@localnerve/csp-hashes 1.0.2 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +6 -0
- package/dist/index.mjs +1 -1
- package/dist/lib/index.js +37 -26
- package/dist/lib/removeCspMeta.js +35 -0
- package/package.json +2 -3
- package/readme.md +26 -1
package/dist/index.js
CHANGED
|
@@ -15,4 +15,10 @@ Object.defineProperty(exports, "hashstream", {
|
|
|
15
15
|
return _index.hashstream;
|
|
16
16
|
}
|
|
17
17
|
});
|
|
18
|
+
Object.defineProperty(exports, "removeCspMeta", {
|
|
19
|
+
enumerable: true,
|
|
20
|
+
get: function () {
|
|
21
|
+
return _index.removeCspMeta;
|
|
22
|
+
}
|
|
23
|
+
});
|
|
18
24
|
var _index = require("./lib/index.js");
|
package/dist/index.mjs
CHANGED
package/dist/lib/index.js
CHANGED
|
@@ -4,9 +4,16 @@ Object.defineProperty(exports, "__esModule", {
|
|
|
4
4
|
value: true
|
|
5
5
|
});
|
|
6
6
|
exports.default = exports.hashstream = hashstream;
|
|
7
|
-
|
|
8
|
-
|
|
7
|
+
Object.defineProperty(exports, "removeCspMeta", {
|
|
8
|
+
enumerable: true,
|
|
9
|
+
get: function () {
|
|
10
|
+
return _removeCspMeta.removeCspMeta;
|
|
11
|
+
}
|
|
12
|
+
});
|
|
13
|
+
var _stream = require("stream");
|
|
9
14
|
var _crypto = _interopRequireDefault(require("crypto"));
|
|
15
|
+
var _cheerio = _interopRequireDefault(require("cheerio"));
|
|
16
|
+
var _removeCspMeta = require("./removeCspMeta.js");
|
|
10
17
|
function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
|
|
11
18
|
/**
|
|
12
19
|
* CSP Hashes.
|
|
@@ -69,32 +76,36 @@ function hashstream({
|
|
|
69
76
|
const createHash = r => _crypto.default.createHash(algo).update(r).digest('base64');
|
|
70
77
|
const formatHash = h => `'${algo}-${h}'`;
|
|
71
78
|
const makeCSPHash = s => formatHash(createHash(s));
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
79
|
+
const transformObjectStream = new _stream.Transform({
|
|
80
|
+
objectMode: true,
|
|
81
|
+
transform: (vinyl, enc, done) => {
|
|
82
|
+
const path = vinyl.path;
|
|
83
|
+
const content = vinyl.contents;
|
|
84
|
+
const hashes = {
|
|
85
|
+
script: {
|
|
86
|
+
elements: [],
|
|
87
|
+
attributes: [],
|
|
88
|
+
get all() {
|
|
89
|
+
return this.elements.concat(this.attributes);
|
|
90
|
+
}
|
|
91
|
+
},
|
|
92
|
+
style: {
|
|
93
|
+
elements: [],
|
|
94
|
+
attributes: [],
|
|
95
|
+
get all() {
|
|
96
|
+
return this.elements.concat(this.attributes);
|
|
97
|
+
}
|
|
88
98
|
}
|
|
99
|
+
};
|
|
100
|
+
collectHashes(makeCSPHash, content, hashes);
|
|
101
|
+
if (replace) {
|
|
102
|
+
const s = callback(path, hashes, content.toString());
|
|
103
|
+
vinyl.contents = Buffer.from(s, enc);
|
|
104
|
+
} else {
|
|
105
|
+
callback(path, hashes);
|
|
89
106
|
}
|
|
90
|
-
|
|
91
|
-
collectHashes(makeCSPHash, content, hashes);
|
|
92
|
-
if (replace) {
|
|
93
|
-
const s = callback(path, hashes, content.toString());
|
|
94
|
-
vinyl.contents = Buffer.from(s, enc);
|
|
95
|
-
} else {
|
|
96
|
-
callback(path, hashes);
|
|
107
|
+
done(null, vinyl);
|
|
97
108
|
}
|
|
98
|
-
done(null, vinyl);
|
|
99
109
|
});
|
|
110
|
+
return transformObjectStream;
|
|
100
111
|
}
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
|
|
3
|
+
Object.defineProperty(exports, "__esModule", {
|
|
4
|
+
value: true
|
|
5
|
+
});
|
|
6
|
+
exports.default = exports.removeCspMeta = removeCspMeta;
|
|
7
|
+
var _stream = require("stream");
|
|
8
|
+
/**
|
|
9
|
+
* removeCspMeta.js
|
|
10
|
+
*
|
|
11
|
+
* A convenience method to remove the content of a Content-Security-Policy in a meta tag.
|
|
12
|
+
* Useful for development builds that need to ignore CSP meta tags.
