npm
Sign UpSign In

trucks-transform-csp

1.0.5 • Public • Published

CSP Transform

Content security policy nonce and sha checksums

For each style and script in the shadow DOM add a nonce attribute and create content security policy HTML and text files alternatively you can use the sha option to avoid the use of attributes but you should be certain the elements will not be processed further otherwise the checksums might not match.

The generated text file is suitable for including as an HTTP header:

style-src 'self' 'nonce-9566b05df2a2e6503449f5de138e151f51a17ceb'; script-src 'self' 'nonce-fc76f6ed5eb71e5b9ceeb1298b7458e6d1bced7d'

The generated HTML file contains a <meta> element, for example:

<meta http-equiv="Content-Security-Policy" content="style-src 'self' 'nonce-9566b05df2a2e6503449f5de138e151f51a17ceb'; script-src 'self' 'nonce-fc76f6ed5eb71e5b9ceeb1298b7458e6d1bced7d'">

Install

npm i trucks-transform-csp --save-dev

For the command line interface see trucks-cli.

Usage

Use the csp key to configure this transform:

const trucks = require('trucks');

trucks(
  {
    files: ['components.html'],
    transforms: ['csp'],
    conf: {
      transforms: {
        csp: {
          sha: 'sha512',
          dir: 'build/csp'
        } 
      }
    }
  }, (err, res) => {
    if(err) {
      throw err; 
    }
    console.log(res);
  }
);

API

csp

public csp(state, conf)

Generates content security policy files for styles and scripts within the shadow DOM.

Each type is mapped to either a style_src or script_src policy using a prefix of 'self' unless disabled using the self option.

Unless the sha option is given the operation is in nonce mode which adds a nonce attribute to the matched elements, if the intention is to further process via the skate compiler you should enable the statics option so that the attribute is set as data-static-nonce.

When the sha option is specified attributes are not added but the output will be base64 encoded computed hashes of each element's content.

Generates the files csp.html containing a <meta> element describing the content security policy and a csp.txt file containing a value suitable for appending to a Content-Security-Policy HTTP header.

Use the dir, text and html options to change the output locations.

When dir is not given the default output directory is used.

Returns map of visitor functions.

See https://www.w3.org/TR/CSP2/.

  • state Object compiler state.
  • conf Object transform plugin configuration.

Options

  • self Boolean=true include 'self' in the output.
  • styles Boolean=true generate csp for styles.
  • scripts Boolean=true generate csp for scripts.
  • sha String use sha algorithm (sha256, sha384 or sha512).
  • text String=csp.txt name of the text output file.
  • html String=csp.html name of the html output file.
  • dir String override default output directory.
  • statics Boolean=false prefix attributes with data-static-.

License

MIT

Created by mkdoc on July 20, 2016

Readme

Keywords

none

Package Sidebar

Install

npm i trucks-transform-csp

Repository

github.com/tmpfs/trucks

Homepage

github.com/tmpfs/trucks#readme

Weekly Downloads

2

Version

1.0.5

License

MIT

Last publish

Collaborators

  • muji
  • tmpfs
Try on RunKit
Report malware