
Incorrect hashes generated causing CSP violations when styles and javascripts are inlined #154

Open
warnyul opened this issue Dec 9, 2024 · 1 comment

Comments

@warnyul

warnyul commented Dec 9, 2024

Description

The @melloware/csp-webpack-plugin generates incorrect hashes, resulting in CSP violations when using the generated index.html file.

This issue mirrors the problem described in the original issue raised for slackhq/csp-html-webpack-plugin:

To help reproduce and diagnose the problem, I have created a GitHub repository and deployed the site for reference:

Observations

I think I’ve identified the root cause of the CSP violations. It’s related to cheerio when _useHtmlParser2 is set to true. In this mode, cheerio modifies the content of <style> and <script> tags by replacing special characters like <, >, and & with their HTML entities (&lt;, &gt;, &amp;).

This transformation causes a mismatch between the original tag content (used to generate the CSP hash) and the altered content in the output, resulting in CSP violations.

What type of issue is this? (place an x in one of the [ ])

  • [x] bug
  • [ ] enhancement (feature request)
  • [ ] question
  • [ ] documentation related
  • [ ] testing related
  • [ ] discussion

Bug Report

Reproducible in:

@melloware/csp-webpack-plugin version: 6.0.4

node version: 22.10.0

OS version(s): macOS Sequoia 15.01, Ubuntu 24.04

Steps to reproduce:

  1. Clone the reproduction repository: git clone https://github.com/warnyul/bvarga.dev.git
  2. Check out the csp-2 branch: git checkout csp-2
  3. Install dependencies: npm install
  4. Build the project: npm run build
  5. Open index.html in the dist folder using Safari or Google Chrome.

Expected result:

The hashes generated by the @melloware/csp-webpack-plugin should correctly match the content of the built files.

Actual result:

The hashes generated by the plugin do not match the content of the files, causing CSP violations in the browser when accessing the deployed site. Manually generated hashes work correctly when applied.

@melloware
Owner

Feel free to submit a PR