|
|
13
|
+
*
|
|
14
|
+
* Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
|
|
15
|
+
* Licensed under the MIT license.
|
|
16
|
+
*/
|
|
17
|
+
|
|
18
|
+
function removeCspMeta() {
|
|
19
|
+
return new _stream.Transform({
|
|
20
|
+
objectMode: true,
|
|
21
|
+
transform: (vinyl, enc, done) => {
|
|
22
|
+
var _vinyl$contents;
|
|
23
|
+
let e = null;
|
|
24
|
+
const input = vinyl === null || vinyl === void 0 ? void 0 : (_vinyl$contents = vinyl.contents) === null || _vinyl$contents === void 0 ? void 0 : _vinyl$contents.toString();
|
|
25
|
+
if (input) {
|
|
26
|
+
const output = input.replace(/("?Content-Security-Policy"?)(\s+)(content=")([^"]+)"/i, '$1$2$3$2"');
|
|
27
|
+
vinyl.contents = Buffer.from(output, enc);
|
|
28
|
+
} else {
|
|
29
|
+
e = new Error('removeCspMeta could not get Vinyl object file contents');
|
|
30
|
+
e.errorCode = 'EBADINPUT';
|
|
31
|
+
}
|
|
32
|
+
done(e, vinyl);
|
|
33
|
+
}
|
|
34
|
+
});
|
|
35
|
+
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@localnerve/csp-hashes",
|
|
3
|
-
"version": "1.0
|
|
3
|
+
"version": "1.1.0",
|
|
4
4
|
"description": "Flexible library to generate CSP hashes",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"exports": {
|
|
@@ -27,8 +27,7 @@
|
|
|
27
27
|
"vinyl": "^2.2.1"
|
|
28
28
|
},
|
|
29
29
|
"dependencies": {
|
|
30
|
-
"cheerio": "^1.0.0-rc.12"
|
|
31
|
-
"through2": "^4.0.2"
|
|
30
|
+
"cheerio": "^1.0.0-rc.12"
|
|
32
31
|
},
|
|
33
32
|
"repository": {
|
|
34
33
|
"type": "git",
|
package/readme.md
CHANGED
|
@@ -24,7 +24,9 @@ This Nodejs library generates script and style inline element and attribute hash
|
|
|
24
24
|
+ NodeJS 14+
|
|
25
25
|
|
|
26
26
|
## API
|
|
27
|
-
|
|
27
|
+
|
|
28
|
+
### hashstream (also the default export)
|
|
29
|
+
This library exports a function that takes options and returns a transform stream in object mode. The transform stream operates on [Vinyl](https://github.com/gulpjs/vinyl) objects or a compatible file object with `path` and `contents` properties. The only required option is a [`callback`](#callback-function) function.
|
|
28
30
|
|
|
29
31
|
```
|
|
30
32
|
Stream hashstream ({
|
|
@@ -34,6 +36,13 @@ Stream hashstream ({
|
|
|
34
36
|
})
|
|
35
37
|
```
|
|
36
38
|
|
|
39
|
+
### removeCspMeta
|
|
40
|
+
This library also exports a convenience helper method, `removeCspMeta` that is useful for some types of development builds. This method returns a stream that operates on [Vinyl](https://github.com/gulpjs/vinyl) objects and removes any `Content-Security-Policy` content found in the files.
|
|
41
|
+
|
|
42
|
+
```
|
|
43
|
+
Stream removeCspMeta ()
|
|
44
|
+
```
|
|
45
|
+
|
|
37
46
|
### Options
|
|
38
47
|
|
|
39
48
|
+ {Function} **callback** - Required - A [function](#callback-function) to process the hashes. Receives file contents and must return new file contents if `replace` option is true.
|
|
@@ -129,6 +138,22 @@ export function cspMetaTags (settings) {
|
|
|
129
138
|
}
|
|
130
139
|
```
|
|
131
140
|
|
|
141
|
+
### Build step to remove CSP Meta tag content
|
|
142
|
+
In this example, a build step removes any content from a `Content-Security-Policy` in a development build that wishes to ignore it.
|
|
143
|
+
|
|
144
|
+
```javascript
|
|
145
|
+
import gulp from 'gulp';
|
|
146
|
+
import { removeCspMeta } from '@localnerve/csp-hashes';
|
|
147
|
+
|
|
148
|
+
export function stripCspMetaContents (settings) {
|
|
149
|
+
const { dist } = settings;
|
|
150
|
+
|
|
151
|
+
return gulp.src(`${dist}/**/*.html`)
|
|
152
|
+
.pipe(removeCspMeta())
|
|
153
|
+
.pipe(gulp.dest(dist));
|
|
154
|
+
}
|
|
155
|
+
```
|
|
156
|
+
|
|
132
157
|
## LICENSE
|
|
133
158
|
|
|
134
159
|
* [MIT, Alex Grant, LocalNerve, LLC](license.md)
|