inline-csp-hash

Plugin to generate hash for inline scripts and styles for CSP

Usage no npm install needed!

<script type="module">
  import inlineCspHash from 'https://cdn.skypack.dev/inline-csp-hash';
</script>

README

inline-csp-hash

Build and Test CI npm version Scrutinizer Code Quality Code Coverage Build Status

Plugin to generate hash for inline scripts and styles for CSP.

This plugin is insipred by hash-csp, and operates mostly the same way.

Installation

npm install inline-csp-hash --save

Usage

const gulp = require('gulp');
const hashstream = require('inline-csp-hash');

gulp.task('inline-hash', () => {
  return gulp.src('src/*.html')
    .pipe(hashstream({
      what: 'script',
      replace_cb: (s, hashes) => s.replace(/script-src 'self'[^;]*/, "script-src 'self' " + hashes.join(" "))
    }))
    .pipe(hashstream({
      what: 'style',
      replace_cb: (s, hashes) => s.replace(/style-src 'self'[^;]*/, "style-src 'self' " + hashes.join(" "))
    }))
    .pipe(gulp.dest('dist/'))
  ;
});

Options

  • what: script (default) or style: which tags to process (scripts and styles are processed separately because they are controlled by different CSP directives: script-src and style-src)
  • hash: sha256 (default), sha384, or sha512: hash algorithm to use. SHA family is the only one according to the specification
  • replace_cb: callback to inject gathered hashes into the source file

Tests

Have mocha installed and run npm test