strict-csp-html-webpack-plugin
Advanced tools
Comparing version 1.0.0-beta.2 to 1.0.1
{ | ||
"name": "strict-csp-html-webpack-plugin", | ||
"version": "1.0.0-beta.2", | ||
"version": "1.0.1", | ||
"description": "A webpack plugin that adds a hash-based strict CSP to help protect your site against XSS attacks.", | ||
@@ -5,0 +5,0 @@ "main": "plugin.js", |
@@ -22,2 +22,3 @@ /** | ||
enableTrustedTypes: false, | ||
enableUnsafeEval: false, | ||
}; | ||
@@ -48,3 +49,4 @@ | ||
this.options.enableTrustedTypes, | ||
true | ||
true, | ||
this.options.enableUnsafeEval | ||
); | ||
@@ -66,8 +68,10 @@ strictCspModule.addMetaTag(strictCsp); | ||
(compilation) => { | ||
this.htmlWebpackPlugin | ||
.getHooks(compilation) | ||
.beforeEmit.tapAsync( | ||
'StrictCspHtmlWebpackPlugin', | ||
this.processCsp.bind(this, compilation) | ||
); | ||
const hook = typeof this.htmlWebpackPlugin.getHooks === 'function' ? | ||
this.htmlWebpackPlugin.getHooks(compilation).beforeEmit : // html-webpack-plugin v4 and above | ||
compilation.hooks.htmlWebpackPluginAfterHtmlProcessing; // html-webpack-plugin v3 | ||
hook.tapAsync( | ||
'StrictCspHtmlWebpackPlugin', | ||
this.processCsp.bind(this, compilation) | ||
); | ||
} | ||
@@ -74,0 +78,0 @@ ); |
@@ -1,34 +0,28 @@ | ||
⚠️⚠️⚠️⚠️ | ||
# strict-csp-html-webpack-plugin | ||
**This is an MVP. Work in Progress. | ||
Do not use in production!** | ||
[Available on npm](https://www.npmjs.com/package/strict-csp-html-webpack-plugin). | ||
⚠️⚠️⚠️⚠️ | ||
⚠️ This is experimental. Do not use in production. Make sure to check [what's not supported](https://github.com/google/strict-csp/issues?q=is%3Aissue+is%3Aopen+label%3Afeature). | ||
strict-csp-html-webpack-plugin sets up a [strict Content-Security-Policy (CSP)](https://web.dev/strict-csp) to help protect your site against XSS attacks. It's a hash-based CSP. | ||
## What this plugin does: defense-in-depth against XSS 🛡 | ||
**This plugin is best-suited for single-page applications. If you have server-side logics, use a nonce-based strict CSP instead.** | ||
## What this plugin does | ||
Cross-site scripting (XSS)—the ability to inject malicious scripts into a web application—has been one of the biggest web security vulnerabilities for over a decade. | ||
- It replaces sourced scripts with an inline script that dynamically loads all sourced scripts. | ||
- It creates a strict hash-based CSP that efficiently helps protect your site against XSS. This CSP is set in a meta tag. It looks like this: `script-src {HASH-INLINE-SCRIPT} 'strict-dynamic'; object-src 'none'; base-uri 'none';`. `{HASH-INLINE-SCRIPT}` is the hash on the inline script that dynamically loads all sources scripts. | ||
strict-csp-html-webpack-plugin helps protect your single-page application against XSS attacks. It does so by configuring a [strict Content-Security-Policy (CSP)](https://web.dev/strict-csp) for your application. | ||
Note: if you have other inline scripts, the plugin takes care of them too: it adds their hash to the CSP to ensure they can be loaded. | ||
A strict CSP, added in the form of a meta tag, looks as follows: | ||
### How it works | ||
```html | ||
<meta | ||
http-equiv="Content-Security-Policy" | ||
content="script-src 'sha256-3uCZp...oQxI=' 'strict-dynamic'; style-src 'self' 'unsafe-inline'" | ||
</meta> | ||
``` | ||
strict-csp-webpack-plugin uses the `strict-csp` library to form a strict CSP and hooks into `HtmlWebpackPlugin` to set up this CSP as a `meta` HTML tag. | ||
## Quickstart 🚀 | ||
### Not supported | ||
- XML | ||
- Custom configuration for the hashing algorithm (right now, only sha256) | ||
- `prefetch` scripts | ||
## Quickstart | ||
### Step 1: install the plugin | ||
`npm i --save strict-csp-html-webpack-plugin` | ||
`npm i --save strict-csp-html-webpack-plugin@beta` | ||
@@ -80,1 +74,4 @@ (or with `yarn`) | ||
| `enableTrustedTypes` | `true` | When `true`, enables [trusted types](https://web.dev/trusted-types) for additional protections against DOM XSS attacks. | | ||
| `enableUnsafeEval` | `false` | When `true`, enables [unsafe-eval](https://web.dev/strict-csp/) in case you cannot remove all uses of `eval()`. | | ||
No v1
QualityPackage is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
6271
72
1
77