{"id":20163385,"url":"https://github.com/sjinks/hwp-csp-plugin","last_synced_at":"2025-04-10T00:36:36.422Z","repository":{"id":36979499,"uuid":"269474961","full_name":"sjinks/hwp-csp-plugin","owner":"sjinks","description":"Content Security Policy plugin for html-webpack-plugin","archived":false,"fork":false,"pushed_at":"2025-03-03T07:25:09.000Z","size":3002,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-05T05:02:22.283Z","etag":null,"topics":["content-security-policy","csp","html-webpack-plugin","html-webpack-plugin-plugin","security"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sjinks.png","metadata":{"funding":{"custom":["https://www.paypal.com/donate/?hosted_button_id=SAG6877JDJ3KU","https://send.monobank.ua/jar/7rosVfiwKM"]},"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-04T22:06:04.000Z","updated_at":"2025-03-03T07:25:12.000Z","dependencies_parsed_at":"2025-03-17T10:30:30.645Z","dependency_job_id":null,"html_url":"https://github.com/sjinks/hwp-csp-plugin","commit_stats":{"total_commits":814,"total_committers":6,"mean_commits":"135.66666666666666","dds":0.3513513513513513,"last_synced_commit":"9a082e8f544f8b1cb127c5af6d240a435c511242"},"previous_names":[],"tags_count":30,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fhwp-csp-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sj
inks%2Fhwp-csp-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fhwp-csp-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fhwp-csp-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sjinks","download_url":"https://codeload.github.com/sjinks/hwp-csp-plugin/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247452422,"owners_count":20941096,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["content-security-policy","csp","html-webpack-plugin","html-webpack-plugin-plugin","security"],"created_at":"2024-11-14T00:29:19.619Z","updated_at":"2025-04-10T00:36:36.396Z","avatar_url":"https://github.com/sjinks.png","language":"TypeScript","readme":"# hwp-csp-plugin\n\n![Build \u0026 Test CI](https://github.com/sjinks/hwp-csp-plugin/workflows/Build%20\u0026%20Test%20CI/badge.svg)\n\nPlugin to add Content-Security-Policy to HTML files generated by [html-webpack-plugin](https://www.npmjs.com/package/html-webpack-plugin)\n\nIt was heavily inspired by [csp-html-webpack-plugin](https://github.com/slackhq/csp-html-webpack-plugin/), but it operates a bit differently.\n\n## Installation\n\n```shell\nnpm i -D hwp-csp-plugin\n```\n\n## Usage\n\n```js\nimport { HwpCspPlugin } from 'hwp-csp-plugin';\n\n// Webpack configuration object\nexport default {\n\n    plugins: [\n        new HtmlWebpackPlugin({ /* ... 
*/ }),\n        new HwpCspPlugin(/* options */),\n    ],\n};\n```\n\nTo configure the plugin, pass an object with the following keys to its constructor (all keys are optional):\n  * `enabled` (`boolean`, defaults to `true`): whether to enable the plugin;\n  * `policy` (`Record\u003cstring, string | string[]\u003e`): [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy); keys are `\u003cdirectives\u003e`, values are `\u003cvalues\u003e`. Values can be a string (`\"'self' https:\"`) or an array (`[\"'self'\", 'https:']`);\n  * `hashFunc` (one of `sha256`, `sha384` (default), `sha512`): hash function to [generate hashes of inline scripts / styles](https://content-security-policy.com/hash/);\n  * `hashEnabled`: can be either `boolean` or an object with the following properties:\n    * `script` (`boolean`, defaults to `true`): whether to generate hashes of inline scripts;\n    * `style` (`boolean`, defaults to `true`): whether to generate hashes of inline styles;\n  * `addIntegrity` (`boolean`, defaults to `false`): whether to add `integrity` attribute to inline scripts and styles (controlled by `hashEnabled` option).\n\n## Differences to csp-html-webpack-plugin\n\n1. HwpCspPlugin intentionally does not support [nonces](https://content-security-policy.com/nonce/). Nonces, by definition, must be used only once and be unique for every request.\n2. HwpCspPlugin does not support `html-webpack-plugin` \u003c 4.x\n3. HwpCspPlugin does not enforce a default content security policy.\n4. HwpCspPlugin uses a subjectively simpler approach to configuration and lets you shoot yourself in the foot.\n5. HwpCspPlugin is written in TypeScript (not that it is a killer feature, but it hopefully simplifies maintenance)\n\n## Things to Do\n\n  - [ ] Currently the plugin removes existing `\u003cmeta http-equiv=\"Content-Security-Policy\"/\u003e` metatags. 
However, it [could be possible](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#Multiple_content_security_policies) to have multiple CSPs. This needs to be investigated, and if so, then this behavior should be configurable;\n  - [ ] Add callbacks allowing the user to modify the CSP before it is written to the file;\n  - [ ] Consider `unsafe-hashes` and `script-src-attr` / `style-src-attr`.\n","funding_links":["https://www.paypal.com/donate/?hosted_button_id=SAG6877JDJ3KU","https://send.monobank.ua/jar/7rosVfiwKM"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsjinks%2Fhwp-csp-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsjinks%2Fhwp-csp-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsjinks%2Fhwp-csp-plugin/lists"}