@elliemae/pui-cli 8.40.3 → 8.41.1

package/dist/cjs/server/csp.js

@@ -39,7 +39,6 @@ var import_express = __toESM(require("express"), 1);
 var import_helmet = __toESM(require("helmet"), 1);
 const CSP_REPORT_URI = "/diagnostics/v1/csp";
 const sources = [
-  "'self'",
   "http://localhost:*",
   "https://localhost:*",
   "ws://localhost:*",
@@ -47,12 +46,7 @@ const sources = [
   "*.elliemae.io",
   "*.elliemae.com",
   "*.ellieservices.com",
-  "*.ellielabs.com",
-  "https://cdn.appdynamics.com",
-  "http://pdx-col.eum-appdynamics.com",
-  "https://pdx-col.eum-appdynamics.com/",
-  "https://www.google-analytics.com",
-  "https://www.googletagmanager.com"
+  "*.ellielabs.com"
 ];
 const sendFileWithCSPNonce = ({
   buildPath,
@@ -72,7 +66,7 @@ const sendFileWithCSPNonce = ({
 };
 const getScriptSrc = () => {
   const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
-  const scriptSrc = sources.concat([source]);
+  const scriptSrc = [source, "strict-dynamic"];
   return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
 };
 const csp = (app) => {
@@ -84,24 +78,14 @@ const csp = (app) => {
     (0, import_helmet.default)({
       contentSecurityPolicy: {
         directives: {
-          baseUri: ["'self'"],
-          connectSrc: sources,
-          defaultSrc: ["'self'"],
-          fontSrc: sources.concat(["data:"]),
-          formAction: ["'self'"],
+          baseUri: ["'none'"],
           frameAncestors: sources,
-          frameSrc: sources,
-          imgSrc: sources.concat(["data:"]),
           objectSrc: ["'none'"],
           scriptSrc: getScriptSrc(),
-          scriptSrcAttr: ["'none'"],
-          styleSrc: sources.concat(["'unsafe-inline'"]),
-          workerSrc: sources,
           upgradeInsecureRequests: [],
-          reportUri: CSP_REPORT_URI,
           reportTo: CSP_REPORT_URI
         },
-        reportOnly: true
+        reportOnly: process.env.CSP_REPORT_ONLY !== "false"
       },
       xFrameOptions: false,
       xPermittedCrossDomainPolicies: false,

package/dist/cjs/server/middlewares.js

@@ -54,6 +54,11 @@ const setupDefaultMiddlewares = (app) => {
   app.use((0, import_cors.default)());
   app.options("*", (0, import_cors.default)());
   (0, import_csp.csp)(app);
+  app.set("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
+  app.set(
+    "Permissions-Policy",
+    "geolocation=(), camera=(), microphone=(), interest-cohort=()"
+  );
   app.use(import_express.default.urlencoded({ extended: false }));
   app.use(import_express.default.text({ type: "text/plain" }));
   app.use(import_express.default.json({ type: "application/json" }));

package/dist/cjs/webpack/csp-plugin.js

@@ -0,0 +1,83 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var csp_plugin_exports = {};
+__export(csp_plugin_exports, {
+  CspPlugin: () => CspPlugin
+});
+module.exports = __toCommonJS(csp_plugin_exports);
+var import_html_webpack_plugin = __toESM(require("html-webpack-plugin"), 1);
+var import_csp = require("./csp.js");
+const defaultOptions = {
+  enableUnsafeEval: false
+};
+class CspPlugin {
+  #options = defaultOptions;
+  #htmlWebpackPlugin;
+  /**
+   *
+   * @param htmlWebpackPlugin
+   * @param {object} options Additional options for this module.
+   */
+  constructor(htmlWebpackPlugin, options) {
+    this.#htmlWebpackPlugin = htmlWebpackPlugin;
+    this.#options = { ...this.#options, ...options ?? {} };
+  }
+  /**
+   * Processes HtmlWebpackPlugin's html data by adding the CSP
+   * @param compilation
+   * @param htmlPluginData
+   * @param htmlPluginData.html
+   * @param compileCb
+   * @returns {*}
+   */
+  processCsp(compilation, htmlPluginData, compileCb) {
+    const cspModule = new import_csp.CSP(htmlPluginData.html);
+    cspModule.refactorSourcedScriptsForHashBasedCsp();
+    const scriptHashes = cspModule.hashAllInlineScripts();
+    const { enableUnsafeEval } = this.#options;
+    const strictCsp = import_csp.CSP.getStrictCsp(scriptHashes, {
+      enableUnsafeEval
+    });
+    cspModule.addMetaTag(strictCsp);
+    htmlPluginData.html = cspModule.serializeDom();
+    return compileCb(null, htmlPluginData);
+  }
+  /**
+   * Hooks into webpack to collect assets and hash them, build the policy, and add it into our HTML template
+   * @param compiler
+   */
+  apply(compiler) {
+    compiler.hooks.compilation.tap("CspPlugin", (compilation) => {
+      import_html_webpack_plugin.default.getCompilationHooks(compilation).beforeEmit.tapAsync(
+        "CspPlugin",
+        this.processCsp.bind(this, compilation)
+      );
+    });
+  }
+}

package/dist/cjs/webpack/csp.js

@@ -0,0 +1,158 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var csp_exports = {};
+__export(csp_exports, {
+  CSP: () => CSP
+});
+module.exports = __toCommonJS(csp_exports);
+var crypto = __toESM(require("node:crypto"), 1);
+var cheerio = __toESM(require("cheerio"), 1);
+class CSP {
+  static HASH_FUNCTION = "sha256";
+  static INLINE_SCRIPT_SELECTOR = "script:not([src])";
+  static SOURCED_SCRIPT_SELECTOR = "script[src]";
+  $;
+  constructor(html) {
+    this.$ = cheerio.load(html);
+  }
+  serializeDom() {
+    return this.$.root().html() ?? "";
+  }
+  /**
+   * Returns a strict Content Security Policy for mittigating XSS.
+   * For more details read csp.withgoogle.com.
+   * If you modify this CSP, make sure it has not become trivially bypassable by
+   * checking the policy using csp-evaluator.withgoogle.com.
+   * @param hashes A list of sha-256 hashes of trusted inline scripts.
+   * @param cspOptions
+   * @param enableTrustedTypes If Trusted Types should be enabled for scripts.
+   * @param enableBrowserFallbacks If fallbacks for older browsers should be
+   *   added. This is will not weaken the policy as modern browsers will ignore
+   *   the fallbacks.
+   * @param enableUnsafeEval If you cannot remove all uses of eval(), you can
+   *   still set a strict CSP, but you will have to use the 'unsafe-eval'
+   *   keyword which will make your policy slightly less secure.
+   * @param cspOptions.enableBrowserFallbacks
+   * @param cspOptions.enableTrustedTypes
+   * @param cspOptions.enableUnsafeEval
+   * @returns A strict Content Security Policy string.
+   */
+  static getStrictCsp(hashes, cspOptions = {
+    enableUnsafeEval: false
+  }) {
+    const strictCspTemplate = {
+      // 'strict-dynamic' allows hashed scripts to create new scripts.
+      "script-src": [`'strict-dynamic'`, ...hashes ?? []],
+      // Restricts `object-src` to disable dangerous plugins like Flash.
+      "object-src": [`'none'`],
+      // Restricts `base-uri` to block the injection of `<base>` tags. This
+      // prevents attackers from changing the locations of scripts loaded from
+      // relative URLs.
+      "base-uri": [`'self'`]
+    };
+    if (cspOptions.enableUnsafeEval) {
+      strictCspTemplate["script-src"].push(`'unsafe-eval'`);
+    }
+    return Object.entries(strictCspTemplate).map(([directive, values]) => `${directive} ${values.join(" ")};`).join("");
+  }
+  /**
+   * Enables a CSP via a meta tag at the beginning of the document.
+   * Warning: It's recommended to set CSP as HTTP response header instead of
+   * using a meta tag. Injections before the meta tag will not be covered by CSP
+   * and meta tags don't support CSP in report-only mode.
+   * @param csp A Content Security Policy string.
+   */
+  addMetaTag(csp) {
+    let metaTag = this.$('meta[http-equiv="Content-Security-Policy"]');
+    if (!metaTag.length) {
+      metaTag = cheerio.load('<meta http-equiv="Content-Security-Policy">')(
+        "meta"
+      );
+      metaTag.prependTo(this.$("head"));
+    }
+    metaTag.attr("content", csp);
+  }
+  /**
+   * Replaces all sourced scripts with a single inline script that can be hashed
+   */
+  refactorSourcedScriptsForHashBasedCsp() {
+    const scriptInfoList = this.$(CSP.SOURCED_SCRIPT_SELECTOR).map((i, script) => {
+      const src = this.$(script).attr("src") ?? "";
+      const type = this.$(script).attr("type") ?? "";
+      this.$(script).remove();
+      return { src, type };
+    }).toArray().filter((info) => info.src);
+    const loaderScript = CSP.createLoaderScript(scriptInfoList);
+    if (!loaderScript) {
+      return;
+    }
+    const newScript = cheerio.load("<script>")("script");
+    newScript.text(loaderScript);
+    newScript.appendTo(this.$("body"));
+  }
+  /**
+   * Returns a list of hashes of all inline scripts found in the HTML document.
+   * @returns A list of sha-256 hashes of inline scripts.
+   */
+  hashAllInlineScripts() {
+    return this.$(CSP.INLINE_SCRIPT_SELECTOR).map((i, elem) => CSP.hashInlineScript(this.$(elem).html() ?? "")).get();
+  }
+  /**
+   * Returns JS code for dynamically loading sourced (external) scripts.
+   * @param scriptInfoList A list of objects containing src and type for scripts that should be loaded
+   * @returns JS code for loading scripts.
+   */
+  static createLoaderScript(scriptInfoList) {
+    if (!scriptInfoList.length) {
+      return void 0;
+    }
+    return `
+    var scripts = ${JSON.stringify(scriptInfoList)};
+    scripts.forEach(function(scriptInfo) {
+      var s = document.createElement('script');
+      s.src = scriptInfo.src;
+      if (scriptInfo.type) {
+        s.type = scriptInfo.type;
+      }
+      s.async = false; // preserve execution order.
+      document.body.appendChild(s);
+    });
+    `;
+  }
+  /**
+   * Calculates a CSP compatible hash of an inline script.
+   * @param scriptText Text between opening and closing script tag. Has to
+   *     include whitespaces and newlines!
+   * @returns A sha-256 hash of the script.
+   */
+  static hashInlineScript(scriptText) {
+    const hash = crypto.createHash(CSP.HASH_FUNCTION).update(scriptText, "utf-8").digest("base64");
+    return `'${CSP.HASH_FUNCTION}-${hash}'`;
+  }
+}

