Skip to content

feat: add option to add nonce to style-src directive #81

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: add option to add nonce to style-src directive #81

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e22d95b
feat: add the ability to define style-src
codepunkt Jul 6, 2024
9add6e9
fix: update manifest.yml with styleSrc
codepunkt Jul 6, 2024
81fef24
fix: syntax error
codepunkt Jul 6, 2024
12a6f54
fix: add nonce to style tags
codepunkt Jul 6, 2024
0c88410
docs: update README.md to include `styleSrc`
codepunkt Jul 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# @netlify/plugin-csp-nonce

Use a [nonce](https://content-security-policy.com/nonce/) for the `script-src` directive of your Content Security Policy (CSP) to help prevent [cross-site scripting (XSS)](https://developer.mozilla.org/en-US/docs/Web/Security/Types_of_attacks#cross-site_scripting_xss) attacks.
Use a [nonce](https://content-security-policy.com/nonce/) for the `script-src` (and optionally `style-src`) directive of your Content Security Policy (CSP) to help prevent [cross-site scripting (XSS)](https://developer.mozilla.org/en-US/docs/Web/Security/Types_of_attacks#cross-site_scripting_xss) attacks.

This plugin deploys an edge function that adds a response header and transforms the HTML response body to contain a unique nonce on every request, along with an optional function to log CSP violations.

Expand Down Expand Up @@ -70,6 +70,12 @@ _Default: `[]`_

The glob expressions of path(s) that _should not_ invoke the CSP nonce edge function. Must be an array of strings. This value gets spread with common non-html filetype extensions (`*.css`, `*.js`, `*.svg`, etc).

#### `styleSrc`

_Default: `false`_

When true, adds nonce to the `style-src` directive of your Content Security Policy to prevent attackers from modifying the contents or appearance of your page.

## Debugging

### Limiting edge function invocations
Expand Down
3 changes: 3 additions & 0 deletions manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,6 @@ inputs:
- name: excludedPath
description: The glob expressions of path(s) that *should not* invoke the CSP nonce edge function. Must be an array of strings. This value gets spread with common non-html filetype extensions (*.css, *.js, *.svg, etc)
default: []
- name: styleSrc
description: When true, adds nonce to the `style-src` directive of your Content Security Policy to prevent attackers from modifying the contents or appearance of your page.
default: false
22 changes: 20 additions & 2 deletions src/__csp-nonce.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ type Params = {
unsafeEval: boolean;
path: string | string[];
excludedPath: string[];
styleSrc: boolean;
};
const params = inputs as Params;

Expand Down Expand Up @@ -78,7 +79,10 @@ const handler = async (request: Request, context: Context) => {
`https:`,
`http:`,
].filter(Boolean);
const scriptSrc = `script-src ${rules.join(" ")}`;

const joinedRules = rules.join(" ");
const scriptSrc = `script-src ${joinedRules}`;
const styleSrc = `style-src ${joinedRules}`;
const reportUri = `report-uri ${
params.reportUri || "/.netlify/functions/__csp-violations"
}`;
Expand All @@ -96,6 +100,12 @@ const handler = async (request: Request, context: Context) => {
// https://github.com/netlify/plugin-csp-nonce/issues/72
return d.replace("script-src ", `${scriptSrc} `).trim();
}
// intentionally add trailing space to avoid mangling `style-src-elem`
if (params.styleSrc && d.startsWith("style-src ")) {
// append with trailing space to include any user-supplied values
// https://github.com/netlify/plugin-csp-nonce/issues/72
return d.replace("style-src ", `${styleSrc} `).trim();
}
// intentionally omit report-uri: theirs should take precedence
return d;
})
Expand All @@ -104,18 +114,26 @@ const handler = async (request: Request, context: Context) => {
if (!directives.find((d) => d.startsWith("script-src "))) {
directives.push(scriptSrc);
}
if (params.styleSrc && !directives.find((d) => d.startsWith("style-src "))) {
directives.push(styleSrc);
}
if (!directives.find((d) => d.startsWith("report-uri"))) {
directives.push(reportUri);
}
const value = directives.join("; ");
response.headers.set(header, value);
} else {
// make a new ruleset of directives if no CSP present
const value = [scriptSrc, reportUri].join("; ");
const value = [scriptSrc, params.styleSrc && styleSrc, reportUri].filter(Boolean).join("; ");
response.headers.set(header, value);
}

const querySelectors = ["script", 'link[rel="preload"][as="script"]'];
if (params.styleSrc) {
querySelectors.push("style");
querySelectors.push('link[rel="preload"][as="style"]');
}

return new HTMLRewriter()
.on(querySelectors.join(","), {
element(element: HTMLElement) {
Expand Down