astro-helmet 1.1.0 → 1.2.0

package/README.md

@@ -171,8 +171,8 @@ JSON-LD script tags are rendered with priority `105`, placing them after regular
 
 When provided with an array of `headItems`, `astro-helmet` will merge the items together.
 
-`headItems.meta` are deduplicated by `name`, `property` and `http-equiv`.
-Meta items later in the array replace earlier items.
+`headItems.meta` are deduplicated by `name`, `property`, `http-equiv` and `charset`.
+Meta items later in the array replace earlier items. Meta tags without any of these keys (e.g. `itemprop`-only tags) are never deduplicated.
 
 `title` and `base` items are also deduplicated, with the last item in the array taking precedence.
 
@@ -270,7 +270,7 @@ function applyPriority(tag: Tag): Required<Tag> {
       break
 
     case 'style':
-      priority = tag.innerHTML.includes('@import') ? 30 : 51
+      priority = tag.innerHTML?.includes('@import') ? 30 : 51
       break
 
     case 'script':

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "astro-helmet",
-	"version": "1.1.0",
+	"version": "1.2.0",
 	"type": "module",
 	"description": "A document head manager for astro.",
 	"author": "Ryan Voitiskis <ryanvoitiskis@pm.me> (https://ryanvoitiskis.com/)",
@@ -30,24 +30,24 @@
 		"release": "semantic-release"
 	},
 	"devDependencies": {
-		"@astrojs/check": "^0.9.6",
+		"@astrojs/check": "^0.9.8",
 		"@eslint/js": "^9.39.2",
 		"@semantic-release/changelog": "^6.0.3",
 		"@semantic-release/git": "^10.0.1",
 		"@semantic-release/github": "^11.0.1",
 		"@semantic-release/npm": "^12.0.1",
-		"@vitest/coverage-v8": "^2.1.8",
-		"astro": "^5.0.3",
+		"@vitest/coverage-v8": "^4.1.2",
+		"astro": "^6.1.3",
 		"eslint": "^9.39.2",
 		"prettier": "^3.4.2",
 		"prettier-plugin-astro": "^0.14.1",
 		"semantic-release": "^24.2.0",
 		"typescript": "^5.7.2",
 		"typescript-eslint": "^8.55.0",
-		"vitest": "^2.1.8"
+		"vitest": "^4.1.2"
 	},
 	"peerDependencies": {
-		"astro": "^4.0.0 || ^5.0.0"
+		"astro": "^4.0.0 || ^5.0.0 || ^6.0.0"
 	},
 	"repository": {
 		"type": "git",

package/src/Helmet.astro

@@ -1,5 +1,5 @@
 ---
-import { type HeadItems, type Tag, renderHead } from './main'
+import { type HeadItems, type Tag, renderHead, getInlineContent, getExternalResources } from './main'
 
 interface Props {
 	headItems: HeadItems | HeadItems[]
@@ -12,6 +12,34 @@ interface Props {
 const { headItems, options = {} } = Astro.props
 const { applyPriority, omitHeadTags = false } = options
 const head = renderHead(headItems, applyPriority)
+
+// Register CSP hashes and resources when running on Astro 6+ with CSP enabled.
+// Cast avoids typecheck failures for downstream consumers on Astro 4/5 where
+// `csp` isn't declared on `AstroGlobal`.
+const csp = (Astro as unknown as {
+	csp?: {
+		insertScriptHash(hash: string): void
+		insertStyleHash(hash: string): void
+		insertScriptResource(url: string): void
+		insertStyleResource(url: string): void
+	}
+}).csp
+if (csp) {
+	for (const { type, content } of getInlineContent(headItems)) {
+		const hashBuffer = await crypto.subtle.digest(
+			'SHA-256',
+			new TextEncoder().encode(content)
+		)
+		const hash = btoa(String.fromCharCode(...new Uint8Array(hashBuffer)))
+		if (type === 'script') csp.insertScriptHash(`sha256-${hash}`)
+		else csp.insertStyleHash(`sha256-${hash}`)
+	}
+
+	for (const { type, url } of getExternalResources(headItems)) {
+		if (type === 'script') csp.insertScriptResource(url)
+		else csp.insertStyleResource(url)
+	}
+}
 ---
 
 {

package/src/main.ts

@@ -183,6 +183,62 @@ function applyPriorityDefault(tag: Tag): Required<Tag> {
 	return { ...tag, priority }
 }
 
+export function getInlineContent(
+	headItems: HeadItems | HeadItems[]
+): { type: 'script' | 'style'; content: string }[] {
+	const items = Array.isArray(headItems)
+		? mergeHeadItems(headItems.map((i) => normaliseHeadItems(i)))
+		: normaliseHeadItems(headItems)
+
+	const result: { type: 'script' | 'style'; content: string }[] = []
+
+	for (const style of items.style) {
+		if (style.innerHTML) result.push({ type: 'style', content: style.innerHTML })
+	}
+
+	for (const script of items.script) {
+		if (script.innerHTML)
+			result.push({ type: 'script', content: script.innerHTML })
+	}
+
+	for (const item of items.jsonLd) {
+		result.push({
+			type: 'script',
+			content: escapeJsonLd(
+				JSON.stringify({ ...item, '@context': 'https://schema.org' })
+			)
+		})
+	}
+
+	return result
+}
+
+export function getExternalResources(
+	headItems: HeadItems | HeadItems[]
+): { type: 'script' | 'style'; url: string }[] {
+	const items = Array.isArray(headItems)
+		? mergeHeadItems(headItems.map((i) => normaliseHeadItems(i)))
+		: normaliseHeadItems(headItems)
+
+	const result: { type: 'script' | 'style'; url: string }[] = []
+
+	for (const script of items.script) {
+		if (script.src) result.push({ type: 'script', url: script.src })
+	}
+
+	for (const link of items.link) {
+		if (link.rel === 'stylesheet' && link.href)
+			result.push({ type: 'style', url: link.href })
+		else if (link.rel === 'preload' && link.href) {
+			if (link.as === 'script') result.push({ type: 'script', url: link.href })
+			else if (link.as === 'style')
+				result.push({ type: 'style', url: link.href })
+		}
+	}
+
+	return result
+}
+
 function escapeJsonLd(json: string): string {
 	return json.replace(/<\//g, '<\\/')
 }