
TODOs: Features under consideration #1

Open
josh-hemphill opened this issue May 10, 2021 · 3 comments
Labels
pinned Long-running items

Comments

josh-hemphill (Owner) commented May 10, 2021

Nonce support

Unfortunately supporting nonces requires supporting SSR since a nonce has to be unique to each session, and it's on the implementer to create and manage sessions. This means creating an interface to much more efficiently identify where the nonces are needed and provide some sort of session information. The more I think about ways to implement it, the more complicated it becomes; this may be another feature that would need to be partially delegated to framework-specific plugins.

Early warning of disallowed source URLs

This seems pretty straightforward, and I plan to implement it in the near future as this can be added without much reworking. It may add additional build time though, as there is a greater variety of tags and attributes it would need to parse.

Parsing URLs and sources embedded in JS sources

This is a little more complicated since to understand what is embedded this might require framework specific plugins. I'm open to suggestions, but beyond providing a plugin interface, this might be beyond the scope of this package.

Other directives supporting hash and nonce values

The Mozilla docs aren't clear on how the nonce and hash source values relate to the other types of external resources like iframe, media, img, and workers, but it does list them, so I'll have to see what's going on with those.

Multiple hash algorithms per source

I plan on implementing this soon™. But it does require deviating from a configuration directly compatible with the csp-html-webpack-plugin, which will take some more thought about what would be the most convenient way to implement it.

@josh-hemphill josh-hemphill pinned this issue May 10, 2021
@stale stale bot added the stale label Jul 9, 2021

@stale stale bot added the stale label Sep 7, 2021
@stale stale bot closed this as completed Sep 14, 2021
@josh-hemphill josh-hemphill reopened this Sep 16, 2021
@stale stale bot removed the stale label Sep 16, 2021
Repository owner deleted a comment from stale bot Sep 16, 2021
@josh-hemphill josh-hemphill added the pinned Long-running items label Sep 16, 2021
melloware commented

I am the author of this plugin: https://github.com/melloware/csp-webpack-plugin

I took the original Slack plugin and added some more features, Subresource Integrity and Trusted Types handling. I thought you might be interested in adding those as well to this plugin.

Nice work! I have been considering switching from CRA to Vite, but not having a CSP plugin like mine was one of the things holding me up.

ottopaulsen commented

In the webpack plugin we used a config like this:

{
  // Emits each inline style with a nonce placeholder; the server replaces
  // "{{nonce}}" per response, so the build output itself carries no real nonce.
  styleTagFactory({ style }) {
    return `<style type="text/css" nonce="{{nonce}}">${style}</style>`;
  },
}

For us, that is an easy way to get the nonce-support we require.
Is something similar possible in this plugin?