package/dist/cjs/webpack/webpack.dev.babel.js

@@ -114,6 +114,9 @@ const devConfig = {
         googleTagManager: (0, import_helpers.isGoogleTagManagerEnabled)()
       }
     }),
+    // new CspPlugin(HtmlWebpackPlugin, {
+    //   enableUnsafeEval: true,
+    // }),
     new import_circular_dependency_plugin.default({
       exclude: /a\.(js|ts|jsx|tsx)|node_modules/,
       // exclude node_modules

package/dist/cjs/webpack/webpack.prod.babel.js

@@ -57,6 +57,7 @@ const getProdConfig = ({ latestVersion = true } = {}) => {
     },
     optimization: {
       moduleIds: "deterministic",
+      // realContentHash: false,
       minimizer: [
         new import_esbuild_loader.EsbuildPlugin({
           target: (0, import_browserslist_to_esbuild.default)(),
@@ -140,5 +141,7 @@ const htmlWebpackPlugin = new import_html_webpack_plugin.default({
   }
 });
 const config = (0, import_webpack_base_babel.baseConfig)(getProdConfig());
-if (config.plugins) config.plugins.push(htmlWebpackPlugin);
+if (config.plugins) {
+  config.plugins.push(htmlWebpackPlugin);
+}
 var webpack_prod_babel_default = config;

