csprefabricate 2.0.22 → 2.1.1

package/CHANGELOG.md

@@ -1,118 +1,21 @@
 # Changelog
 
-## [2.0.22](https://github.com/JamesToohey/csprefabricate/compare/v2.0.21...v2.0.22) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([7fb1d2a](https://github.com/JamesToohey/csprefabricate/commit/7fb1d2abf2fb7f9cf7994c19e503c60fa0e577f4))
-
-## [2.0.21](https://github.com/JamesToohey/csprefabricate/compare/v2.0.20...v2.0.21) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([cdcd28d](https://github.com/JamesToohey/csprefabricate/commit/cdcd28d9fdd32cf80e2ffbb21bc2f9da44a360d4))
-
-## [2.0.20](https://github.com/JamesToohey/csprefabricate/compare/v2.0.19...v2.0.20) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([7f58f49](https://github.com/JamesToohey/csprefabricate/commit/7f58f49c5bc6af0687ad3c941f5886ab3b86db4a))
-
-## [2.0.19](https://github.com/JamesToohey/csprefabricate/compare/v2.0.18...v2.0.19) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([d2172c3](https://github.com/JamesToohey/csprefabricate/commit/d2172c39e3f575bbf4b439fc63a862e1097d1735))
-
-## [2.0.18](https://github.com/JamesToohey/csprefabricate/compare/v2.0.17...v2.0.18) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([6c58a59](https://github.com/JamesToohey/csprefabricate/commit/6c58a592cd1421ad95edf714bb5aba0d3305dc09))
-
-## [2.0.17](https://github.com/JamesToohey/csprefabricate/compare/v2.0.16...v2.0.17) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([c1c0cec](https://github.com/JamesToohey/csprefabricate/commit/c1c0cecbbed2d20df29271c5df5b91305e28e04d))
-
-## [2.0.16](https://github.com/JamesToohey/csprefabricate/compare/v2.0.15...v2.0.16) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([e7358d0](https://github.com/JamesToohey/csprefabricate/commit/e7358d0039fc55ffc500f2a0cc587de9e53acd93))
-
-## [2.0.15](https://github.com/JamesToohey/csprefabricate/compare/v2.0.14...v2.0.15) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([7a3b173](https://github.com/JamesToohey/csprefabricate/commit/7a3b17372d0cff5d00654897593237fac833cc49))
-
-## [2.0.14](https://github.com/JamesToohey/csprefabricate/compare/v2.0.13...v2.0.14) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([06028e6](https://github.com/JamesToohey/csprefabricate/commit/06028e6b81fadadfe34833ad09816daed024c4fd))
-
-## [2.0.13](https://github.com/JamesToohey/csprefabricate/compare/v2.0.12...v2.0.13) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([618e057](https://github.com/JamesToohey/csprefabricate/commit/618e0572ebf57e124a9d206bab9e84c24f62f24f))
-
-## [2.0.12](https://github.com/JamesToohey/csprefabricate/compare/v2.0.11...v2.0.12) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([fc14047](https://github.com/JamesToohey/csprefabricate/commit/fc140477fd270d5d525e14989cf5354d9660346c))
-
-## [2.0.11](https://github.com/JamesToohey/csprefabricate/compare/v2.0.10...v2.0.11) (2026-01-30)
+## [2.1.1](https://github.com/JamesToohey/csprefabricate/compare/v2.1.0...v2.1.1) (2026-02-21)
 
 
 ### Bug Fixes
 
-* try again ([1fbc507](https://github.com/JamesToohey/csprefabricate/commit/1fbc50742191362517c772b911f639af61d9d6a1))
+* Update npm-publish.yaml to fix OIDC error ([#72](https://github.com/JamesToohey/csprefabricate/issues/72)) ([7f77e3b](https://github.com/JamesToohey/csprefabricate/commit/7f77e3b4d7b8447b79d927d521f8d1042ec83655))
 
-## [2.0.10](https://github.com/JamesToohey/csprefabricate/compare/v2.0.9...v2.0.10) (2026-01-30)
+## [2.1.0](https://github.com/JamesToohey/csprefabricate/compare/v2.0.22...v2.1.0) (2026-02-21)
 
