@netlify/plugin-csp-nonce 1.4.0 → 1.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/manifest.yml +3 -0
- package/package.json +1 -1
- package/src/__csp-nonce.ts +13 -7
- package/src/__csp-violations.ts +2 -3
package/manifest.yml
CHANGED
|
@@ -5,6 +5,9 @@ inputs:
|
|
|
5
5
|
default: true
|
|
6
6
|
- name: reportUri
|
|
7
7
|
description: The relative or absolute URL to report any violations. If not defined, violations are reported to the __csp-violations function, which this plugin deploys.
|
|
8
|
+
- name: strictDynamic
|
|
9
|
+
description: When true, dynamically trust scripts via nonce or hash instead of static allowlists, enhancing security.
|
|
10
|
+
default: true
|
|
8
11
|
- name: unsafeEval
|
|
9
12
|
description: When true, adds 'unsafe-eval' to CSP for easier adoption. Set to false to have a safer policy if your code and code dependencies does not use eval().
|
|
10
13
|
default: true
|
package/package.json
CHANGED
package/src/__csp-nonce.ts
CHANGED
|
@@ -1,10 +1,16 @@
|
|
|
1
|
-
|
|
2
|
-
// @ts-ignore
|
|
1
|
+
// @ts-ignore cannot find module
|
|
3
2
|
import type { Config, Context } from "netlify:edge";
|
|
4
|
-
// @ts-ignore
|
|
3
|
+
// @ts-ignore cannot find module
|
|
5
4
|
import { csp } from "https://deno.land/x/csp_nonce_html_transformer@v2.2.2/src/index-embedded-wasm.ts";
|
|
6
|
-
|
|
7
|
-
import
|
|
5
|
+
|
|
6
|
+
// Using `import ... with ...` syntax directly fails due to the node 18 type-checking we're running on this file,
|
|
7
|
+
// but this syntax works fine in deno 1.46.3 and 2.x which is what the functions are bundled and run with.
|
|
8
|
+
// We're able to sneak by the node syntax issues by using this `await import(...)` syntax instead of a direct import statement.
|
|
9
|
+
// @ts-ignore top-level await
|
|
10
|
+
const { default: inputs } = await import("./__csp-nonce-inputs.json", {
|
|
11
|
+
// @ts-ignore 'with' syntax
|
|
12
|
+
with: { type: "json" },
|
|
13
|
+
});
|
|
8
14
|
|
|
9
15
|
type Params = {
|
|
10
16
|
reportOnly: boolean;
|
|
@@ -21,10 +27,10 @@ type Params = {
|
|
|
21
27
|
};
|
|
22
28
|
const params = inputs as Params;
|
|
23
29
|
params.reportUri = params.reportUri || "/.netlify/functions/__csp-violations";
|
|
24
|
-
// @ts-ignore
|
|
30
|
+
// @ts-ignore Netlify
|
|
25
31
|
params.distribution = Netlify.env.get("CSP_NONCE_DISTRIBUTION");
|
|
26
32
|
|
|
27
|
-
params.strictDynamic = true;
|
|
33
|
+
params.strictDynamic = params.strictDynamic ?? true;
|
|
28
34
|
params.unsafeInline = params.unsafeInline ?? true;
|
|
29
35
|
params.self = params.self ?? true;
|
|
30
36
|
params.https = true;
|
package/src/__csp-violations.ts
CHANGED
|
@@ -1,12 +1,11 @@
|
|
|
1
|
-
|
|
2
|
-
// @ts-ignore
|
|
1
|
+
// @ts-ignore async missing await
|
|
3
2
|
const handler = async (event) => {
|
|
4
3
|
try {
|
|
5
4
|
const { "csp-report": cspReport } = JSON.parse(event.body);
|
|
6
5
|
if (cspReport) {
|
|
7
6
|
console.log(JSON.stringify(cspReport));
|
|
8
7
|
}
|
|
9
|
-
} catch
|
|
8
|
+
} catch {
|
|
10
9
|
// ...the sound of silence
|
|
11
10
|
}
|
|
12
11
|
return {
|