hwp-csp-plugin

Plugin to add Content-Security-Policy to HTML files generated by html-webpack-plugin

It was heavily inspired by csp-html-webpack-plugin, but it operates a bit differently.

Installation

npm i -D hwp-csp-plugin

Usage

import { HwpCspPlugin } from 'hwp-csp-plugin';

// Webpack configuration object
export default {

    plugins: [
        new HtmlWebpackPlugin({ /* ... */ }),
        new HwpCspPlugin(/* options */),
    ],
};

To configure the plugin, pass an object with the following keys to its constructor (all keys are optional):

enabled (boolean, defaults to true): whether to enable the plugin;
policy (Record<string, string | string[]>): Content Security Policy; keys are <directives>, values are <values>. Values can be a string ("'self' https:") or arrays (["'self'", 'https:'])
hashFunc (one of sha256, sha384 (default), sha512): hash function to generate hashes of inline scripts / styles;
hashEnabled: can be either boolean or an object with the following properties:
- script (boolean, defaults to true): whether to generate hashes of inline scripts;
- style (boolean, defaults to true): whether to generate hashes of inline styles;
addIntegrity (boolean, defaults to false): whether to add integrity attribute to inline scripts and styles (controlled by hashEnabled option).

Differences to csp-html-webpack-plugin

HwpCspPlugin intentionally does not support nonces. Nonces, by definition, must be used only once and be unique for every request.
HwpCspPlugin does not support html-webpack-plugin < 4.x
HwpCspPlugin does not enforce a default content security policy.
HwpCspPlugin uses a subjectively simpler approach to configuration and lets you shoot yourself in the foot.
HwpCspPlugin is written in TypeScript (not that it is a killer feature, but it hopefully simplifies maintenance)

Things to Do

Currently the plugin removes existing <meta http-equiv="Content-Security-Policy"/> metatags. However, it could be possible to have multiple CSPs. This needs to be investigated, and if so, then this behavior should be configurable;
Add callbacks allowing the user to modify the CSP before it is written to the file;
Consider unsafe-hashes and script-src-attr / style-src-attr.

Name		Name	Last commit message	Last commit date
Latest commit History 1,206 Commits
.github		.github
src		src
.gitignore		.gitignore
.npmrc		.npmrc
.prettierignore		.prettierignore
.prettierrc.json		.prettierrc.json
LICENSE		LICENSE
README.md		README.md
eslint.config.mjs		eslint.config.mjs
package-lock.json		package-lock.json
package.json		package.json
tsconfig.json		tsconfig.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Repository files navigation

hwp-csp-plugin

Installation

Usage

Differences to csp-html-webpack-plugin

Things to Do

About

Uh oh!

Releases 10

Sponsor this project

Uh oh!

Uh oh!

Contributors 5

Uh oh!

Languages

Uh oh!

License

sjinks/hwp-csp-plugin

Folders and files

Latest commit

History

Repository files navigation

hwp-csp-plugin

Installation

Usage

Differences to csp-html-webpack-plugin

Things to Do

About

Topics

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases 10

Sponsor this project

Uh oh!

Uh oh!

Contributors 5

Uh oh!

Languages