@netlify/plugin-csp-nonce 1.0.4 → 1.0.5

Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/__csp-nonce.ts +11 -11
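--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@netlify/plugin-csp-nonce",
- "version": "1.0.4",
+ "version": "1.0.5",
  "description": "Use a nonce for the script-src and style-src directives of your Content Security Policy.",
  "main": "index.js",
  "repository": {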
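--- a/package/src/__csp-nonce.ts
+++ b/package/src/__csp-nonce.ts
@@ -25,8 +25,10 @@ const handler = async (request: Request, context: Context) => {
 
  // html only
  if (
- !request.headers.get("accept")?.startsWith("text/html") ||
- !response.headers.get("content-type").startsWith("text/html")
+ !(
+ request.headers.get("accept")?.startsWith("text/html") &&
+ response.headers.get("content-type").startsWith("text/html")
+ )
  ) {
  return response;
  }
@@ -38,7 +40,6 @@ const handler = async (request: Request, context: Context) => {
  // https://content-security-policy.com/strict-dynamic/
  const rules = `'nonce-${nonce}' 'strict-dynamic' 'unsafe-inline' 'self' https: http:`;
  const scriptSrc = `script-src ${rules}`;
- const styleSrc = `style-src ${rules}`;
  const reportUri = `report-uri /.netlify/functions/__csp-violations`;
 
  const csp = response.headers.get(header);
@@ -51,9 +52,7 @@ const handler = async (request: Request, context: Context) => {
  if (d.startsWith("script-src")) {
  return d.replace("script-src", scriptSrc);
  }
- if (d.startsWith("style-src")) {
- return d.replace("style-src", styleSrc);
- }
+ // intentionally omit report-uri: theirs should take precedence
  return d;
  })
  .filter(Boolean);
@@ -61,26 +60,27 @@ const handler = async (request: Request, context: Context) => {
  if (!directives.find((d) => d.startsWith("script-src"))) {
  directives.push(scriptSrc);
  }
- if (!directives.find((d) => d.startsWith("style-src"))) {
- directives.push(styleSrc);
+ if (!directives.find((d) => d.startsWith("report-uri"))) {
+ directives.push(reportUri);
  }
  const value = directives.join("; ");
  response.headers.set(header, value);
  } else {
  // make a new ruleset of directives if no CSP present
- const value = [scriptSrc, styleSrc, reportUri].join("; ");
+ const value = [scriptSrc, reportUri].join("; ");
  response.headers.set(header, value);
  }
 
  // time to do some regex magic
  const page = await response.text();
  const rewrittenPage = page.replace(
- /<(script|style)([^>]*)>/gi,
- `<$1$2 nonce="${nonce}">`
+ /<script([^>]*)>/gi,
+ `<$1 nonce="${nonce}">`
  );
  return new Response(rewrittenPage, response);
  };
 
+ // Top 50 most common extensions (minus .html and .htm) according to Humio
  const excludedExtensions = [
  "aspx",
  "avif",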
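Review bot: The new regex in the last hunk drops the tag name from every `<script>` it rewrites: `/<script([^>]*)>/gi` has a single capture group holding the attributes, but the replacement `` `<$1 nonce="${nonce}">` `` was carried over from the old two-group `(script|style)` pattern where `$1` was the tag name, so `<script src="a.js">` becomes `< src="a.js" nonce="…">` and no script on the page executes. Write the tag literally, `` `<script$1 nonce="${nonce}">` ``, or keep a tag group with `/<(script)([^>]*)>/gi` and `` `<$1$2 nonce="${nonce}">` ``. Separately, this replace nonces every script tag already present in the response body, including any markup an attacker managed to inject into the HTML before the edge function ran, so the `'nonce-…' 'strict-dynamic'` policy only blocks script injected after the response leaves this handler; that limitation deserves a comment next to the regex, e.g. `// NOTE: every <script> in the body is trusted and nonced — attacker-injected markup in the HTML is nonced too`. The `handler` function these hunks modify begins before the first hunk.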