@netlify/plugin-csp-nonce 1.0.3 → 1.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +1 -1
- package/package.json +1 -1
- package/src/__csp-nonce.ts +12 -13
- package/src/__csp-violations.ts +1 -1
package/index.js
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
|
+
/* eslint-disable no-console */
|
|
1
2
|
import fs, { copyFileSync } from "fs";
|
|
2
3
|
|
|
3
4
|
const SITE_ID = "321a7119-6008-49a8-9d2f-e20602b1b349";
|
|
4
5
|
|
|
5
|
-
/* eslint-disable no-console */
|
|
6
6
|
export const onPreBuild = async ({ inputs, netlifyConfig, utils }) => {
|
|
7
7
|
console.log(` Current working directory: ${process.cwd()}`);
|
|
8
8
|
const config = JSON.stringify(inputs, null, 2);
|
package/package.json
CHANGED
package/src/__csp-nonce.ts
CHANGED
|
@@ -1,5 +1,4 @@
|
|
|
1
|
-
/* eslint-disable
|
|
2
|
-
/* eslint-disable import/no-unresolved */
|
|
1
|
+
/* eslint-disable */
|
|
3
2
|
// @ts-expect-error
|
|
4
3
|
import { cryptoRandomString } from "https://deno.land/x/crypto_random_string@1.0.0/mod.ts";
|
|
5
4
|
// @ts-expect-error
|
|
@@ -26,8 +25,10 @@ const handler = async (request: Request, context: Context) => {
|
|
|
26
25
|
|
|
27
26
|
// html only
|
|
28
27
|
if (
|
|
29
|
-
!
|
|
30
|
-
|
|
28
|
+
!(
|
|
29
|
+
request.headers.get("accept")?.startsWith("text/html") &&
|
|
30
|
+
response.headers.get("content-type").startsWith("text/html")
|
|
31
|
+
)
|
|
31
32
|
) {
|
|
32
33
|
return response;
|
|
33
34
|
}
|
|
@@ -39,7 +40,6 @@ const handler = async (request: Request, context: Context) => {
|
|
|
39
40
|
// https://content-security-policy.com/strict-dynamic/
|
|
40
41
|
const rules = `'nonce-${nonce}' 'strict-dynamic' 'unsafe-inline' 'self' https: http:`;
|
|
41
42
|
const scriptSrc = `script-src ${rules}`;
|
|
42
|
-
const styleSrc = `style-src ${rules}`;
|
|
43
43
|
const reportUri = `report-uri /.netlify/functions/__csp-violations`;
|
|
44
44
|
|
|
45
45
|
const csp = response.headers.get(header);
|
|
@@ -52,9 +52,7 @@ const handler = async (request: Request, context: Context) => {
|
|
|
52
52
|
if (d.startsWith("script-src")) {
|
|
53
53
|
return d.replace("script-src", scriptSrc);
|
|
54
54
|
}
|
|
55
|
-
|
|
56
|
-
return d.replace("style-src", styleSrc);
|
|
57
|
-
}
|
|
55
|
+
// intentionally omit report-uri: theirs should take precedence
|
|
58
56
|
return d;
|
|
59
57
|
})
|
|
60
58
|
.filter(Boolean);
|
|
@@ -62,26 +60,27 @@ const handler = async (request: Request, context: Context) => {
|
|
|
62
60
|
if (!directives.find((d) => d.startsWith("script-src"))) {
|
|
63
61
|
directives.push(scriptSrc);
|
|
64
62
|
}
|
|
65
|
-
if (!directives.find((d) => d.startsWith("
|
|
66
|
-
directives.push(
|
|
63
|
+
if (!directives.find((d) => d.startsWith("report-uri"))) {
|
|
64
|
+
directives.push(reportUri);
|
|
67
65
|
}
|
|
68
66
|
const value = directives.join("; ");
|
|
69
67
|
response.headers.set(header, value);
|
|
70
68
|
} else {
|
|
71
69
|
// make a new ruleset of directives if no CSP present
|
|
72
|
-
const value = [scriptSrc,
|
|
70
|
+
const value = [scriptSrc, reportUri].join("; ");
|
|
73
71
|
response.headers.set(header, value);
|
|
74
72
|
}
|
|
75
73
|
|
|
76
74
|
// time to do some regex magic
|
|
77
75
|
const page = await response.text();
|
|
78
76
|
const rewrittenPage = page.replace(
|
|
79
|
-
/<
|
|
80
|
-
`<$1
|
|
77
|
+
/<script([^>]*)>/gi,
|
|
78
|
+
`<$1 nonce="${nonce}">`
|
|
81
79
|
);
|
|
82
80
|
return new Response(rewrittenPage, response);
|
|
83
81
|
};
|
|
84
82
|
|
|
83
|
+
// Top 50 most common extensions (minus .html and .htm) according to Humio
|
|
85
84
|
const excludedExtensions = [
|
|
86
85
|
"aspx",
|
|
87
86
|
"avif",
|
package/src/__csp-violations.ts
CHANGED