hwp-csp-plugin
v2.2.1
Published
Content Security Policy plugin for html-webpack-plugin
Downloads
219
Maintainers
Readme
hwp-csp-plugin
Plugin to add Content-Security-Policy to HTML files generated by html-webpack-plugin
It was heavily inspired by csp-html-webpack-plugin, but it operates a bit differently.
Installation
npm i -D hwp-csp-plugin
Usage
import { HwpCspPlugin } from 'hwp-csp-plugin';
// Webpack configuration object
export default {
plugins: [
new HtmlWebpackPlugin({ /* ... */ }),
new HwpCspPlugin(/* options */),
],
};
To configure the plugin, pass an object with the following keys to its constructor (all keys are optional):
enabled
(boolean
, defaults totrue
): whether to enable the plugin;policy
(Record<string, string | string[]
>): Content Security Policy; keys are<directives>
, values are<values>
. Values can be a string ("'self' https:"
) or arrays (["'self'", 'https:']
)hashFunc
(one ofsha256
,sha384
(default),sha512
): hash function to generate hashes of inline scripts / styles;hashEnabled
: can be eitherboolean
or an object with the following properties:script
(boolean
, defaults totrue
): whether to generate hashes of inline scripts;style
(boolean
, defaults totrue
): whether to generate hashes of inline styles;
addIntegrity
(boolean
, defaults tofalse
): whether to addintegrity
attribute to inline scripts and styles (controlled byhashEnabled
option).
Differences to csp-html-webpack-plugin
- HwpCspPlugin intentionally does not support nonces. Nonces, by definition, must be used only once and be unique for every request.
- HwpCspPlugin does not support
html-webpack-plugin
< 4.x - HwpCspPlugin does not enforce a default content security policy.
- HwpCspPlugin uses a subjectively simpler approach to configuration and lets you shoot yourself in the foot.
- HwpCspPlugin is written in TypeScript (not that it is a killer feature, but it hopefully simplifies maintenance)
Things to Do
- [ ] Currently the plugin removes existing
<meta http-equiv="Content-Security-Policy"/>
metatags. However, it could be possible to have multiple CSPs. This needs to be investigated, and if so, then this behavior should be configurable; - [ ] Add callbacks allowing the user to modify the CSP before it is written to the file;
- [ ] Consider
unsafe-hashes
andscript-src-attr
/style-src-attr
.