Closed KohanTorabi closed 3 years ago
This is expected - you can see that the default processFn
is responsible for writing all HTML changes made by this plugin: https://github.com/slackhq/csp-html-webpack-plugin/blob/master/plugin.js#L44-L47
To fix this, you should add the lines highlighted in the link above into your custom processFn
function. Specifically, overwriting htmlPluginData.html
with the new html from $.html()
THANKS A LOT
Take a look at this and enjoy
const CspHtmlWebpackPlugin = require('csp-html-webpack-plugin')
const RawSource = require('webpack-sources').RawSource
const crypto = require('crypto')
const cheerio = require('cheerio')
const get = require('lodash.get')
const webpackNonce = crypto.randomBytes(16).toString('base64')
const externalUrls = [
'https://fonts.googleapis.com',
'https://www.googletagmanager.com',
]
function generateServeHeaderFile(builtPolicy, _htmlPluginData, $, compilation) {
let metaTag = $('meta[http-equiv="Content-Security-Policy"]')
// Add element if it doesn't exist.
if (!metaTag.length) {
metaTag = cheerio.load('<meta http-equiv="Content-Security-Policy">')(
'meta'
)
metaTag.prependTo($('head'))
}
// build the policy into the context attr of the csp meta tag
metaTag.attr('content', builtPolicy)
// https://github.com/slackhq/csp-html-webpack-plugin/issues/79#issuecomment-752296938
_htmlPluginData.html = get(_htmlPluginData, 'plugin.options.xhtml', false)
? $.xml()
: $.html()
const header = `{
"headers": [
{
"source": "/**/**",
"headers": [
{
"key": "Content-Security-Policy",
"value": "${builtPolicy}"
},
{
"key": "Referrer-Policy",
"value": "strict-origin"
},
{
"key": "Permissions-Policy",
"value": "accelerometer=(self), ambient-light-sensor=(self), autoplay=(self), battery=(self), camera=(self), cross-origin-isolated=(self), display-capture=(self), document-domain=(self), encrypted-media=(self), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), keyboard-map=(self), magnetometer=(self), microphone=(self), midi=(self), navigation-override=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(self), sync-xhr=(self), usb=(self), web-share=(self), xr-spatial-tracking=(self)"
}
]
}
]
}`
compilation.emitAsset('../serve.json', new RawSource(header))
}
module.exports = [
new CspHtmlWebpackPlugin(
{
'base-uri': "'self'",
'object-src': "'self'",
'script-src': [
"'self'",
"'unsafe-eval'",
// "'unsafe-inline'",
`'nonce-${webpackNonce}'`
].concat(externalUrls),
'style-src': [
"'self'",
"'unsafe-inline'"
// `'nonce-${webpackNonce}'`
].concat(externalUrls)
},
{
enabled: true,
hashingMethod: 'sha256',
hashEnabled: {
'script-src': false,
'style-src': false
},
nonceEnabled: {
'script-src': true,
'style-src': false
},
processFn: generateServeHeaderFile
}
)
]
Description
When I use a custom processFn to procces the built policy, nonces aren't set in HTML elements. It works fine when I remove my custom processFn from additional Options
What type of issue is this? (place an
x
in one of the[ ]
)Reproducible in:
slackhq/csp-html-webpack-plugin version: 4.0.0
Here is my code: