@netlify/plugin-csp-nonce 1.2.1 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/__csp-nonce.ts +11 -9
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "private": false,
3
3
  "name": "@netlify/plugin-csp-nonce",
4
- "version": "1.2.1",
4
+ "version": "1.2.2",
5
5
  "description": "Use a nonce for the script-src and style-src directives of your Content Security Policy.",
6
6
  "main": "index.js",
7
7
  "repository": {
package/src/__csp-nonce.ts CHANGED
@@ -3,6 +3,8 @@
3
3
  import type { Config, Context } from "netlify:edge";
4
4
  // @ts-expect-error
5
5
  import { randomBytes } from "node:crypto";
6
+ // @ts-expect-error
7
+ import { HTMLRewriter } from "https://ghuc.cc/worker-tools/html-rewriter@0.1.0-pre.17/index.ts";
6
8
 
7
9
  import inputs from "./__csp-nonce-inputs.json" assert { type: "json" };
8
10
 
@@ -16,7 +18,7 @@ type Params = {
16
18
  const params = inputs as Params;
17
19
 
18
20
  const handler = async (request: Request, context: Context) => {
19
- const response = await context.next();
21
+ const response = await context.next(request);
20
22
 
21
23
  let header = params.reportOnly
22
24
  ? "content-security-policy-report-only"
@@ -109,13 +111,13 @@ const handler = async (request: Request, context: Context) => {
109
111
  response.headers.set(header, value);
110
112
  }
111
113
 
112
- // time to do some regex magic
113
- const page = await response.text();
114
- const rewrittenPage = page.replace(
115
- /<script([^>]*)>/gi,
116
- `<script$1 nonce="${nonce}">`
117
- );
118
- return new Response(rewrittenPage, response);
114
+ return new HTMLRewriter()
115
+ .on("script", {
116
+ element(element) {
117
+ element.setAttribute("nonce", nonce);
118
+ },
119
+ })
120
+ .transform(response);
119
121
  };
120
122
 
121
123
  // Top 50 most common extensions (minus .html and .htm) according to Humio
@@ -175,7 +177,7 @@ export const config: Config = {
175
177
  excludedPath: [
176
178
  ...params.excludedPath,
177
179
  "/.netlify/*",
178
- ...excludedExtensions.map((ext) => `**/*.${ext}`),
180
+ `**/*.(${excludedExtensions.join("|")})`,
179
181
  ],
180
182
  handler,
181
183
  onError: "bypass",