strict-csp-html-webpack-plugin - npm Package Compare versions

strict-csp-html-webpack-plugin

Package Overview

Dependencies

Maintainers

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

Comparing version 1.0.0-beta.2 to 1.0.1

package.json

		{
		"name": "strict-csp-html-webpack-plugin",
		"version": "1.0.0-beta.2",
		"version": "1.0.1",
		"description": "A webpack plugin that adds a hash-based strict CSP to help protect your site against XSS attacks.",
		@@ -5,0 +5,0 @@ "main": "plugin.js",

plugin.js

		@@ -22,2 +22,3 @@ /**
		enableTrustedTypes: false,
		enableUnsafeEval: false,
		};
		@@ -48,3 +49,4 @@
		this.options.enableTrustedTypes,
		true
		true,
		this.options.enableUnsafeEval
		);
		@@ -66,8 +68,10 @@ strictCspModule.addMetaTag(strictCsp);
		(compilation) => {
		this.htmlWebpackPlugin
		.getHooks(compilation)
		.beforeEmit.tapAsync(
		'StrictCspHtmlWebpackPlugin',
		this.processCsp.bind(this, compilation)
		);
		const hook = typeof this.htmlWebpackPlugin.getHooks === 'function' ?
		this.htmlWebpackPlugin.getHooks(compilation).beforeEmit : // html-webpack-plugin v4 and above
		compilation.hooks.htmlWebpackPluginAfterHtmlProcessing; // html-webpack-plugin v3

		hook.tapAsync(
		'StrictCspHtmlWebpackPlugin',
		this.processCsp.bind(this, compilation)
		);
		}
		@@ -74,0 +78,0 @@ );

README.md

		@@ -1,34 +0,28 @@
		⚠️⚠️⚠️⚠️
		# strict-csp-html-webpack-plugin

		**This is an MVP. Work in Progress.
		Do not use in production!**
		[Available on npm](https://www.npmjs.com/package/strict-csp-html-webpack-plugin).

		⚠️⚠️⚠️⚠️
		⚠️ This is experimental. Do not use in production. Make sure to check [what's not supported](https://github.com/google/strict-csp/issues?q=is%3Aissue+is%3Aopen+label%3Afeature).

		strict-csp-html-webpack-plugin sets up a [strict Content-Security-Policy (CSP)](https://web.dev/strict-csp) to help protect your site against XSS attacks. It's a hash-based CSP.
		## What this plugin does: defense-in-depth against XSS 🛡

		This plugin is best-suited for single-page applications. If you have server-side logics, use a nonce-based strict CSP instead.

		## What this plugin does
		Cross-site scripting (XSS)—the ability to inject malicious scripts into a web application—has been one of the biggest web security vulnerabilities for over a decade.

		- It replaces sourced scripts with an inline script that dynamically loads all sourced scripts.
		- It creates a strict hash-based CSP that efficiently helps protect your site against XSS. This CSP is set in a meta tag. It looks like this: `script-src {HASH-INLINE-SCRIPT} 'strict-dynamic'; object-src 'none'; base-uri 'none';`. `{HASH-INLINE-SCRIPT}` is the hash on the inline script that dynamically loads all sources scripts.
		strict-csp-html-webpack-plugin helps protect your single-page application against XSS attacks. It does so by configuring a [strict Content-Security-Policy (CSP)](https://web.dev/strict-csp) for your application.

		Note: if you have other inline scripts, the plugin takes care of them too: it adds their hash to the CSP to ensure they can be loaded.
		A strict CSP, added in the form of a meta tag, looks as follows:

		### How it works
		```html
		<meta
		http-equiv="Content-Security-Policy"
		content="script-src 'sha256-3uCZp...oQxI=' 'strict-dynamic'; style-src 'self' 'unsafe-inline'"
		</meta>
		```

		strict-csp-webpack-plugin uses the `strict-csp` library to form a strict CSP and hooks into `HtmlWebpackPlugin` to set up this CSP as a `meta` HTML tag.
		## Quickstart 🚀

		### Not supported

		- XML
		- Custom configuration for the hashing algorithm (right now, only sha256)
		- `prefetch` scripts

		## Quickstart

		### Step 1: install the plugin

		`npm i --save strict-csp-html-webpack-plugin`
		`npm i --save strict-csp-html-webpack-plugin@beta`

		@@ -80,1 +74,4 @@ (or with `yarn`)
		\| `enableTrustedTypes` \| `true` \| When `true`, enables [trusted types](https://web.dev/trusted-types) for additional protections against DOM XSS attacks. \|
		\| `enableUnsafeEval` \| `false` \| When `true`, enables [unsafe-eval](https://web.dev/strict-csp/) in case you cannot remove all uses of `eval()`. \|

Fixed alerts

Improved metrics

Worsened metrics