gatsby-plugin-csp - npm Package Compare versions

Comparing version 1.0.0 to 1.0.1

package.json

 {
   "name": "gatsby-plugin-csp",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Adds Content Security Policy to your Gatsby app.",
@@ -5,0 +5,0 @@ "main": "index.js",

README.md

@@ -5,3 +5,3 @@ # gatsby-plugin-csp
 
-`gatsby-plugin-csp` by default creates strict policy, generates script and style hashes and adds `Content-Security-Policy` meta tag to the head.
+`gatsby-plugin-csp` by default creates strict policy, generates script and style hashes then adds `Content-Security-Policy` meta tag to the `<head>` of each page.
 
@@ -25,6 +25,22 @@ ## Install
 
-## Option
+Default Policy:
 
-Default options:
+```
+base-uri 'self';
+default-src 'self';
+script-src 'self' 'sha256-iF/...GM=' 'sha256-BOv...L4=';
+style-src 'self' 'sha256-WCK...jU=';
+object-src 'none';
+form-action 'self';
+font-src 'self' data:;
+connect-src 'self';
+img-src 'self' data:;
+```
 
+sha256 for every inline script and style is generated automatically during the build process and appended to its directive (`script-src` or `style-src`).
+
+## Options
+
+Strict CSP can break a lot of things you use on your website, especially 3rd party scripts like Google Analytics. To allow your 3rd party scripts running, you can adjust the policy through the plugin options.
+
 ```javascript
@@ -35,18 +51,13 @@ // In your gatsby-config.js
     {
-      resolve: `gatsby-plugin-strict-csp`,
+      resolve: `gatsby-plugin-csp`,
       options: {
         disableOnDev: true,
-        mergeScriptHashes: true,
-        mergeStyleHashes: true,
+        mergeScriptHashes: true, // you can disable scripts sha256 hashes
+        mergeStyleHashes: true, // you can disable styles sha256 hashes
         mergeDefaultDirectives: true,
         directives: {
-          "base-uri": "'self'",
-          "default-src": "self",
-          "script-src": "'self'",
-          "style-src": "'self'",
-          "object-src": "'none'",
-          "form-action": "'self'",
-          "font-src": "'self' data:",
-          "connect-src": "'self'",
-          "img-src": "'self' data:"
+          "script-src": "'self' www.google-analytics.com",
+          "style-src": "'self' 'unsafe-inline'",
+          "img-src": "'self' data: www.google-analytics.com"
+          // you can add your directives or override defaults
         }
@@ -53,0 +64,0 @@ }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

6202

increased by11.15%

Number of lines in readme file

66

increased by20%

No dependency changes