@netlify/plugin-csp-nonce 1.2.1 → 1.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +4 -3
- package/src/__csp-nonce.ts +16 -13
- package/src/__csp-violations.ts +1 -0
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"private": false,
|
|
3
3
|
"name": "@netlify/plugin-csp-nonce",
|
|
4
|
-
"version": "1.2.
|
|
4
|
+
"version": "1.2.3",
|
|
5
5
|
"description": "Use a nonce for the script-src and style-src directives of your Content Security Policy.",
|
|
6
6
|
"main": "index.js",
|
|
7
7
|
"repository": {
|
|
@@ -17,13 +17,14 @@
|
|
|
17
17
|
"src/*"
|
|
18
18
|
],
|
|
19
19
|
"devDependencies": {
|
|
20
|
-
"prettier": "^2.8.8"
|
|
20
|
+
"prettier": "^2.8.8",
|
|
21
|
+
"typescript": "^5.2.2"
|
|
21
22
|
},
|
|
22
23
|
"bugs": {
|
|
23
24
|
"url": "https://github.com/netlify/plugin-csp-nonce/issues"
|
|
24
25
|
},
|
|
25
26
|
"homepage": "https://github.com/netlify/plugin-csp-nonce#readme",
|
|
26
27
|
"scripts": {
|
|
27
|
-
"
|
|
28
|
+
"build": "tsc src/*.ts --noEmit --strict --lib es2018,dom"
|
|
28
29
|
}
|
|
29
30
|
}
|
package/src/__csp-nonce.ts
CHANGED
|
@@ -1,9 +1,12 @@
|
|
|
1
1
|
/* eslint-disable */
|
|
2
|
-
// @ts-
|
|
2
|
+
// @ts-ignore
|
|
3
3
|
import type { Config, Context } from "netlify:edge";
|
|
4
|
-
// @ts-
|
|
4
|
+
// @ts-ignore
|
|
5
5
|
import { randomBytes } from "node:crypto";
|
|
6
|
+
// @ts-ignore
|
|
7
|
+
import { HTMLRewriter } from "https://ghuc.cc/worker-tools/html-rewriter@0.1.0-pre.17/index.ts";
|
|
6
8
|
|
|
9
|
+
// @ts-ignore
|
|
7
10
|
import inputs from "./__csp-nonce-inputs.json" assert { type: "json" };
|
|
8
11
|
|
|
9
12
|
type Params = {
|
|
@@ -16,7 +19,7 @@ type Params = {
|
|
|
16
19
|
const params = inputs as Params;
|
|
17
20
|
|
|
18
21
|
const handler = async (request: Request, context: Context) => {
|
|
19
|
-
const response = await context.next();
|
|
22
|
+
const response = await context.next(request);
|
|
20
23
|
|
|
21
24
|
let header = params.reportOnly
|
|
22
25
|
? "content-security-policy-report-only"
|
|
@@ -41,7 +44,7 @@ const handler = async (request: Request, context: Context) => {
|
|
|
41
44
|
|
|
42
45
|
// CSP_NONCE_DISTRIBUTION is a number from 0 to 1,
|
|
43
46
|
// but 0 to 100 is also supported, along with a trailing %
|
|
44
|
-
// @ts-
|
|
47
|
+
// @ts-ignore
|
|
45
48
|
const distribution = Netlify.env.get("CSP_NONCE_DISTRIBUTION");
|
|
46
49
|
if (!!distribution) {
|
|
47
50
|
const threshold =
|
|
@@ -80,7 +83,7 @@ const handler = async (request: Request, context: Context) => {
|
|
|
80
83
|
params.reportUri || "/.netlify/functions/__csp-violations"
|
|
81
84
|
}`;
|
|
82
85
|
|
|
83
|
-
const csp = response.headers.get(header);
|
|
86
|
+
const csp = response.headers.get(header) as string;
|
|
84
87
|
if (csp) {
|
|
85
88
|
const directives = csp
|
|
86
89
|
.split(";")
|
|
@@ -109,13 +112,13 @@ const handler = async (request: Request, context: Context) => {
|
|
|
109
112
|
response.headers.set(header, value);
|
|
110
113
|
}
|
|
111
114
|
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
115
|
+
return new HTMLRewriter()
|
|
116
|
+
.on("script", {
|
|
117
|
+
element(element: HTMLElement) {
|
|
118
|
+
element.setAttribute("nonce", nonce);
|
|
119
|
+
},
|
|
120
|
+
})
|
|
121
|
+
.transform(response);
|
|
119
122
|
};
|
|
120
123
|
|
|
121
124
|
// Top 50 most common extensions (minus .html and .htm) according to Humio
|
|
@@ -175,7 +178,7 @@ export const config: Config = {
|
|
|
175
178
|
excludedPath: [
|
|
176
179
|
...params.excludedPath,
|
|
177
180
|
"/.netlify/*",
|
|
178
|
-
|
|
181
|
+
`**/*.(${excludedExtensions.join("|")})`,
|
|
179
182
|
],
|
|
180
183
|
handler,
|
|
181
184
|
onError: "bypass",
|