@netlify/plugin-csp-nonce 1.3.8 → 1.4.0

package/manifest.yml

@@ -14,3 +14,9 @@ inputs:
   - name: excludedPath
     description: The glob expressions of path(s) that *should not* invoke the CSP nonce edge function. Must be an array of strings. This value gets spread with common non-html filetype extensions (*.css, *.js, *.svg, etc)
     default: []
+  - name: unsafeInline
+    description: When true, allows the execution of inline scripts, such as those defined within <script> tags or through onclick attributes.
+    default: true
+  - name: self
+    description: When true, restricts the execution of scripts to those that originate from the same origin (protocol, domain, and port) as the document.
+    default: true

package/package.json

@@ -1,7 +1,7 @@
 {
   "private": false,
   "name": "@netlify/plugin-csp-nonce",
-  "version": "1.3.8",
+  "version": "1.4.0",
   "description": "Use a nonce for the script-src and style-src directives of your Content Security Policy.",
   "main": "index.js",
   "repository": {

package/src/__csp-nonce.ts

@@ -2,7 +2,7 @@
 // @ts-ignore
 import type { Config, Context } from "netlify:edge";
 // @ts-ignore
-import { csp } from "https://deno.land/x/csp_nonce_html_transformer@v2.2.1/src/index-embedded-wasm.ts";
+import { csp } from "https://deno.land/x/csp_nonce_html_transformer@v2.2.2/src/index-embedded-wasm.ts";
 // @ts-ignore
 import inputs from "./__csp-nonce-inputs.json" assert { type: "json" };
 
@@ -25,8 +25,8 @@ params.reportUri = params.reportUri || "/.netlify/functions/__csp-violations";
 params.distribution = Netlify.env.get("CSP_NONCE_DISTRIBUTION");
 
 params.strictDynamic = true;
-params.unsafeInline = true;
-params.self = true;
+params.unsafeInline = params.unsafeInline ?? true;
+params.self = params.self ?? true;
 params.https = true;
 params.http = true;