CSP Webpack Plugin

This plugin takes result html from HtmlWebpackPlugin, generates content security policy and adds it to meta tag element.

Features

• compute hashes for inline script element
• extract domains for external script element
• insert content security policy in meta tag

Usage

Add this plugin in webpack config with custom content security policy

new HtmlWebpackPlugin(),
new CSPWebpackPlugin({
  'object-src': '\'none\'',
  'base-uri': '\'self\'',
  'script-src': ['\'unsafe-inline\'', '\'self\'', '\'unsafe-eval\'','http://ajax.googleapis.com'],
  'worker-src': ['\'self\'','blob:']
  })

Add this placeholder %%CSP_CONTENT%% to your index template

<meta http-equiv="Content-Security-Policy" content="%%CSP_CONTENT%%">