@netlify/plugin-csp-nonce 1.2.11 → 1.2.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/__csp-nonce.ts +7 -24
package/package.json
CHANGED
package/src/__csp-nonce.ts
CHANGED
|
@@ -19,35 +19,13 @@ type Params = {
|
|
|
19
19
|
const params = inputs as Params;
|
|
20
20
|
|
|
21
21
|
const handler = async (request: Request, context: Context) => {
|
|
22
|
-
const isGET = request.method === "GET";
|
|
23
|
-
// We only need to run this for HTTP GET requests.
|
|
24
|
-
// If it is not a GET, then return early.
|
|
25
|
-
//
|
|
26
|
-
// If we instead used `context.next(request)`
|
|
27
|
-
// we would be passing the request through this
|
|
28
|
-
// edge function for no useful reason.
|
|
29
|
-
if (!isGET) {
|
|
30
|
-
return;
|
|
31
|
-
}
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
// At this point, we know it's a GET request,
|
|
35
|
-
// we have to now make the request, in order to
|
|
36
|
-
// see what the HTTP response's content-type is.
|
|
37
22
|
const response = await context.next(request);
|
|
38
23
|
|
|
39
|
-
let header = params.reportOnly
|
|
40
|
-
? "content-security-policy-report-only"
|
|
41
|
-
: "content-security-policy";
|
|
42
|
-
|
|
43
24
|
// for debugging which routes use this edge function
|
|
44
25
|
response.headers.set("x-debug-csp-nonce", "invoked");
|
|
45
26
|
|
|
46
|
-
const isHTMLResponse = response.headers
|
|
47
|
-
|
|
48
|
-
?.startsWith("text/html");
|
|
49
|
-
const shouldTransformResponse = isHTMLResponse;
|
|
50
|
-
if (!shouldTransformResponse) {
|
|
27
|
+
const isHTMLResponse = response.headers.get("content-type") === "text/html";
|
|
28
|
+
if (!isHTMLResponse) {
|
|
51
29
|
console.log(`Unnecessary invocation for ${request.url}`, {
|
|
52
30
|
method: request.method,
|
|
53
31
|
"content-type": response.headers.get("content-type"),
|
|
@@ -55,6 +33,10 @@ const handler = async (request: Request, context: Context) => {
|
|
|
55
33
|
return response;
|
|
56
34
|
}
|
|
57
35
|
|
|
36
|
+
let header = params.reportOnly
|
|
37
|
+
? "content-security-policy-report-only"
|
|
38
|
+
: "content-security-policy";
|
|
39
|
+
|
|
58
40
|
// CSP_NONCE_DISTRIBUTION is a number from 0 to 1,
|
|
59
41
|
// but 0 to 100 is also supported, along with a trailing %
|
|
60
42
|
// @ts-ignore
|
|
@@ -197,6 +179,7 @@ export const config: Config = {
|
|
|
197
179
|
.filter(Boolean),
|
|
198
180
|
handler,
|
|
199
181
|
onError: "bypass",
|
|
182
|
+
method: "GET",
|
|
200
183
|
};
|
|
201
184
|
|
|
202
185
|
export default handler;
|