Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/e73b025/jekyll-content-security-policy-generator

This Jekyll plugin generates a content-security-policy HTML meta tag for your static site based on images, styles, scripts, frames and more found within each static page. Also converts style attributes to style tags and generates SHA256 hashes for them.
https://github.com/e73b025/jekyll-content-security-policy-generator

content-security-policy inline-scripts jekyll jekyll-plugin nokogiri plugin ruby static-site xss

Last synced: 3 months ago
JSON representation

This Jekyll plugin generates a content-security-policy HTML meta tag for your static site based on images, styles, scripts, frames and more found within each static page. Also converts style attributes to style tags and generates SHA256 hashes for them.

Awesome Lists containing this project

README 

        
# jekyll-content-security-policy-generator Plugin



![Jekyll Image Cover](Cover.png)



[![Gem Version](https://badge.fury.io/rb/jekyll-content-security-policy-generator.svg)](https://badge.fury.io/rb/jekyll-content-security-policy-generator)



This Jekyll plugin automatically builds an HTML content-security-policy for a Jekyll site. The plugin

will scan ```.html``` files generated by Jekyll and attempt to locate images, styles, scripts, frames etc and build a

content security policy HTML meta tag. The script will also generate SHA256 hashes for inline scripts and styles. If

the script finds elements with style attributes ```
```, the script will extract the style

information and build a style element to which will also pass through the content security policy generation.



## Goal



To speed up development of Jekyll based sites whilst also helping to generate secure HTML files protected from XSS.



## Features



* Scans for ```.html``` files generated by Jekyll.

* Finds inline scripts such as ```alert("Hello World!");``` and generates an SHA256 hash.

* Finds inline styles such as ```.hello { color: "red"; }``` and generates an SHA256 hash.

* Creates or reuses an HTTP meta tag for the content security policy.

* Finds all images, styles, scripts and frames with external URLs and builds CSP.

* Converts style attributes into `````` elements.

* If a page already has a content-security-policy tag, (such as your index.html file), the script will reuse it.

* Image URLs such as https://strongscot.com/images/logo.svg will have a rule such as https://strongscot.com/images/



## Upcoming Features



* Ability to specify how lax the domain rules can be. For example, ```https://strongscot.com/images/logo.svg``` would be converted to

```https://strongscot.com/images/``` under strict and ```https://strongscot.com``` under relaxed.

* Ability in site.yaml file to specify what files it should parse, at the moment its only ```.html```.



## Installation



Add the plugin your Gemfile within the jekyll_plugins group:



```

group :jekyll_plugins do

  gem 'jekyll-content-security-policy-generator'

  ... other gem files

end

```



Then install



```

bundle install

```



## Nokogiri Error on Mac?



For some reason, Nokogiri will install with both the ARM (M1) and x86 variants which will confuse bundler. Best way I found to fix this was to open the Gemfile.lock and remove the:



```

nokogiri (1.11.3-arm64-darwin)

  racc (~> 1.4)

```



Or the x86 if you have an M1 mac.



Alternatively, you can add ```nokogiri``` to your Gemfile, like so:



```

group :jekyll_plugins do

  gem 'nokogiri'

  gem 'jekyll-content-security-policy-generator'

  ... other gem files

end

```



## Support



https://strongscot.com