external) scripts.
+   * @param scriptInfoList A list of objects containing src and type for scripts that should be loaded
+   * @returns JS code for loading scripts.
+   */
+  static createLoaderScript(scriptInfoList) {
+    if (!scriptInfoList.length) {
+      return void 0;
+    }
+    return `
+    var scripts = ${JSON.stringify(scriptInfoList)};
+    scripts.forEach(function(scriptInfo) {
+      var s = document.createElement('script');
+      s.src = scriptInfo.src;
+      if (scriptInfo.type) {
+        s.type = scriptInfo.type;
+      }
+      s.async = false; // preserve execution order.
+      document.body.appendChild(s);
+    });
+    `;
+  }
+  /**
+   * Calculates a CSP compatible hash of an inline script.
+   * @param scriptText Text between opening and closing script tag. Has to
+   *     include whitespaces and newlines!
+   * @returns A sha-256 hash of the script.
+   */
+  static hashInlineScript(scriptText) {
+    const hash = crypto.createHash(CSP.HASH_FUNCTION).update(scriptText, "utf-8").digest("base64");
+    return `'${CSP.HASH_FUNCTION}-${hash}'`;
+  }
+}

package/dist/cjs/webpack/webpack.dev.babel.js

@@ -114,6 +114,9 @@ const devConfig = {
         googleTagManager: (0, import_helpers.isGoogleTagManagerEnabled)()
       }
     }),
+    // new CspPlugin(HtmlWebpackPlugin, {
+    //   enableUnsafeEval: true,
+    // }),
     new import_circular_dependency_plugin.default({
       exclude: /a\.(js|ts|jsx|tsx)|node_modules/,
       // exclude node_modules

package/dist/cjs/webpack/webpack.prod.babel.js

@@ -57,6 +57,7 @@ const getProdConfig = ({ latestVersion = true } = {}) => {
     },
     optimization: {
       moduleIds: "deterministic",
+      realContentHash: false,
       minimizer: [
         new import_esbuild_loader.EsbuildPlugin({
           target: (0, import_browserslist_to_esbuild.default)(),
@@ -140,5 +141,7 @@ const htmlWebpackPlugin = new import_html_webpack_plugin.default({
   }
 });
 const config = (0, import_webpack_base_babel.baseConfig)(getProdConfig());
-if (config.plugins) config.plugins.push(htmlWebpackPlugin);
+if (config.plugins) {
+  config.plugins.push(htmlWebpackPlugin);
+}
 var webpack_prod_babel_default = config;

package/dist/esm/server/middlewares.js

@@ -3,7 +3,6 @@ import cors from "cors";
 import compression from "compression";
 import expressStaticGzip from "express-static-gzip";
 import pinoLogger from "pino-http";
-import { csp, sendFileWithCSPNonce } from "./csp.js";
 import { getPaths } from "../webpack/helpers.js";
 const paths = getPaths();
 const setupDefaultMiddlewares = (app) => {
@@ -19,7 +18,6 @@ const setupDefaultMiddlewares = (app) => {
   app.use(pino);
   app.use(cors());
   app.options("*", cors());
-  csp(app);
   app.use(express.urlencoded({ extended: false }));
   app.use(express.text({ type: "text/plain" }));
   app.use(express.json({ type: "application/json" }));
@@ -27,9 +25,6 @@ const setupDefaultMiddlewares = (app) => {
 const setupAdditionalMiddlewars = (app, options = {}) => {
   const { buildPath = paths.buildPath, basePath = paths.basePath } = options;
   app.use(compression());
-  app.get(basePath, (req, res) => {
-    sendFileWithCSPNonce({ buildPath, res });
-  });
   app.use(
     basePath,
     expressStaticGzip(buildPath, {
@@ -39,10 +34,6 @@ const setupAdditionalMiddlewars = (app, options = {}) => {
     })
   );
   app.use(expressStaticGzip("cdn", {}));
-  app.get(
-    "*",
-    (req, res) => sendFileWithCSPNonce({ buildPath, res })
-  );
   return app;
 };
 export {