 
-### Bug Fixes
-
-* try again ([5e728ae](https://github.com/JamesToohey/csprefabricate/commit/5e728aeaeb4c13f2572e70f7b61dca6fde32f243))
-
-## [2.0.9](https://github.com/JamesToohey/csprefabricate/compare/v2.0.8...v2.0.9) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([bf0266f](https://github.com/JamesToohey/csprefabricate/commit/bf0266fb8f968602bc2bc4bab5eeb3632197a289))
-
-## [2.0.8](https://github.com/JamesToohey/csprefabricate/compare/v2.0.7...v2.0.8) (2026-01-30)
-
-
-### Bug Fixes
-
-* try again ([93a8888](https://github.com/JamesToohey/csprefabricate/commit/93a8888c8a435a8befca4bd60cb830ba1260b040))
-
-## [2.0.7](https://github.com/JamesToohey/csprefabricate/compare/v2.0.6...v2.0.7) (2026-01-30)
-
-
-### Bug Fixes
+### Features
 
-* trigger release please ([57c16d6](https://github.com/JamesToohey/csprefabricate/commit/57c16d606ef27635a3a3a0427a9e187a69722411))
+* Add CSP Level 3 directives and deprecation warnings ([#68](https://github.com/JamesToohey/csprefabricate/issues/68)) ([35e91fa](https://github.com/JamesToohey/csprefabricate/commit/35e91fa51374794dc6a6cb5d661fb39558605ba8))
+* Improve exposed types ([#66](https://github.com/JamesToohey/csprefabricate/issues/66)) ([71028e2](https://github.com/JamesToohey/csprefabricate/commit/71028e293673353b1b966fd9acf0c59c15b54383))
 
-## [2.0.6](https://github.com/JamesToohey/csprefabricate/compare/v2.0.5...v2.0.6) (2026-01-30)
+## [2.0.22](https://github.com/JamesToohey/csprefabricate/compare/v2.0.21...v2.0.22) (2026-01-30)
 
 
 ### Bug Fixes

package/README.md

@@ -13,8 +13,11 @@ This project aims to make creating useful and secure CSPs a more pleasant experi
 Currently `csprefabricate`:
 
 - Validates directive names
+- Supports CSP Level 3 directives (`script-src-elem`, `script-src-attr`, `style-src-elem`, `style-src-attr`, `webrtc`)
+- Supports CSP Level 3 keyword sources (`'wasm-unsafe-eval'`, `'inline-speculation-rules'`, `'unsafe-allow-redirects'`, `'trusted-types-eval'`, `'report-sample'`, `'report-sha256'`, `'report-sha384'`, `'report-sha512'`, `'unsafe-webtransport-hashes'`)
 - Supports providing a list of TLDs for a given domain name
 - Provides warnings for insecure or incomplete CSP configurations, with options to disable specific warnings
+- Warns about deprecated directives (`plugin-types`, `report-uri`, `block-all-mixed-content`)
 
 ## Common CSP Issues
 
@@ -25,6 +28,7 @@ By default, `csprefabricate` will warn you about common CSP issues, such as:
 - Use of `'unsafe-inline'` in `script-src`, even if nonces or hashes are present
 - Missing nonces or hashes when using `'unsafe-inline'` in `script-src`
 - Allowing `data:` in `img-src` or `media-src`
+- Use of deprecated directives (`plugin-types`, `report-uri`, `block-all-mixed-content`)
 
 You can control which warnings are shown by passing an optional `WarningOptions` object to the `create` function:
 
