2.2.1 • Published 7 months ago
hwp-csp-plugin v2.2.1
Plugin to add Content-Security-Policy to HTML files generated by html-webpack-plugin
It was heavily inspired by csp-html-webpack-plugin, but it operates a bit differently.
Installation
npm i -D hwp-csp-plugin
Usage
```js
import HtmlWebpackPlugin from 'html-webpack-plugin';
import { HwpCspPlugin } from 'hwp-csp-plugin';

// Webpack configuration object
export default {
  plugins: [
    new HtmlWebpackPlugin({ /* ... */ }),
    new HwpCspPlugin(/* options */),
  ],
};
```
To configure the plugin, pass an object with the following keys to its constructor (all keys are optional):
- `enabled` (boolean, defaults to `true`): whether to enable the plugin;
- `policy` (`Record<string, string | string[]>`): Content Security Policy; keys are `<directives>`, values are `<values>`. Values can be a string (`"'self' https:"`) or arrays (`["'self'", 'https:']`);
- `hashFunc` (one of `sha256`, `sha384` (default), `sha512`): hash function to generate hashes of inline scripts / styles;
- `hashEnabled`: can be either a `boolean` or an object with the following properties:
  - `script` (boolean, defaults to `true`): whether to generate hashes of inline scripts;
  - `style` (boolean, defaults to `true`): whether to generate hashes of inline styles;
- `addIntegrity` (boolean, defaults to `false`): whether to add an `integrity` attribute to inline scripts and styles (controlled by the `hashEnabled` option).
Differences to csp-html-webpack-plugin
- HwpCspPlugin intentionally does not support nonces. Nonces, by definition, must be used only once and be unique for every request.
- HwpCspPlugin does not support html-webpack-plugin < 4.x
- HwpCspPlugin does not enforce a default content security policy.
- HwpCspPlugin uses a subjectively simpler approach to configuration and lets you shoot yourself in the foot.
- HwpCspPlugin is written in TypeScript (not that it is a killer feature, but it hopefully simplifies maintenance)
Things to Do
- Currently the plugin removes existing `<meta http-equiv="Content-Security-Policy"/>` meta tags. However, it could be possible to have multiple CSPs. This needs to be investigated, and if so, then this behavior should be configurable;
- Add callbacks allowing the user to modify the CSP before it is written to the file;
- Consider `unsafe-hashes` and `script-src-attr` / `style-src-attr`.