package/dist/esm/server/csp.js

@@ -5,7 +5,6 @@ import express from "express";
 import helmet from "helmet";
 const CSP_REPORT_URI = "/diagnostics/v1/csp";
 const sources = [
-  "'self'",
   "http://localhost:*",
   "https://localhost:*",
   "ws://localhost:*",
@@ -13,12 +12,7 @@ const sources = [
   "*.elliemae.io",
   "*.elliemae.com",
   "*.ellieservices.com",
-  "*.ellielabs.com",
-  "https://cdn.appdynamics.com",
-  "http://pdx-col.eum-appdynamics.com",
-  "https://pdx-col.eum-appdynamics.com/",
-  "https://www.google-analytics.com",
-  "https://www.googletagmanager.com"
+  "*.ellielabs.com"
 ];
 const sendFileWithCSPNonce = ({
   buildPath,
@@ -38,7 +32,7 @@ const sendFileWithCSPNonce = ({
 };
 const getScriptSrc = () => {
   const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
-  const scriptSrc = sources.concat([source]);
+  const scriptSrc = [source, "strict-dynamic"];
   return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
 };
 const csp = (app) => {
@@ -50,24 +44,14 @@ const csp = (app) => {
     helmet({
       contentSecurityPolicy: {
         directives: {
-          baseUri: ["'self'"],
-          connectSrc: sources,
-          defaultSrc: ["'self'"],
-          fontSrc: sources.concat(["data:"]),
-          formAction: ["'self'"],
+          baseUri: ["'none'"],
           frameAncestors: sources,
-          frameSrc: sources,
-          imgSrc: sources.concat(["data:"]),
           objectSrc: ["'none'"],
           scriptSrc: getScriptSrc(),
-          scriptSrcAttr: ["'none'"],
-          styleSrc: sources.concat(["'unsafe-inline'"]),
-          workerSrc: sources,
           upgradeInsecureRequests: [],
-          reportUri: CSP_REPORT_URI,
           reportTo: CSP_REPORT_URI
         },
-        reportOnly: true
+        reportOnly: process.env.CSP_REPORT_ONLY !== "false"
       },
       xFrameOptions: false,
       xPermittedCrossDomainPolicies: false,

package/dist/esm/server/middlewares.js

@@ -20,6 +20,11 @@ const setupDefaultMiddlewares = (app) => {
   app.use(cors());
   app.options("*", cors());
   csp(app);
+  app.set("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
+  app.set(
+    "Permissions-Policy",
+    "geolocation=(), camera=(), microphone=(), interest-cohort=()"
+  );
   app.use(express.urlencoded({ extended: false }));
   app.use(express.text({ type: "text/plain" }));
   app.use(express.json({ type: "application/json" }));

package/dist/esm/webpack/csp-plugin.js

@@ -0,0 +1,53 @@
+import HtmlWebpackPlugin from "html-webpack-plugin";
+import { CSP } from "./csp.js";
+const defaultOptions = {
+  enableUnsafeEval: false
+};
+class CspPlugin {
+  #options = defaultOptions;
+  #htmlWebpackPlugin;
+  /**
+   *
+   * @param htmlWebpackPlugin
+   * @param {object} options Additional options for this module.
+   */
+  constructor(htmlWebpackPlugin, options) {
+    this.#htmlWebpackPlugin = htmlWebpackPlugin;
+    this.#options = { ...this.#options, ...options ?? {} };
+  }
+  /**
+   * Processes HtmlWebpackPlugin's html data by adding the CSP
+   * @param compilation
+   * @param htmlPluginData
+   * @param htmlPluginData.html
+   * @param compileCb
+   * @returns {*}
+   */
+  processCsp(compilation, htmlPluginData, compileCb) {
+    const cspModule = new CSP(htmlPluginData.html);
+    cspModule.refactorSourcedScriptsForHashBasedCsp();
+    const scriptHashes = cspModule.hashAllInlineScripts();
+    const { enableUnsafeEval } = this.#options;
+    const strictCsp = CSP.getStrictCsp(scriptHashes, {
+      enableUnsafeEval
+    });
+    cspModule.addMetaTag(strictCsp);
+    htmlPluginData.html = cspModule.serializeDom();
+    return compileCb(null, htmlPluginData);
+  }
+  /**
+   * Hooks into webpack to collect assets and hash them, build the policy, and add it into our HTML template
+   * @param compiler
+   */
+  apply(compiler) {
+    compiler.hooks.compilation.tap("CspPlugin", (compilation) => {
+      HtmlWebpackPlugin.getCompilationHooks(compilation).beforeEmit.tapAsync(
+        "CspPlugin",
+        this.processCsp.bind(this, compilation)
+      );
+    });
+  }
+}
+export {
+  CspPlugin
+};