package/dist/esm/webpack/csp-plugin.js

@@ -0,0 +1,53 @@
+import HtmlWebpackPlugin from "html-webpack-plugin";
+import { CSP } from "./csp.js";
+const defaultOptions = {
+  enableUnsafeEval: false
+};
+class CspPlugin {
+  #options = defaultOptions;
+  #htmlWebpackPlugin;
+  /**
+   *
+   * @param htmlWebpackPlugin
+   * @param {object} options Additional options for this module.
+   */
+  constructor(htmlWebpackPlugin, options) {
+    this.#htmlWebpackPlugin = htmlWebpackPlugin;
+    this.#options = { ...this.#options, ...options ?? {} };
+  }
+  /**
+   * Processes HtmlWebpackPlugin's html data by adding the CSP
+   * @param compilation
+   * @param htmlPluginData
+   * @param htmlPluginData.html
+   * @param compileCb
+   * @returns {*}
+   */
+  processCsp(compilation, htmlPluginData, compileCb) {
+    const cspModule = new CSP(htmlPluginData.html);
+    cspModule.refactorSourcedScriptsForHashBasedCsp();
+    const scriptHashes = cspModule.hashAllInlineScripts();
+    const { enableUnsafeEval } = this.#options;
+    const strictCsp = CSP.getStrictCsp(scriptHashes, {
+      enableUnsafeEval
+    });
+    cspModule.addMetaTag(strictCsp);
+    htmlPluginData.html = cspModule.serializeDom();
+    return compileCb(null, htmlPluginData);
+  }
+  /**
+   * Hooks into webpack to collect assets and hash them, build the policy, and add it into our HTML template
+   * @param compiler
+   */
+  apply(compiler) {
+    compiler.hooks.compilation.tap("CspPlugin", (compilation) => {
+      HtmlWebpackPlugin.getCompilationHooks(compilation).beforeEmit.tapAsync(
+        "CspPlugin",
+        this.processCsp.bind(this, compilation)
+      );
+    });
+  }
+}
+export {
+  CspPlugin
+};

