siarashield_workspace 0.0.20 → 0.0.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +7 -11
- package/package.json +1 -1
- package/.npm-cache/_cacache/content-v2/sha512/9e/ec/aec8be3566a8741b12d6d50270a2b627378de12b494e1a9eb9dceb0eeb5a3efd01ce6e26b32b37fccefebe5ae1f16023abb8c63731fae5779c05dc14ccb5 +0 -1
- package/.npm-cache/_cacache/index-v5/af/03/5c781820370e585dc2323edbbc80669bf714da5b47d56510c7d0bd7521ee +0 -2
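Review bot: Removing the two `package/.npm-cache/_cacache/...` entries (the content-v2 blob and the index-v5 record) is the right call, since a published package should not carry the publisher's local npm cache; to keep this from recurring, restrict the publish set with a `files` allowlist in package.json (or an `.npmignore` entry for `.npm-cache/`) and inspect the tarball contents with `npm pack --dry-run` before publishing.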
package/README.md
CHANGED
|
@@ -109,18 +109,16 @@ To make CSP setup easier for customers, the plugin now exports helpers:
|
|
|
109
109
|
```ts
|
|
110
110
|
import { getSiaraShieldCspPolicy, mergeSiaraShieldCspPolicy } from 'siarashield_workspace';
|
|
111
111
|
|
|
112
|
-
const policy = getSiaraShieldCspPolicy(
|
|
112
|
+
const policy = getSiaraShieldCspPolicy();
|
|
113
113
|
|
|
114
|
-
const mergedPolicy = mergeSiaraShieldCspPolicy("default-src 'self'"
|
|
115
|
-
nonce: 'server-generated-nonce',
|
|
116
|
-
});
|
|
114
|
+
const mergedPolicy = mergeSiaraShieldCspPolicy("default-src 'self'");
|
|
117
115
|
```
|
|
118
116
|
|
|
119
117
|
Recommended CSP baseline:
|
|
120
118
|
|
|
121
119
|
```http
|
|
122
|
-
script-src 'self'
|
|
123
|
-
script-src-elem 'self'
|
|
120
|
+
script-src 'self' https://embedcdn.mycybersiara.com https://embed.mycybersiara.com;
|
|
121
|
+
script-src-elem 'self' https://embedcdn.mycybersiara.com https://embed.mycybersiara.com;
|
|
124
122
|
connect-src 'self' https://embed.mycybersiara.com;
|
|
125
123
|
img-src 'self' data: https://embed.mycybersiara.com;
|
|
126
124
|
style-src 'self' 'unsafe-inline';
|
|
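Review bot: The example drops the `nonce: 'server-generated-nonce'` option from `getSiaraShieldCspPolicy(...)` and the baseline now allowlists `https://embedcdn.mycybersiara.com` and `https://embed.mycybersiara.com` in `script-src` and `script-src-elem` instead; that is a weaker policy than a nonce, because every script those hosts serve becomes executable on the customer page, so the README should state explicitly that nonce support was removed (or how a nonce can still be passed) and why the host allowlist is the new recommendation. The new lines also add the trailing `;` on the two `script-src` directives that the old lines lacked, which is a correct fix, but `style-src 'self' 'unsafe-inline'` stays in the baseline unchanged and deserves a sentence on why inline styles are required.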
@@ -130,9 +128,7 @@ If the customer still loads jQuery from another CDN like Google, they should als
|
|
|
130
128
|
|
|
131
129
|
You can use `getSiaraShieldCspPolicy(...)` to generate the plugin baseline from the plugin side instead of hardcoding it in customer projects.
|
|
132
130
|
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
This package now preloads `SiaraShield_Validation.js` with the same nonce to reduce CSP issues from the vendor bootstrap chain.
|
|
131
|
+
This package now preloads `SiaraShield_Validation.js` to reduce CSP issues from the vendor bootstrap chain.
|
|
136
132
|
|
|
137
133
|
The plugin can help generate the CSP string, but the final CSP header/meta must still be applied by the customer project.
|
|
138
134
|
|
|
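Review bot: The sentence loses "with the same nonce", which confirms the preload of `SiaraShield_Validation.js` no longer carries a nonce; the paragraph should then say which of the two allowlisted hosts serves this file, so a customer applying a narrower CSP than the baseline knows which host entry the preload depends on. The three blank lines removed above it are a harmless whitespace cleanup.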
@@ -140,7 +136,7 @@ The plugin can help generate the CSP string, but the final CSP header/meta must
|
|
|
140
136
|
|
|
141
137
|
- Captcha not visible -> confirm `<div class="SiaraShield"></div>` is present
|
|
142
138
|
- `CheckCaptcha` not available -> ensure `initSiaraShield(...)` ran successfully
|
|
143
|
-
- CSP warning or script load failure -> allow the `script-src`, `connect-src`, and `img-src` hosts above
|
|
139
|
+
- CSP warning or script load failure -> allow the `script-src`, `connect-src`, and `img-src` hosts above
|
|
144
140
|
- Token empty -> check browser console and network calls after clicking submit
|
|
145
141
|
|
|
146
142
|
## Build and pack (library maintainers)
|
|
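Review bot: The removed and added bullet for "CSP warning or script load failure" are textually identical, so this is presumably a trailing-whitespace or line-ending change; if so it is fine, but if the intent was to update the bullet for the new baseline, it should also mention `script-src-elem`, which the baseline above now lists alongside `script-src`, `connect-src` and `img-src`.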
@@ -148,4 +144,4 @@ The plugin can help generate the CSP string, but the final CSP header/meta must
|
|
|
148
144
|
```bash
|
|
149
145
|
npm run build:lib
|
|
150
146
|
npm run pack:lib
|
|
151
|
-
```
|
|
147
|
+
```
|