package/dist/esm/webpack/csp.js

@@ -0,0 +1,128 @@
+import * as crypto from "node:crypto";
+import * as cheerio from "cheerio";
+class CSP {
+  static HASH_FUNCTION = "sha256";
+  static INLINE_SCRIPT_SELECTOR = "script:not([src])";
+  static SOURCED_SCRIPT_SELECTOR = "script[src]";
+  $;
+  constructor(html) {
+    this.$ = cheerio.load(html);
+  }
+  serializeDom() {
+    return this.$.root().html() ?? "";
+  }
+  /**
+   * Returns a strict Content Security Policy for mittigating XSS.
+   * For more details read csp.withgoogle.com.
+   * If you modify this CSP, make sure it has not become trivially bypassable by
+   * checking the policy using csp-evaluator.withgoogle.com.
+   * @param hashes A list of sha-256 hashes of trusted inline scripts.
+   * @param cspOptions
+   * @param enableTrustedTypes If Trusted Types should be enabled for scripts.
+   * @param enableBrowserFallbacks If fallbacks for older browsers should be
+   *   added. This is will not weaken the policy as modern browsers will ignore
+   *   the fallbacks.
+   * @param enableUnsafeEval If you cannot remove all uses of eval(), you can
+   *   still set a strict CSP, but you will have to use the 'unsafe-eval'
+   *   keyword which will make your policy slightly less secure.
+   * @param cspOptions.enableBrowserFallbacks
+   * @param cspOptions.enableTrustedTypes
+   * @param cspOptions.enableUnsafeEval
+   * @returns A strict Content Security Policy string.
+   */
+  static getStrictCsp(hashes, cspOptions = {
+    enableUnsafeEval: false
+  }) {
+    const strictCspTemplate = {
+      // 'strict-dynamic' allows hashed scripts to create new scripts.
+      "script-src": [`'strict-dynamic'`, ...hashes ?? []],
+      // Restricts `object-src` to disable dangerous plugins like Flash.
+      "object-src": [`'none'`],
+      // Restricts `base-uri` to block the injection of `<base>` tags. This
+      // prevents attackers from changing the locations of scripts loaded from
+      // relative URLs.
+      "base-uri": [`'self'`]
+    };
+    if (cspOptions.enableUnsafeEval) {
+      strictCspTemplate["script-src"].push(`'unsafe-eval'`);
+    }
+    return Object.entries(strictCspTemplate).map(([directive, values]) => `${directive} ${values.join(" ")};`).join("");
+  }
+  /**
+   * Enables a CSP via a meta tag at the beginning of the document.
+   * Warning: It's recommended to set CSP as HTTP response header instead of
+   * using a meta tag. Injections before the meta tag will not be covered by CSP
+   * and meta tags don't support CSP in report-only mode.
+   * @param csp A Content Security Policy string.
+   */
+  addMetaTag(csp) {
+    let metaTag = this.$('meta[http-equiv="Content-Security-Policy"]');
+    if (!metaTag.length) {
+      metaTag = cheerio.load('<meta http-equiv="Content-Security-Policy">')(
+        "meta"
+      );
+      metaTag.prependTo(this.$("head"));
+    }
+    metaTag.attr("content", csp);
+  }
+  /**
+   * Replaces all sourced scripts with a single inline script that can be hashed
+   */
+  refactorSourcedScriptsForHashBasedCsp() {
+    const scriptInfoList = this.$(CSP.SOURCED_SCRIPT_SELECTOR).map((i, script) => {
+      const src = this.$(script).attr("src") ?? "";
+      const type = this.$(script).attr("type") ?? "";
+      this.$(script).remove();
+      return { src, type };
+    }).toArray().filter((info) => info.src);
+    const loaderScript = CSP.createLoaderScript(scriptInfoList);
+    if (!loaderScript) {
+      return;
+    }
+    const newScript = cheerio.load("<script>")("script");
+    newScript.text(loaderScript);
+    newScript.appendTo(this.$("body"));
+  }
+  /**
+   * Returns a list of hashes of all inline scripts found in the HTML document.
+   * @returns A list of sha-256 hashes of inline scripts.
+   */
+  hashAllInlineScripts() {
+    return this.$(CSP.INLINE_SCRIPT_SELECTOR).map((i, elem) => CSP.hashInlineScript(this.$(elem).html() ?? "")).get();
+  }
+  /**
+   * Returns JS code for dynamically loading sourced (external) scripts.
+   * @param scriptInfoList A list of objects containing src and type for scripts that should be loaded
+   * @returns JS code for loading scripts.
+   */
+  static createLoaderScript(scriptInfoList) {
+    if (!scriptInfoList.length) {
+      return void 0;
+    }
+    return `
+    var scripts = ${JSON.stringify(scriptInfoList)};
+    scripts.forEach(function(scriptInfo) {
+      var s = document.createElement('script');
+      s.src = scriptInfo.src;
+      if (scriptInfo.type) {
+        s.type = scriptInfo.type;
+      }
+      s.async = false; // preserve execution order.
+      document.body.appendChild(s);
+    });
+    `;
+  }
+  /**
+   * Calculates a CSP compatible hash of an inline script.
+   * @param scriptText Text between opening and closing script tag. Has to
+   *     include whitespaces and newlines!
+   * @returns A sha-256 hash of the script.
+   */
+  static hashInlineScript(scriptText) {
+    const hash = crypto.createHash(CSP.HASH_FUNCTION).update(scriptText, "utf-8").digest("base64");
+    return `'${CSP.HASH_FUNCTION}-${hash}'`;
+  }
+}
+export {
+  CSP
+};