package/dist/esm/webpack/csp.js

@@ -0,0 +1,128 @@
+import * as crypto from "node:crypto";
+import * as cheerio from "cheerio";
+class CSP {
+  static HASH_FUNCTION = "sha256";
+  static INLINE_SCRIPT_SELECTOR = "script:not([src])";
+  static SOURCED_SCRIPT_SELECTOR = "script[src]";
+  $;
+  constructor(html) {
+    this.$ = cheerio.load(html);
+  }
+  serializeDom() {
+    return this.$.root().html() ?? "";
+  }
+  /**
+   * Returns a strict Content Security Policy for mittigating XSS.
+   * For more details read csp.withgoogle.com.
+   * If you modify this CSP, make sure it has not become trivially bypassable by
+   * checking the policy using csp-evaluator.withgoogle.com.
+   * @param hashes A list of sha-256 hashes of trusted inline scripts.
+   * @param cspOptions
+   * @param enableTrustedTypes If Trusted Types should be enabled for scripts.
+   * @param enableBrowserFallbacks If fallbacks for older browsers should be
+   *   added. This is will not weaken the policy as modern browsers will ignore
+   *   the fallbacks.
+   * @param enableUnsafeEval If you cannot remove all uses of eval(), you can
+   *   still set a strict CSP, but you will have to use the 'unsafe-eval'
+   *   keyword which will make your policy slightly less secure.
+   * @param cspOptions.enableBrowserFallbacks
+   * @param cspOptions.enableTrustedTypes
+   * @param cspOptions.enableUnsafeEval
+   * @returns A strict Content Security Policy string.
+   */
+  static getStrictCsp(hashes, cspOptions = {
+    enableUnsafeEval: false
+  }) {
+    const strictCspTemplate = {
+      // 'strict-dynamic' allows hashed scripts to create new scripts.
+      "script-src": [`'strict-dynamic'`, ...hashes ?? []],
+      // Restricts `object-src` to disable dangerous plugins like Flash.
+      "object-src": [`'none'`],
+      // Restricts `base-uri` to block the injection of `<base>` tags. This
+      // prevents attackers from changing the locations of scripts loaded from
+      // relative URLs.
+      "base-uri": [`'self'`]
+    };
+    if (cspOptions.enableUnsafeEval) {
+      strictCspTemplate["script-src"].push(`'unsafe-eval'`);
+    }
+    return Object.entries(strictCspTemplate).map(([directive, values]) => `${directive} ${values.join(" ")};`).join("");
+  }
+  /**
+   * Enables a CSP via a meta tag at the beginning of the document.
+   * Warning: It's recommended to set CSP as HTTP response header instead of
+   * using a meta tag. Injections before the meta tag will not be covered by CSP
+   * and meta tags don't support CSP in report-only mode.
+   * @param csp A Content Security Policy string.
+   */
+  addMetaTag(csp) {
+    let metaTag = this.$('meta[http-equiv="Content-Security-Policy"]');
+    if (!metaTag.length) {
+      metaTag = cheerio.load('<meta http-equiv="Content-Security-Policy">')(
+        "meta"
+      );
+      metaTag.prependTo(this.$("head"));
+    }
+    metaTag.attr("content", csp);
+  }
+  /**
+   * Replaces all sourced scripts with a single inline script that can be hashed
+   */
+  refactorSourcedScriptsForHashBasedCsp() {
+    const scriptInfoList = this.$(CSP.SOURCED_SCRIPT_SELECTOR).map((i, script) => {
+      const src = this.$(script).attr("src") ?? "";
+      const type = this.$(script).attr("type") ?? "";
+      this.$(script).remove();
+      return { src, type };
+    }).toArray().filter((info) => info.src);
+    const loaderScript = CSP.createLoaderScript(scriptInfoList);
+    if (!loaderScript) {
+      return;
+    }
+    const newScript = cheerio.load("<script>")("script");
+    newScript.text(loaderScript);
+    newScript.appendTo(this.$("body"));
+  }
+  /**
+   * Returns a list of hashes of all inline scripts found in the HTML document.
+   * @returns A list of sha-256 hashes of inline scripts.
+   */
+  hashAllInlineScripts() {
+    return this.$(CSP.INLINE_SCRIPT_SELECTOR).map((i, elem) => CSP.hashInlineScript(this.$(elem).html() ?? "")).get();
+  }
+  /**
+   * Returns JS code for dynamically loading sourced (external) scripts.
+   * @param scriptInfoList A list of objects containing src and type for scripts that should be loaded
+   * @returns JS code for loading scripts.
+   */
+  static createLoaderScript(scriptInfoList) {
+    if (!scriptInfoList.length) {
+      return void 0;
+    }
+    return `
+    var scripts = ${JSON.stringify(scriptInfoList)};
+    scripts.forEach(function(scriptInfo) {
+      var s = document.createElement('script');
+      s.src = scriptInfo.src;
+      if (scriptInfo.type) {
+        s.type = scriptInfo.type;
+      }
+      s.async = false; // preserve execution order.
+      document.body.appendChild(s);
+    });
+    `;
+  }
+  /**
+   * Calculates a CSP compatible hash of an inline script.
+   * @param scriptText Text between opening and closing script tag. Has to
+   *     include whitespaces and newlines!
+   * @returns A sha-256 hash of the script.
+   */
+  static hashInlineScript(scriptText) {
+    const hash = crypto.createHash(CSP.HASH_FUNCTION).update(scriptText, "utf-8").digest("base64");
+    return `'${CSP.HASH_FUNCTION}-${hash}'`;
+  }
+}
+export {
+  CSP
+};

package/dist/esm/webpack/webpack.dev.babel.js

@@ -84,6 +84,9 @@ const devConfig = {
         googleTagManager: isGoogleTagManagerEnabled()
       }
     }),
+    // new CspPlugin(HtmlWebpackPlugin, {
+    //   enableUnsafeEval: true,
+    // }),
     new CircularDependencyPlugin({
       exclude: /a\.(js|ts|jsx|tsx)|node_modules/,
       // exclude node_modules

package/dist/esm/webpack/webpack.prod.babel.js

@@ -29,6 +29,7 @@ const getProdConfig = ({ latestVersion = true } = {}) => {
     },
     optimization: {
       moduleIds: "deterministic",
+      realContentHash: false,
       minimizer: [
         new EsbuildPlugin({
           target: browserslistToEsbuild(),
@@ -112,7 +113,9 @@ const htmlWebpackPlugin = new HtmlWebpackPlugin({
   }
 });
 const config = baseConfig(getProdConfig());
-if (config.plugins) config.plugins.push(htmlWebpackPlugin);
+if (config.plugins) {
+  config.plugins.push(htmlWebpackPlugin);
+}
 var webpack_prod_babel_default = config;
 export {
   webpack_prod_babel_default as default

