From 1be6906b7edc30ad2204d06fdc3e4b7c953f16b0 Mon Sep 17 00:00:00 2001 From: StephanBijzitter Date: Wed, 15 Sep 2021 15:33:42 +0200 Subject: [PATCH] Allow nonceEnabled and hashEnabled to take single boolean values Providing a single boolean value to either of these options will now apply the value to each provided policy directive. Closes slackhq/csp-html-webpack-plugin#98 --- README.md | 4 ++-- plugin.js | 37 +++++++++++++++++++++++++------------ 2 files changed, 27 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index b1a4eb4..c484a89 100644 --- a/README.md +++ b/README.md @@ -83,8 +83,8 @@ This `CspHtmlWebpackPlugin` accepts 2 params with the following structure: - The `htmlPluginData` is passed into the function as it's first param. - If `enabled` is set the false, it will disable generating a CSP for all instances of `HtmlWebpackPlugin` in your webpack config. - `{string}` hashingMethod - accepts 'sha256', 'sha384', 'sha512' - your node version must also accept this hashing method. - - `{object}` hashEnabled - a `` entry for which policy rules are allowed to include hashes - - `{object}` nonceEnabled - a `` entry for which policy rules are allowed to include nonces + - `{boolean|object}` hashEnabled - a `` entry for which policy rules are allowed to include hashes, or a single boolean value to apply to all policy rules + - `{boolean|object}` nonceEnabled - a `` entry for which policy rules are allowed to include nonces, or a single boolean value to apply to all policy rules - `{Function}` processFn - allows the developer to overwrite the default method of what happens to the CSP after it has been created - Parameters are: - `builtPolicy`: a `string` containing the completed policy; diff --git a/plugin.js b/plugin.js index 56b927c..dc158ca 100644 --- a/plugin.js +++ b/plugin.js 
@@ -46,6 +46,17 @@ const defaultProcessFn = (builtPolicy, htmlPluginData, $) => { : $.html(); }; +const convert = (keys, value) => + typeof value !== 'boolean' + ? value + : keys.reduce( + (previousValue, currentValue) => ({ + ...previousValue, + [currentValue]: value, + }), + {} + ); + const defaultPolicy = { 'base-uri': "'self'", 'object-src': "'none'", @@ -56,14 +67,8 @@ const defaultPolicy = { const defaultAdditionalOpts = { enabled: true, hashingMethod: 'sha256', - hashEnabled: { - 'script-src': true, - 'style-src': true, - }, - nonceEnabled: { - 'script-src': true, - 'style-src': true, - }, + hashEnabled: true, + nonceEnabled: true, processFn: defaultProcessFn, }; @@ -112,14 +117,22 @@ class CspHtmlWebpackPlugin { this.validatePolicy(compilation); // 2. Lets set which hashes and nonces are enabled for this HtmlWebpackPlugin instance + const policyKeys = Object.keys(this.policy); + this.hashEnabled = Object.freeze({ - ...this.opts.hashEnabled, - ...get(htmlPluginData, 'plugin.options.cspPlugin.hashEnabled', {}), + ...convert(policyKeys, this.opts.hashEnabled), + ...convert( + policyKeys, + get(htmlPluginData, 'plugin.options.cspPlugin.hashEnabled', {}) + ), }); this.nonceEnabled = Object.freeze({ - ...this.opts.nonceEnabled, - ...get(htmlPluginData, 'plugin.options.cspPlugin.nonceEnabled', {}), + ...convert(policyKeys, this.opts.nonceEnabled), + ...convert( + policyKeys, + get(htmlPluginData, 'plugin.options.cspPlugin.nonceEnabled', {}) + ), }); // 3. Get the processFn for this HtmlWebpackPlugin instance.
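Review bot: `convert` builds the directive map with an object spread inside `reduce`, which re-copies the accumulator on every step, and its name says nothing about what it is for; `Object.fromEntries(keys.map((key) => [key, value]))` does the same in one linear pass and reads as the intent. The helper also deserves a JSDoc line such as `/** Expand a boolean hashEnabled/nonceEnabled option into a { directive: boolean } map over keys; non-boolean values are returned untouched. */`. Note that the non-boolean branch returns whatever it is given, so a string or number supplied for these options is later spread into the frozen map without complaint; if the plugin wants to reject that, a plain-object check in this helper is the natural place for it.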
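Review bot: Replacing the shipped default `{ 'script-src': true, 'style-src': true }` with `true` means hashes and nonces are now enabled for every key of the policy, including `base-uri` and `object-src` from `defaultPolicy` and any directive a user adds, rather than the two directives the old default named. Whether that changes the emitted policy depends on which directives the injection code consults, which is outside this hunk, but the wider default is now implicit and the commit message only describes the new option form. Either keeping the explicit two-key object as the default or a comment on the new lines such as `// true expands to every policy directive via convert()` would record the decision.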
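Review bot: `policyKeys` is taken from `this.policy` at step 2, so a boolean option only expands over the directives known at that point; if the per-instance `cspPlugin.policy` from `htmlPluginData` is merged into the policy in a later step (the enclosing method continues outside the hunk), a directive that exists only per-instance never receives a `hashEnabled`/`nonceEnabled` entry and silently stays off. Deriving the keys from the same merged policy that the hashes are applied to, or computing `policyKeys` after that merge, would close the gap; the same applies to the `nonceEnabled` block below. A comment on the new line, such as `// boolean options expand over these directives; per-instance values override per key`, would also make the precedence of the two spreads visible, since a per-instance `false` now clears every directive rather than one.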