@netlify/plugin-csp-nonce 1.2.9 → 1.2.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/__csp-nonce.ts +19 -6
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "private": false,
3
3
  "name": "@netlify/plugin-csp-nonce",
4
- "version": "1.2.9",
4
+ "version": "1.2.11",
5
5
  "description": "Use a nonce for the script-src and style-src directives of your Content Security Policy.",
6
6
  "main": "index.js",
7
7
  "repository": {
package/src/__csp-nonce.ts CHANGED
@@ -4,7 +4,7 @@ import type { Config, Context } from "netlify:edge";
4
4
  // @ts-ignore
5
5
  import { randomBytes } from "node:crypto";
6
6
  // @ts-ignore
7
- import { HTMLRewriter } from "https://ghuc.cc/worker-tools/html-rewriter@0.1.0-pre.17/index.ts";
7
+ import { HTMLRewriter } from "https://ghuc.cc/worker-tools/html-rewriter@0.1.0-pre.19/index.ts";
8
8
 
9
9
  // @ts-ignore
10
10
  import inputs from "./__csp-nonce-inputs.json" assert { type: "json" };
@@ -19,6 +19,21 @@ type Params = {
19
19
  const params = inputs as Params;
20
20
 
21
21
  const handler = async (request: Request, context: Context) => {
22
+ const isGET = request.method === "GET";
23
+ // We only need to run this for HTTP GET requests.
24
+ // If it is not a GET, then return early.
25
+ //
26
+ // If we instead used `context.next(request)`
27
+ // we would be passing the request through this
28
+ // edge function for no useful reason.
29
+ if (!isGET) {
30
+ return;
31
+ }
32
+
33
+
34
+ // At this point, we know it's a GET request,
35
+ // we have to now make the request, in order to
36
+ // see what the HTTP response's content-type is.
22
37
  const response = await context.next(request);
23
38
 
24
39
  let header = params.reportOnly
@@ -28,12 +43,10 @@ const handler = async (request: Request, context: Context) => {
28
43
  // for debugging which routes use this edge function
29
44
  response.headers.set("x-debug-csp-nonce", "invoked");
30
45
 
31
- // html GETs only
32
- const isGET = request.method?.toUpperCase() === "GET";
33
46
  const isHTMLResponse = response.headers
34
47
  .get("content-type")
35
48
  ?.startsWith("text/html");
36
- const shouldTransformResponse = isGET && isHTMLResponse;
49
+ const shouldTransformResponse = isHTMLResponse;
37
50
  if (!shouldTransformResponse) {
38
51
  console.log(`Unnecessary invocation for ${request.url}`, {
39
52
  method: request.method,
@@ -180,8 +193,8 @@ const excludedExtensions = [
180
193
  export const config: Config = {
181
194
  path: params.path,
182
195
  excludedPath: ["/.netlify*", `**/*.(${excludedExtensions.join("|")})`]
183
- .concat(params.excludedPath)
184
- .filter(Boolean),
196
+ .concat(params.excludedPath)
197
+ .filter(Boolean),
185
198
  handler,
186
199
  onError: "bypass",
187
200
  };