@netlify/plugin-csp-nonce 1.2.10 → 1.2.12

package/package.json

@@ -1,7 +1,7 @@
 {
   "private": false,
   "name": "@netlify/plugin-csp-nonce",
-  "version": "1.2.10",
+  "version": "1.2.12",
   "description": "Use a nonce for the script-src and style-src directives of your Content Security Policy.",
   "main": "index.js",
   "repository": {

package/src/__csp-nonce.ts

@@ -21,19 +21,13 @@ const params = inputs as Params;
 const handler = async (request: Request, context: Context) => {
   const response = await context.next(request);
 
-  let header = params.reportOnly
-    ? "content-security-policy-report-only"
-    : "content-security-policy";
-
   // for debugging which routes use this edge function
   response.headers.set("x-debug-csp-nonce", "invoked");
 
-  // html GETs only
-  const isGET = request.method?.toUpperCase() === "GET";
   const isHTMLResponse = response.headers
     .get("content-type")
     ?.startsWith("text/html");
-  const shouldTransformResponse = isGET && isHTMLResponse;
+  const shouldTransformResponse = isHTMLResponse;
   if (!shouldTransformResponse) {
     console.log(`Unnecessary invocation for ${request.url}`, {
       method: request.method,
@@ -42,6 +36,10 @@ const handler = async (request: Request, context: Context) => {
     return response;
   }
 
+  let header = params.reportOnly
+    ? "content-security-policy-report-only"
+    : "content-security-policy";
+
   // CSP_NONCE_DISTRIBUTION is a number from 0 to 1,
   // but 0 to 100 is also supported, along with a trailing %
   // @ts-ignore
@@ -180,10 +178,11 @@ const excludedExtensions = [
 export const config: Config = {
   path: params.path,
   excludedPath: ["/.netlify*", `**/*.(${excludedExtensions.join("|")})`]
-    .concat(params.excludedPath)
-    .filter(Boolean),
+  .concat(params.excludedPath)
+  .filter(Boolean),
   handler,
   onError: "bypass",
+  method: "GET",
 };
 
 export default handler;