@netlify/plugin-csp-nonce 1.2.5 → 1.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/__csp-nonce.ts +4 -3
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "private": false,
3
3
  "name": "@netlify/plugin-csp-nonce",
4
- "version": "1.2.5",
4
+ "version": "1.2.6",
5
5
  "description": "Use a nonce for the script-src and style-src directives of your Content Security Policy.",
6
6
  "main": "index.js",
7
7
  "repository": {
package/src/__csp-nonce.ts CHANGED
@@ -90,15 +90,16 @@ const handler = async (request: Request, context: Context) => {
90
90
  .map((directive) => {
91
91
  // prepend our rules for any existing directives
92
92
  const d = directive.trim();
93
- if (d.startsWith("script-src")) {
94
- return d.replace("script-src", scriptSrc);
93
+ // intentionally add trailing space to avoid mangling `script-src-elem`
94
+ if (d.startsWith("script-src ")) {
95
+ return d.replace("script-src ", scriptSrc);
95
96
  }
96
97
  // intentionally omit report-uri: theirs should take precedence
97
98
  return d;
98
99
  })
99
100
  .filter(Boolean);
100
101
  // push our rules if the directives don't exist yet
101
- if (!directives.find((d) => d.startsWith("script-src"))) {
102
+ if (!directives.find((d) => d.startsWith("script-src "))) {
102
103
  directives.push(scriptSrc);
103
104
  }
104
105
  if (!directives.find((d) => d.startsWith("report-uri"))) {