@@ -48,6 +52,7 @@ const warningOptions: WarningOptions = {
     unsafeInline: false,
     missingNonceOrHash: false,
     dataUri: false,
+    deprecatedDirectives: false,
 };
 
 create(csp, warningOptions);
@@ -118,6 +123,55 @@ const cspString = create(csp);
 // "img-src 'self' *.example.com *.example.co.uk *.example.net;"
 ```
 
+### Example 4: Using CSP Level 3 Directives and Keywords
+
+CSP Level 3 introduced more granular control over scripts and styles, plus new keyword sources:
+
+```typescript
+import {create, Directive, ContentSecurityPolicy} from "csprefabricate";
+
+const csp: ContentSecurityPolicy = {
+    [Directive.DEFAULT_SRC]: ["self"],
+    // Control <script> elements separately from inline event handlers
+    [Directive.SCRIPT_SRC_ELEM]: ["self", "https://cdn.example.com"],
+    [Directive.SCRIPT_SRC_ATTR]: ["none"],
+    // Control <style> elements separately from inline styles
+    [Directive.STYLE_SRC_ELEM]: ["self"],
+    [Directive.STYLE_SRC_ATTR]: ["unsafe-inline"],
+    // Allow WebAssembly compilation (but not eval)
+    [Directive.SCRIPT_SRC]: ["self", "wasm-unsafe-eval"],
+    // Control WebRTC connections
+    [Directive.WEBRTC]: ["allow"],
+    [Directive.OBJECT_SRC]: ["none"],
+    [Directive.BASE_URI]: ["self"],
+};
+
+const cspString = create(csp);
+// "default-src 'self'; script-src-elem 'self' https://cdn.example.com; script-src-attr 'none'; style-src-elem 'self'; style-src-attr 'unsafe-inline'; script-src 'self' 'wasm-unsafe-eval'; webrtc 'allow'; object-src 'none'; base-uri 'self';"
+```
+
+#### CSP Level 3 Keyword Sources
+
+CSP Level 3 introduces several new keyword sources that are automatically wrapped in single quotes:
+
+- **`'wasm-unsafe-eval'`** - Allows WebAssembly compilation without allowing JavaScript eval
+- **`'inline-speculation-rules'`** - Allows inline speculation rules for prefetching
+- **`'unsafe-allow-redirects'`** - Allows redirects in navigation (experimental)
+- **`'trusted-types-eval'`** - Allows eval when combined with Trusted Types
+- **`'report-sample'`** - Includes code samples in violation reports
+- **`'report-sha256'`, `'report-sha384'`, `'report-sha512'`** - Generates hash-based reports for subresources
+- **`'unsafe-webtransport-hashes'`** - Allows WebTransport connections with certificate hashes
+
+## Deprecated Directives
+
+Some CSP directives have been deprecated in favor of newer alternatives. `csprefabricate` will warn you when using these directives:
+
+- **`plugin-types`** - Never widely supported, scheduled for removal
+- **`report-uri`** - Use `report-to` instead
+- **`block-all-mixed-content`** - Use `upgrade-insecure-requests` instead
+
+These directives are still functional but may be removed from future CSP specifications. You can disable these warnings by setting `deprecatedDirectives: false` in your `WarningOptions`.
+
 ## Baseline Recommended CSPs
 
 You can quickly generate a recommended Content Security Policy for common use cases using built-in baselines.

package/dist/helpers.d.ts

@@ -5,6 +5,7 @@ export interface WarningOptions {
     unsafeInline?: boolean;
     missingNonceOrHash?: boolean;
     dataUri?: boolean;
+    deprecatedDirectives?: boolean;
 }
 export declare function warnOnCspIssues(csp: ContentSecurityPolicy, overrides?: WarningOptions): void;
 export declare const isValidDirective: (directive: string) => boolean;

package/dist/helpers.js

@@ -9,6 +9,7 @@ const DEFAULT_WARNINGS = {
     unsafeInline: true,
     missingNonceOrHash: true,
     dataUri: true,
+    deprecatedDirectives: true,
 };
 const validDirectives = [
     "default-src",
@@ -36,6 +37,12 @@ const validDirectives = [
     "trusted-types",
     "upgrade-insecure-requests",
