This plugin will generate meta content for your Content Security Policy tag and input the correct data into your HTML template, generated by html-webpack-plugin.
All inline JS and CSS will be hashed, and inserted into the policy.
Install the plugin with npm:
npm i --save-dev csp-html-webpack-plugin
In the plugins section of your webpack config file, include the following:
new HtmlWebpackPlugin()
new CspHtmlWebpackPlugin()
This CspHtmlWebpackPlugin
accepts 2 params with the following structure:
{object}
Policy (optional) - a flat object which defines your CSP policy. Valid keys and values can be found on the MDN CSP page. Values can either be a string or an array of strings.{object}
Additional Options (optional) - a flat object with the optional configuration options:{boolean|Function}
enabled - if false, or the function returns false, the empty CSP tag will be stripped from the html output.- The
htmlPluginData
is passed into the function as it's first param. - If
enabled
is set the false, it will disable generating a CSP for all instances ofHtmlWebpackPlugin
in your webpack config.
- The
{string}
hashingMethod - accepts 'sha256', 'sha384', 'sha512' - your node version must also accept this hashing method.{object}
hashEnabled - a<string, boolean>
entry for which policy rules are allowed to include hashes{object}
nonceEnabled - a<string, boolean>
entry for which policy rules are allowed to include nonces
The plugin also adds a new config option onto each HtmlWebpackPlugin
instance:
{object}
cspPlugin - an object containing the following properties:{boolean}
enabled - if false, the CSP tag will be removed from the HTML which this HtmlWebpackPlugin instance is generating.{object}
policy - A custom policy which should be applied only to this instance of the HtmlWebpackPlugin{object}
hashEnabled - a<string, boolean>
entry for which policy rules are allowed to include hashes{object}
nonceEnabled - a<string, boolean>
entry for which policy rules are allowed to include nonces
Note that policies and hashEnabled
/ nonceEnabled
are merged in the following order:
> HtmlWebpackPlugin cspPlugin.policy
> CspHtmlWebpackPlugin policy
> CspHtmlWebpackPlugin defaultPolicy
If 2 policies have the same key/policy rule, the former policy will override the latter policy. Entries in a specific rule will not be merged; they will be replaced.
{
'base-uri': "'self'",
'object-src': "'none'",
'script-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"],
'style-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"]
};
{
devAllowUnsafe: false,
enabled: true
hashingMethod: 'sha256',
hashEnabled: {
'script-src': true,
'style-src': true
},
nonceEnabled: {
'script-src': true,
'style-src': true
}
}
new HtmlWebpackPlugin({
cspPlugin: {
enabled: true,
policy: {
'base-uri': "'self'",
'object-src': "'none'",
'script-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"],
'style-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"]
},
hashEnabled: {
'script-src': true,
'style-src': true
},
nonceEnabled: {
'script-src': true,
'style-src': true
}
}
});
new CspHtmlWebpackPlugin({
'base-uri': "'self'",
'object-src': "'none'",
'script-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"],
'style-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"]
}, {
devAllowUnsafe: false,
enabled: true
hashingMethod: 'sha256',
hashEnabled: {
'script-src': true,
'style-src': true
},
nonceEnabled: {
'script-src': true,
'style-src': true
}
})
Contributions are most welcome! Please see the included contributing file for more information.
This project is licensed under MIT. Please see the included license file for more information.