package/dist/esm/webpack/webpack.dev.babel.js

@@ -84,6 +84,9 @@ const devConfig = {
         googleTagManager: isGoogleTagManagerEnabled()
       }
     }),
+    // new CspPlugin(HtmlWebpackPlugin, {
+    //   enableUnsafeEval: true,
+    // }),
     new CircularDependencyPlugin({
       exclude: /a\.(js|ts|jsx|tsx)|node_modules/,
       // exclude node_modules

package/dist/esm/webpack/webpack.prod.babel.js

@@ -29,6 +29,7 @@ const getProdConfig = ({ latestVersion = true } = {}) => {
     },
     optimization: {
       moduleIds: "deterministic",
+      // realContentHash: false,
       minimizer: [
         new EsbuildPlugin({
           target: browserslistToEsbuild(),
@@ -112,7 +113,9 @@ const htmlWebpackPlugin = new HtmlWebpackPlugin({
   }
 });
 const config = baseConfig(getProdConfig());
-if (config.plugins) config.plugins.push(htmlWebpackPlugin);
+if (config.plugins) {
+  config.plugins.push(htmlWebpackPlugin);
+}
 var webpack_prod_babel_default = config;
 export {
   webpack_prod_babel_default as default

package/dist/types/lib/webpack/csp-plugin.d.ts

@@ -0,0 +1,34 @@
+import webpack from 'webpack';
+import HtmlWebpackPlugin from 'html-webpack-plugin';
+type HTMLWebpackPluginData = {
+    html: string;
+    outputName: string;
+    plugin: HtmlWebpackPlugin;
+};
+declare const defaultOptions: {
+    enableUnsafeEval: boolean;
+};
+declare class CspPlugin {
+    #private;
+    /**
+     *
+     * @param htmlWebpackPlugin
+     * @param {object} options Additional options for this module.
+     */
+    constructor(htmlWebpackPlugin: typeof HtmlWebpackPlugin, options?: typeof defaultOptions);
+    /**
+     * Processes HtmlWebpackPlugin's html data by adding the CSP
+     * @param compilation
+     * @param htmlPluginData
+     * @param htmlPluginData.html
+     * @param compileCb
+     * @returns {*}
+     */
+    processCsp(compilation: webpack.Compilation, htmlPluginData: HTMLWebpackPluginData, compileCb: (err: Error | null, htmlPluginData: HTMLWebpackPluginData) => void): void;
+    /**
+     * Hooks into webpack to collect assets and hash them, build the policy, and add it into our HTML template
+     * @param compiler
+     */
+    apply(compiler: webpack.Compiler): void;
+}
+export { CspPlugin };