     "block-all-mixed-content",
+    "script-src-elem",
+    "script-src-attr",
+    "style-src-elem",
+    "style-src-attr",
+    "webrtc",
+    "fenced-frame-src",
 ];
 const specialRules = [
     "none",
@@ -44,6 +51,18 @@ const specialRules = [
     "unsafe-eval",
     "strict-dynamic",
     "unsafe-hashes",
+    "wasm-unsafe-eval",
+    "inline-speculation-rules",
+    "unsafe-allow-redirects",
+    "trusted-types-eval",
+    "report-sample",
+    "report-sha256",
+    "report-sha384",
+    "report-sha512",
+    "unsafe-webtransport-hashes",
+    "allow",
+    "block",
+    "script",
 ];
 function warnOnCspIssues(csp, overrides = {}) {
     const options = { ...DEFAULT_WARNINGS, ...overrides };
@@ -102,6 +121,18 @@ function warnOnCspIssues(csp, overrides = {}) {
             }
         });
     }
+    // 6. Deprecated directives
+    if (options.deprecatedDirectives) {
+        if (types_1.Directive.PLUGIN_TYPES in csp) {
+            console.warn(`[CSPrefabricate] Directive 'plugin-types' is deprecated and may be removed in future CSP versions. This directive was never widely supported.`);
+        }
+        if (types_1.Directive.REPORT_URI in csp) {
+            console.warn(`[CSPrefabricate] Directive 'report-uri' is deprecated and may be removed in future CSP versions. Use 'report-to' instead.`);
+        }
+        if (types_1.Directive.BLOCK_ALL_MIXED_CONTENT in csp) {
+            console.warn(`[CSPrefabricate] Directive 'block-all-mixed-content' is deprecated and may be removed in future CSP versions. Use 'upgrade-insecure-requests' instead.`);
+        }
+    }
 }
 const isValidDirective = (directive) => validDirectives.includes(directive);
 exports.isValidDirective = isValidDirective;

package/dist/index.d.ts

@@ -1,6 +1,7 @@
-import { Directive } from "./types";
 import { create } from "./utils";
 import * as Baseline from "./baseline";
 export { Baseline };
-export { create, Directive };
-export type { ContentSecurityPolicy } from "./types";
+export { create };
+export { Directive } from "./types";
+export type { ContentSecurityPolicy, Rules, BasicDirectiveRule, BlankDirectiveRule, AllowBlockRule, RequireTrustedTypesForRule, CSPDirective, CSP, } from "./types";
+export type { WarningOptions } from "./helpers";

package/dist/index.js

@@ -34,9 +34,9 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Directive = exports.create = exports.Baseline = void 0;
-const types_1 = require("./types");
-Object.defineProperty(exports, "Directive", { enumerable: true, get: function () { return types_1.Directive; } });
 const utils_1 = require("./utils");
 Object.defineProperty(exports, "create", { enumerable: true, get: function () { return utils_1.create; } });
 const Baseline = __importStar(require("./baseline"));
 exports.Baseline = Baseline;
+var types_1 = require("./types");
+Object.defineProperty(exports, "Directive", { enumerable: true, get: function () { return types_1.Directive; } });

package/dist/test/type-exports.typecheck.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/type-exports.typecheck.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("../index");
+const rules = ["self", "example.com"];
+const basicRule = ["self", "example.com"];
+const blankRule = null;
+const allowBlockRule = ["allow"];
+const requireTrustedTypesForRule = ["script"];
+const directive = index_1.Directive.DEFAULT_SRC;
+const csp = { [directive]: rules };
+const cspByName = { [index_1.Directive.SCRIPT_SRC]: basicRule };
+const options = { overlyPermissive: false };
+void rules;
+void basicRule;
+void blankRule;
+void allowBlockRule;
+void requireTrustedTypesForRule;
+void directive;
+void csp;
+void cspByName;
+void options;

package/dist/types.d.ts

