@netlify/plugin-csp-nonce 1.2.7 → 1.2.9

package/README.md

@@ -92,6 +92,7 @@ If your HTML does not contain the `nonce` attribute on the `<script>` tags that
 - The request method is `GET`
 - The `content-type` response header starts with `text/html`
 - The path of the request is satisfied by the `path` config option, and not included in the `excludedPath` config option
+- This site does not use [Split Testing](https://docs.netlify.com/site-deploys/split-testing/). There is a [known limitation](https://docs.netlify.com/edge-functions/limits/#feature-limitations) that requests to sites with Split Testing enabled will not execute edge functions.
 
 ### Controlling rollout
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "private": false,
   "name": "@netlify/plugin-csp-nonce",
-  "version": "1.2.7",
+  "version": "1.2.9",
   "description": "Use a nonce for the script-src and style-src directives of your Content Security Policy.",
   "main": "index.js",
   "repository": {

package/src/__csp-nonce.ts

@@ -92,7 +92,9 @@ const handler = async (request: Request, context: Context) => {
         const d = directive.trim();
         // intentionally add trailing space to avoid mangling `script-src-elem`
         if (d.startsWith("script-src ")) {
-          return d.replace("script-src ", scriptSrc);
+          // append with trailing space to include any user-supplied values
+          // https://github.com/netlify/plugin-csp-nonce/issues/72
+          return d.replace("script-src ", `${scriptSrc} `).trim();
         }
         // intentionally omit report-uri: theirs should take precedence
         return d;
@@ -177,7 +179,7 @@ const excludedExtensions = [
 
 export const config: Config = {
   path: params.path,
-  excludedPath: ["/.netlify/*", `**/*.(${excludedExtensions.join("|")})`]
+  excludedPath: ["/.netlify*", `**/*.(${excludedExtensions.join("|")})`]
     .concat(params.excludedPath)
     .filter(Boolean),
   handler,