package/dist/types/lib/webpack/csp-plugin.d.ts

@@ -0,0 +1,34 @@
+import webpack from 'webpack';
+import HtmlWebpackPlugin from 'html-webpack-plugin';
+type HTMLWebpackPluginData = {
+    html: string;
+    outputName: string;
+    plugin: HtmlWebpackPlugin;
+};
+declare const defaultOptions: {
+    enableUnsafeEval: boolean;
+};
+declare class CspPlugin {
+    #private;
+    /**
+     *
+     * @param htmlWebpackPlugin
+     * @param {object} options Additional options for this module.
+     */
+    constructor(htmlWebpackPlugin: typeof HtmlWebpackPlugin, options?: typeof defaultOptions);
+    /**
+     * Processes HtmlWebpackPlugin's html data by adding the CSP
+     * @param compilation
+     * @param htmlPluginData
+     * @param htmlPluginData.html
+     * @param compileCb
+     * @returns {*}
+     */
+    processCsp(compilation: webpack.Compilation, htmlPluginData: HTMLWebpackPluginData, compileCb: (err: Error | null, htmlPluginData: HTMLWebpackPluginData) => void): void;
+    /**
+     * Hooks into webpack to collect assets and hash them, build the policy, and add it into our HTML template
+     * @param compiler
+     */
+    apply(compiler: webpack.Compiler): void;
+}
+export { CspPlugin };

package/dist/types/lib/webpack/csp.d.ts

@@ -0,0 +1,65 @@
+/** Module for enabling a hash-based strict Content Security Policy. */
+declare class CSP {
+    private static readonly HASH_FUNCTION;
+    private static readonly INLINE_SCRIPT_SELECTOR;
+    private static readonly SOURCED_SCRIPT_SELECTOR;
+    private $;
+    constructor(html: string);
+    serializeDom(): string;
+    /**
+     * Returns a strict Content Security Policy for mittigating XSS.
+     * For more details read csp.withgoogle.com.
+     * If you modify this CSP, make sure it has not become trivially bypassable by
+     * checking the policy using csp-evaluator.withgoogle.com.
+     * @param hashes A list of sha-256 hashes of trusted inline scripts.
+     * @param cspOptions
+     * @param enableTrustedTypes If Trusted Types should be enabled for scripts.
+     * @param enableBrowserFallbacks If fallbacks for older browsers should be
+     *   added. This is will not weaken the policy as modern browsers will ignore
+     *   the fallbacks.
+     * @param enableUnsafeEval If you cannot remove all uses of eval(), you can
+     *   still set a strict CSP, but you will have to use the 'unsafe-eval'
+     *   keyword which will make your policy slightly less secure.
+     * @param cspOptions.enableBrowserFallbacks
+     * @param cspOptions.enableTrustedTypes
+     * @param cspOptions.enableUnsafeEval
+     * @returns A strict Content Security Policy string.
+     */
+    static getStrictCsp(hashes?: string[], cspOptions?: {
+        enableUnsafeEval?: boolean;
+    }): string;
+    /**
+     * Enables a CSP via a meta tag at the beginning of the document.
+     * Warning: It's recommended to set CSP as HTTP response header instead of
+     * using a meta tag. Injections before the meta tag will not be covered by CSP
+     * and meta tags don't support CSP in report-only mode.
+     * @param csp A Content Security Policy string.
+     */
+    addMetaTag(csp: string): void;
+    /**
+     * Replaces all sourced scripts with a single inline script that can be hashed
+     */
+    refactorSourcedScriptsForHashBasedCsp(): void;
+    /**
+     * Returns a list of hashes of all inline scripts found in the HTML document.
+     * @returns A list of sha-256 hashes of inline scripts.
+     */
+    hashAllInlineScripts(): string[];
+    /**
+     * Returns JS code for dynamically loading sourced (external) scripts.
+     * @param scriptInfoList A list of objects containing src and type for scripts that should be loaded
+     * @returns JS code for loading scripts.
+     */
+    static createLoaderScript(scriptInfoList: {
+        src: string;
+        type?: string;
+    }[]): string | undefined;
+    /**
+     * Calculates a CSP compatible hash of an inline script.
+     * @param scriptText Text between opening and closing script tag. Has to
+     *     include whitespaces and newlines!
+     * @returns A sha-256 hash of the script.
+     */
+    static hashInlineScript(scriptText: string): string;
+}
+export { CSP };