@@ -23,11 +23,19 @@ declare enum Directive {
     REQUIRE_TRUSTED_TYPES_FOR = "require-trusted-types-for",
     TRUSTED_TYPES = "trusted-types",
     UPGRADE_INSECURE_REQUESTS = "upgrade-insecure-requests",
-    BLOCK_ALL_MIXED_CONTENT = "block-all-mixed-content"
+    BLOCK_ALL_MIXED_CONTENT = "block-all-mixed-content",
+    SCRIPT_SRC_ELEM = "script-src-elem",
+    SCRIPT_SRC_ATTR = "script-src-attr",
+    STYLE_SRC_ELEM = "style-src-elem",
+    STYLE_SRC_ATTR = "style-src-attr",
+    WEBRTC = "webrtc",
+    FENCED_FRAME_SRC = "fenced-frame-src"
 }
 type BasicDirectiveRule = Array<string | Record<string, Array<string>>>;
 type BlankDirectiveRule = null;
-type Rules = BasicDirectiveRule | BlankDirectiveRule;
+type AllowBlockRule = Array<"allow" | "block">;
+type RequireTrustedTypesForRule = ["script"];
+type Rules = BasicDirectiveRule | BlankDirectiveRule | AllowBlockRule | RequireTrustedTypesForRule;
 interface ContentSecurityPolicy {
     [Directive.DEFAULT_SRC]?: BasicDirectiveRule;
     [Directive.SCRIPT_SRC]?: BasicDirectiveRule;
@@ -50,9 +58,17 @@ interface ContentSecurityPolicy {
     [Directive.MANIFEST_SRC]?: BasicDirectiveRule;
     [Directive.PREFETCH_SRC]?: BasicDirectiveRule;
     [Directive.NAVIGATE_TO]?: BasicDirectiveRule;
-    [Directive.REQUIRE_TRUSTED_TYPES_FOR]?: BasicDirectiveRule;
+    [Directive.REQUIRE_TRUSTED_TYPES_FOR]?: RequireTrustedTypesForRule;
     [Directive.TRUSTED_TYPES]?: BasicDirectiveRule;
     [Directive.UPGRADE_INSECURE_REQUESTS]?: BlankDirectiveRule;
     [Directive.BLOCK_ALL_MIXED_CONTENT]?: BlankDirectiveRule;
+    [Directive.SCRIPT_SRC_ELEM]?: BasicDirectiveRule;
+    [Directive.SCRIPT_SRC_ATTR]?: BasicDirectiveRule;
+    [Directive.STYLE_SRC_ELEM]?: BasicDirectiveRule;
+    [Directive.STYLE_SRC_ATTR]?: BasicDirectiveRule;
+    [Directive.WEBRTC]?: AllowBlockRule;
+    [Directive.FENCED_FRAME_SRC]?: BasicDirectiveRule;
 }
-export { ContentSecurityPolicy, Rules, Directive, BasicDirectiveRule };
+type CSPDirective = Directive;
+type CSP = ContentSecurityPolicy;
+export { ContentSecurityPolicy, Rules, Directive, BasicDirectiveRule, BlankDirectiveRule, AllowBlockRule, RequireTrustedTypesForRule, CSPDirective, CSP, };

package/dist/types.js

@@ -28,4 +28,10 @@ var Directive;
     Directive["TRUSTED_TYPES"] = "trusted-types";
     Directive["UPGRADE_INSECURE_REQUESTS"] = "upgrade-insecure-requests";
     Directive["BLOCK_ALL_MIXED_CONTENT"] = "block-all-mixed-content";
+    Directive["SCRIPT_SRC_ELEM"] = "script-src-elem";
+    Directive["SCRIPT_SRC_ATTR"] = "script-src-attr";
+    Directive["STYLE_SRC_ELEM"] = "style-src-elem";
+    Directive["STYLE_SRC_ATTR"] = "style-src-attr";
+    Directive["WEBRTC"] = "webrtc";
+    Directive["FENCED_FRAME_SRC"] = "fenced-frame-src";
 })(Directive || (exports.Directive = Directive = {}));

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "csprefabricate",
-    "version": "2.0.22",
+    "version": "2.1.1",
     "description": "Generate valid and secure Content Security Policies (CSP) with TypeScript.",
     "keywords": [
         "csp",
@@ -23,6 +23,12 @@
         "name": "James Toohey",
         "url": "https://github.com/JamesToohey"
     },
+    "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/JamesToohey"
+    },
+    "type": "commonjs",
+    "sideEffects": false,
     "packageManager": "yarn@4.12.0",
     "exports": {
         ".": {
@@ -41,6 +47,8 @@
     ],
     "scripts": {
         "build": "tsc --project tsconfig.build.json",
+        "format": "prettier --write .",
+        "format:check": "prettier --check .",
         "functional-test": "yarn build && tsx --test src/test/functional/functional.test.js",
         "lint": "eslint .",
         "pack": "npm pack",