@netlify/plugin-csp-nonce 1.2.0 → 1.2.1

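--- a/package/README.md
+++ b/package/README.md
@@ -97,10 +97,10 @@ If your HTML does not contain the `nonce` attribute on the `<script>` tags that
 
 You may want to gradually rollout the effects of this plugin while you monitor violation reports, without modifying code.
 
-You can ramp up or ramp down the inclusion of the headers this plugin enforces by setting the `CSP_NONCE_DISTRIBUTION` environment variable to a value between `0` and `1`.
+You can ramp up or ramp down the inclusion of the `Content-Security-Policy` header by setting the `CSP_NONCE_DISTRIBUTION` environment variable to a value between `0` and `1`.
 
 - If `0`, the plugin is completely skipped at build time, and no extra functions or edge functions get deployed. Functionally, this acts the same as if the plugin isn't installed at all.
 - If `1`, 100% of traffic for all matching paths will include the nonce. Functionally, this acts the same as if the `CSP_NONCE_DISTRIBUTION` environment variable was not defined.
-- Any value in between `0` and `1` will include the nonce in randomly distributed traffic. For example, a value of `0.25` will include the nonce 25% of the time for matching paths.
+- Any value in between `0` and `1` will include the nonce in randomly distributed traffic. For example, a value of `0.25` will put the nonce in the `Content-Security-Policy` header 25% of requests for matching paths. The other 75% of matching requests will have the nonce in the `Content-Security-Policy-Report-Only` header.
 
 The `CSP_NONCE_DISTRIBUTION` environment variable needs to be scoped to both `Builds` and `Functions`.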
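--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "private": false,
 "name": "@netlify/plugin-csp-nonce",
-"version": "1.2.0",
+"version": "1.2.1",
 "description": "Use a nonce for the script-src and style-src directives of your Content Security Policy.",
 "main": "index.js",
 "repository": {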
@@ -15,13 +15,13 @@ type Params = {
15
15
  };
16
16
  const params = inputs as Params;
17
17
 
18
- const header = params.reportOnly
19
- ? "content-security-policy-report-only"
20
- : "content-security-policy";
21
-
22
18
  const handler = async (request: Request, context: Context) => {
23
19
  const response = await context.next();
24
20
 
21
+ let header = params.reportOnly
22
+ ? "content-security-policy-report-only"
23
+ : "content-security-policy";
24
+
25
25
  // for debugging which routes use this edge function
26
26
  response.headers.set("x-debug-csp-nonce", "invoked");
27
27
 
@@ -48,10 +48,16 @@ const handler = async (request: Request, context: Context) => {
48
48
  distribution.endsWith("%") || parseFloat(distribution) > 1
49
49
  ? Math.max(parseFloat(distribution) / 100, 0)
50
50
  : Math.max(parseFloat(distribution), 0);
51
- // if a roll of the dice is greater than our threshold, skip
52
51
  const random = Math.random();
52
+ // if a roll of the dice is greater than our threshold...
53
53
  if (random > threshold && threshold <= 1) {
54
- return response;
54
+ if (header === "content-security-policy") {
55
+ // if the real CSP is set, then change to report only
56
+ header = "content-security-policy-report-only";
57
+ } else {
58
+ // if the CSP is set to report-only, return unadulterated response
59
+ return response;
60
+ }
55
61
  }
56
62
  }
57
63