# CSP Transform

Content security policy nonce and sha checksums.

For each `<style>` and `<script>` element in the shadow DOM, add a `nonce` attribute and create content security policy HTML and text files. Alternatively, you can use the `sha` option to avoid the use of attributes, but you should be certain the elements will not be processed further, otherwise the checksums (computed over the element content at transform time) might not match the content that is served.

The generated text file is suitable for including as an HTTP header:

```
style-src 'self' 'nonce-9566b05df2a2e6503449f5de138e151f51a17ceb'; script-src 'self' 'nonce-fc76f6ed5eb71e5b9ceeb1298b7458e6d1bced7d'
```

The generated HTML file contains a `<meta>` element, for example:

```html
<meta http-equiv="Content-Security-Policy" content="style-src 'self' 'nonce-9566b05df2a2e6503449f5de138e151f51a17ceb'; script-src 'self' 'nonce-fc76f6ed5eb71e5b9ceeb1298b7458e6d1bced7d'">
```
## Install

```shell
npm i trucks-transform-csp --save-dev
```

For the command line interface see trucks-cli.
## Usage

Use the `csp` key to configure this transform:

```javascript
const trucks = require('trucks');

trucks(
  {
    files: ['components.html'],
    transforms: ['csp'],
    conf: {
      transforms: {
        csp: {
          sha: 'sha512',
          dir: 'build/csp'
        }
      }
    }
  }, (err, res) => {
    if (err) {
      throw err;
    }
    console.log(res);
  }
);
```
## API

### csp

```javascript
public csp(state, conf)
```

Generates content security policy files for styles and scripts within the shadow DOM.

Each type is mapped to either a `style_src` or `script_src` policy, using a prefix of `'self'` unless disabled with the `self` option.

Unless the `sha` option is given the operation is in nonce mode, which adds a `nonce` attribute to the matched elements. If the intention is to further process the output with the skate compiler, enable the `statics` option so that the attribute is set as `data-static-nonce`.

When the `sha` option is specified attributes are not added; instead the output contains the base64-encoded computed hashes of each element's content.

Generates the files `csp.html`, containing a `<meta>` element describing the content security policy, and `csp.txt`, containing a value suitable for appending to a `Content-Security-Policy` HTTP header.

Use the `dir`, `text` and `html` options to change the output locations. When `dir` is not given the default output directory is used.

Returns a map of visitor functions.

See https://www.w3.org/TR/CSP2/.

* `state` Object compiler state.
* `conf` Object transform plugin configuration.
#### Options

* `self` Boolean=true include `'self'` in the output.
* `styles` Boolean=true generate csp for styles.
* `scripts` Boolean=true generate csp for scripts.
* `sha` String use sha algorithm (sha256, sha384 or sha512).
* `text` String=csp.txt name of the text output file.
* `html` String=csp.html name of the html output file.
* `dir` String override default output directory.
* `statics` Boolean=false prefix attributes with `data-static-`.
## License

MIT

Created by mkdoc on July 20, 2016