From ecd4006f60ead86905a1c255924f562e0fee6bdc Mon Sep 17 00:00:00 2001 From: Tim Perry Date: Mon, 8 Jul 2024 15:34:34 +0200 Subject: [PATCH] Test (report-only) a CSP for stricter XSS protection --- .github/workflows/ci.yml | 3 +- Caddyfile | 4 +- automation/webpack.prod.ts | 69 +++++++- package-lock.json | 353 +++++++++++++++++++++++++++++++------ package.json | 5 +- 5 files changed, 372 insertions(+), 62 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 906d8792..fe39ed02 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,10 +35,11 @@ jobs: if: github.event_name == 'push' && github.ref == 'refs/heads/main' env: POSTHOG_KEY: ${{ secrets.POSTHOG_KEY }} - SENTRY_DSN: ${{ secrets.SENTRY_DSN }} + SENTRY_DSN: ${{ env.SENTRY_DSN }} SENTRY_ORG: http-toolkit SENTRY_PROJECT: httptoolkit-ui SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} + REPORT_URI: ${{ env.REPORT_URI }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # To pull server without rate limit issues in CI - uses: actions/upload-artifact@v4 diff --git a/Caddyfile b/Caddyfile index 4fe2078b..f5761eae 100644 --- a/Caddyfile +++ b/Caddyfile @@ -14,8 +14,8 @@ @get method GET header @get Cache-Control "public, max-age=60, s-maxage=3600, stale-while-revalidate=600, stale-if-error=86400" - header Content-Security-Policy "frame-ancestors 'none'" header Referrer-Policy "strict-origin" - header X-Clacks-Overhead "GNU Terry Pratchett" # https://xclacksoverhead.org + + import /site/csp.caddyfile # Generated by webpack } \ No newline at end of file diff --git a/automation/webpack.prod.ts b/automation/webpack.prod.ts index ecd9e52a..0c60d6c8 100644 --- a/automation/webpack.prod.ts +++ b/automation/webpack.prod.ts 
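Review bot: `SENTRY_DSN: ${{ env.SENTRY_DSN }}` and the new `REPORT_URI: ${{ env.REPORT_URI }}` in the `.github/workflows/ci.yml` hunk read the `env` context, and nothing visible in this hunk defines either name. The step's `env:` block sits inside a job that starts outside the hunk, so the definitions may exist at workflow or job level and should be confirmed. An undefined `env` entry expands to an empty string without failing the job; automation/webpack.prod.ts then takes its "CSP reporting skipped" branch and emits no `csp.caddyfile`, so a release build would carry no policy file. I would add a comment above the two lines, `# Public values from the workflow-level env: block, not secrets`, and fail the step when `REPORT_URI` is empty on a `main` push.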
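Review bot: The removed `header Content-Security-Policy "frame-ancestors 'none'"` line in the Caddyfile hunk was the only enforced CSP shown here, and the generated replacement sends `frame-ancestors 'none'` only inside `Content-Security-Policy-Report-Only`, which reports framing but does not block it. Keeping the enforced header next to the import preserves the clickjacking protection while the wider policy is trialled: `header Content-Security-Policy "frame-ancestors 'none'"` followed by `import /site/csp.caddyfile # Generated by webpack`; the two headers are distinct and can be sent together. The import is also unconditional, while webpack.prod.ts emits `csp.caddyfile` only when `REPORT_URI` and `UI_VERSION` are both set. Caddy, as far as I know, rejects a config whose non-glob import target is missing, so a build without those variables should be checked against server startup.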
@@ -1,11 +1,12 @@ import * as path from 'path'; import merge from "webpack-merge"; +import { RawSource } from 'webpack-sources'; import * as SentryPlugin from '@sentry/webpack-plugin'; import { InjectManifest } from 'workbox-webpack-plugin'; import * as ssri from "ssri"; - import { BundleAnalyzerPlugin } from 'webpack-bundle-analyzer'; +import CspHtmlWebpackPlugin from 'csp-html-webpack-plugin'; import common from "./webpack.common"; @@ -16,6 +17,14 @@ console.log(shouldPublishSentryRelease : "Sentry source map upload disabled - no token set" ); +const CSP_REPORT_URL = process.env.REPORT_URI && process.env.UI_VERSION + ? `${process.env.REPORT_URI}&sentry_release=${process.env.UI_VERSION}` + : false; +console.log(CSP_REPORT_URL + ? "CSP reporting enabled" + : `CSP reporting skipped (uri: ${process.env.REPORT_URI}. version: ${process.env.UI_VERSION})` +); + export default merge(common, { mode: "production", @@ -68,7 +77,13 @@ export default merge(common, { 'services', 'ui-update-worker.ts' ), - exclude: ['google-fonts', /^api\//, 'ui-update-worker.js', /.map$/], + exclude: [ + 'google-fonts', + /^api\//, + 'ui-update-worker.js', + /\.map$/, + /\.caddyfile$/ + ], maximumFileSizeToCacheInBytes: 100 * 1024 * 1024, manifestTransforms: [ (originalManifest: any, compilation: any) => { 
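Review bot: `CSP_REPORT_URL` in the `@@ -16,6 +17,14 @@` hunk of automation/webpack.prod.ts is assembled from two environment variables with no encoding or validation, and later in this file it is written verbatim into the `report-uri` directive and into quoted Caddyfile tokens. A double quote, backtick, semicolon or whitespace in either variable would change the generated header or the Caddy config, and the `&sentry_release=` join assumes `REPORT_URI` already carries a query string. I would encode the version with `encodeURIComponent(process.env.UI_VERSION)` and throw at build time when the combined URL contains any of those characters. The skip branch also prints the raw `REPORT_URI` into the build log; logging only whether each variable is set would be enough.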
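Review bot: The `/\.caddyfile$/` entry added to `exclude` in the `@@ -68,7 +77,13 @@` hunk only keeps `csp.caddyfile` out of the service-worker precache manifest; the file is still emitted into the build output, which the Caddyfile imports from `/site/`. If `/site` is also the directory Caddy serves (not visible here), the generated server config becomes fetchable as a static file. Its content mirrors response headers, so the exposure is low, but I would either emit it outside the served directory or have Caddy refuse `*.caddyfile` requests, and add a comment on the entry such as `// Caddy config emitted by the CSP plugin below, not a web asset`. The enclosing `InjectManifest` options object starts and ends outside the hunk.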
@@ -111,6 +126,52 @@ export default merge(common, { analyzerMode: 'static', openAnalyzer: false, excludeAssets: /api\/.*\.json/ - }) + }), + ...(CSP_REPORT_URL + ? [ + new CspHtmlWebpackPlugin({ + 'base-uri': "'self'", + 'default-src': "'none'", + 'object-src': "'none'", + 'frame-ancestors': "'none'", + 'img-src': ["'self'", 'https://httptoolkit.com', 'data:'], + 'font-src': ["'self'"], + 'style-src': ["'report-sample'", "'self'", "'unsafe-inline'"], + 'script-src': [ + "'report-sample'", + "'unsafe-eval'", // For both wasm & real eval() uses + "'self'", 'https://cdn.auth0.com/', 'https://cdn.eu.auth0.com/' + ], + 'connect-src': [ + "'self'", 'http://127.0.0.1:45456', 'http://127.0.0.1:45457', 'ws://127.0.0.1:45456', 'https://*.httptoolkit.tech', 'https://sentry.io', 'data:' + ], + 'report-uri': CSP_REPORT_URL, + 'report-to': 'csp-endpoint' + }, { + enabled: true, + hashEnabled: { + 'script-src': true, + 'style-src': false + }, + nonceEnabled: { + 'script-src': false, + 'style-src': false + }, + // Output CSP into a Caddy config file, that's imported by Caddyfile + processFn: ( + builtPolicy: any, + _htmlPluginData: any, + _obj: any, + compilation: any + ) => { + const header = ` + header Content-Security-Policy-Report-Only "${builtPolicy}" + header Reporting-Endpoints \`csp-endpoint="${CSP_REPORT_URL}"\` + `; + compilation.emitAsset('csp.caddyfile', new RawSource(header)); + } + } as any) + ] + : []) ] -}); +}); \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index afaa51ef..3e9895c5 100644 --- a/package-lock.json +++ b/package-lock.json @@ -123,9 +123,10 @@ "@types/chai": "^4.1.7", "@types/chai-as-promised": "^7.1.0", "@types/chai-enzyme": "^0.6.6", + "@types/csp-html-webpack-plugin": "^3.0.5", "@types/enzyme": "^3.9.0", "@types/enzyme-adapter-react-16": "^1.0.5", - "@types/html-webpack-plugin": "3.2.0", + "@types/html-webpack-plugin": "3.2.9", "@types/mocha": "^7.0.1", "@types/node-fetch": "^2.1.4", "@types/puppeteer": "^5.4.0", 
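Review bot: `processFn` in the `@@ -111,6 +126,52 @@` hunk writes one site-wide `csp.caddyfile`, yet with `hashEnabled: { 'script-src': true }` the `builtPolicy` it receives presumably carries hashes for the inline scripts of the single HTML page being processed. If the build produces more than one HTML page, each call emits the same asset name with different content, so the served header can match at most one page and webpack may report an asset conflict; worth confirming there is a single `HtmlWebpackPlugin` instance or merging the policies. The options object is also cast with `as any` and every `processFn` parameter is `any`, so a misspelled directive or option is accepted silently; typing `builtPolicy` as `string` and dropping the cast where the installed typings allow would catch that. A short comment on the `'unsafe-inline'` style source, like the one already on `'unsafe-eval'`, would record why it is needed before the policy moves from report-only to enforced.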
@@ -147,6 +148,7 @@ "copy-webpack-plugin": "^12.0.2", "cross-env": "^7.0.3", "crypto-browserify": "^3.12.0", + "csp-html-webpack-plugin": "^5.1.0", "css-loader": "^6.9.1", "env-cmd": "^10.1.0", "enzyme": "^3.9.0", @@ -191,6 +193,7 @@ "webpack-cli": "^5.1.4", "webpack-dev-server": "^4.15.1", "webpack-merge": "^4.1.4", + "webpack-sources": "^3.2.3", "workbox-webpack-plugin": "^7.0.0", "worker-loader": "^3.0.8" } @@ -2037,6 +2040,16 @@ "webpack": ">=4.14.0" } }, + "node_modules/@beyonk/google-fonts-webpack-plugin/node_modules/webpack-sources": { + "version": "1.4.3", + "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-1.4.3.tgz", + "integrity": "sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==", + "dev": true, + "dependencies": { + "source-list-map": "^2.0.0", + "source-map": "~0.6.1" + } + }, "node_modules/@discoveryjs/json-ext": { "version": "0.5.7", "resolved": "https://registry.npmjs.org/@discoveryjs/json-ext/-/json-ext-0.5.7.tgz", 
@@ -3501,6 +3514,53 @@ "@types/express": "*" } }, + "node_modules/@types/csp-html-webpack-plugin": { + "version": "3.0.5", + "resolved": "https://registry.npmjs.org/@types/csp-html-webpack-plugin/-/csp-html-webpack-plugin-3.0.5.tgz", + "integrity": "sha512-f1UcGxlNM7DB3VWQLGqzrKg32djDBN0o1SQfpwaIyfGdd2071owYDQB1YP62M1VNvR2to4J6PYWEmDwzC1IKfw==", + "dev": true, + "dependencies": { + "@types/html-webpack-plugin": "*", + "@types/tapable": "^1", + "@types/webpack": "^4" + } + }, + "node_modules/@types/csp-html-webpack-plugin/node_modules/@types/webpack": { + "version": "4.41.38", + "resolved": "https://registry.npmjs.org/@types/webpack/-/webpack-4.41.38.tgz", + "integrity": "sha512-oOW7E931XJU1mVfCnxCVgv8GLFL768pDO5u2Gzk82i8yTIgX6i7cntyZOkZYb/JtYM8252SN9bQp9tgkVDSsRw==", + "dev": true, + "dependencies": { + "@types/node": "*", + "@types/tapable": "^1", + "@types/uglify-js": "*", + "@types/webpack-sources": "*", + "anymatch": "^3.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/@types/csp-html-webpack-plugin/node_modules/anymatch": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", + "dev": true, + "dependencies": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/@types/csp-html-webpack-plugin/node_modules/normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/@types/d3-color": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/@types/d3-color/-/d3-color-1.4.2.tgz", 
@@ -3654,14 +3714,50 @@ "dev": true }, "node_modules/@types/html-webpack-plugin": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/@types/html-webpack-plugin/-/html-webpack-plugin-3.2.0.tgz", - "integrity": "sha512-in9rViBsTRB4ZApndZ12It68nGzSMHVK30JD7c49iLIHMFeTPbP7I7wevzMv7re2o0k5TlU6Ry/beyrmgWX7Bg==", + "version": "3.2.9", + "resolved": "https://registry.npmjs.org/@types/html-webpack-plugin/-/html-webpack-plugin-3.2.9.tgz", + "integrity": "sha512-puFExKcpqjZ27RYnRcsPLPXY+6tnBpyqVrJdLOx1NwiwCdqhyzLui8K2WVQTTUsR+0hhb2Y02Cjsdj540FlgZw==", "dev": true, "dependencies": { "@types/html-minifier": "*", - "@types/tapable": "*", - "@types/webpack": "*" + "@types/tapable": "^1", + "@types/webpack": "^4" + } + }, + "node_modules/@types/html-webpack-plugin/node_modules/@types/webpack": { + "version": "4.41.38", + "resolved": "https://registry.npmjs.org/@types/webpack/-/webpack-4.41.38.tgz", + "integrity": "sha512-oOW7E931XJU1mVfCnxCVgv8GLFL768pDO5u2Gzk82i8yTIgX6i7cntyZOkZYb/JtYM8252SN9bQp9tgkVDSsRw==", + "dev": true, + "dependencies": { + "@types/node": "*", + "@types/tapable": "^1", + "@types/uglify-js": "*", + "@types/webpack-sources": "*", + "anymatch": "^3.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/@types/html-webpack-plugin/node_modules/anymatch": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", + "dev": true, + "dependencies": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/@types/html-webpack-plugin/node_modules/normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true, + "engines": { + "node": ">=0.10.0" } }, 
"node_modules/@types/http-errors": { @@ -3953,6 +4049,12 @@ "@types/node": "*" } }, + "node_modules/@types/source-list-map": { + "version": "0.1.6", + "resolved": "https://registry.npmjs.org/@types/source-list-map/-/source-list-map-0.1.6.tgz", + "integrity": "sha512-5JcVt1u5HDmlXkwOD2nslZVllBBc7HDuOICfiZah2Z0is8M8g+ddAEawbmd3VjedfDHBzxCaXLs07QEmb7y54g==", + "dev": true + }, "node_modules/@types/ssri": { "version": "7.1.0", "resolved": "https://registry.npmjs.org/@types/ssri/-/ssri-7.1.0.tgz", @@ -4091,6 +4193,26 @@ "@types/webpack": "*" } }, + "node_modules/@types/webpack-sources": { + "version": "3.2.3", + "resolved": "https://registry.npmjs.org/@types/webpack-sources/-/webpack-sources-3.2.3.tgz", + "integrity": "sha512-4nZOdMwSPHZ4pTEZzSp0AsTM4K7Qmu40UKW4tJDiOVs20UzYF9l+qUe4s0ftfN0pin06n+5cWWDJXH+sbhAiDw==", + "dev": true, + "dependencies": { + "@types/node": "*", + "@types/source-list-map": "*", + "source-map": "^0.7.3" + } + }, + "node_modules/@types/webpack-sources/node_modules/source-map": { + "version": "0.7.4", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.4.tgz", + "integrity": "sha512-l3BikUxvPOcn5E74dZiq5BGsTb5yEwhaTSzccU6t4sDOH8NWJCstKO5QT2CvtFoK6F0saL7p9xHAqHOlCPJygA==", + "dev": true, + "engines": { + "node": ">= 8" + } + }, "node_modules/@types/webpack/node_modules/tapable": { "version": "2.2.1", "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.1.tgz", 
@@ -6743,6 +6865,20 @@ "node": ">=8" } }, + "node_modules/csp-html-webpack-plugin": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/csp-html-webpack-plugin/-/csp-html-webpack-plugin-5.1.0.tgz", + "integrity": "sha512-6l/s6hACE+UA01PLReNKZfgLZWM98f7ewWmE79maDWIbEXiPcIWQGB3LQR/Zw+hPBj4XPZZ5zNrrO+aygqaLaQ==", + "dev": true, + "dependencies": { + "cheerio": "^1.0.0-rc.5", + "lodash": "^4.17.20" + }, + "peerDependencies": { + "html-webpack-plugin": "^4 || ^5", + "webpack": "^4 || ^5" + } + }, "node_modules/css-box-model": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/css-box-model/-/css-box-model-1.2.0.tgz", @@ -19734,14 +19870,6 @@ "node": ">=8.0" } }, - "node_modules/unplugin/node_modules/webpack-sources": { - "version": "3.2.3", - "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.2.3.tgz", - "integrity": "sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==", - "engines": { - "node": ">=10.13.0" - } - }, "node_modules/unset-value": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/unset-value/-/unset-value-1.0.0.tgz", @@ -20604,13 +20732,11 @@ } }, "node_modules/webpack-sources": { - "version": "1.4.3", - "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-1.4.3.tgz", - "integrity": "sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==", - "dev": true, - "dependencies": { - "source-list-map": "^2.0.0", - "source-map": "~0.6.1" + "version": "3.2.3", + "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.2.3.tgz", + "integrity": "sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==", + "engines": { + "node": ">=10.13.0" } }, "node_modules/webpack-virtual-modules": { 
@@ -20686,15 +20812,6 @@ "node": ">=6" } }, - "node_modules/webpack/node_modules/webpack-sources": { - "version": "3.2.3", - "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.2.3.tgz", - "integrity": "sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==", - "dev": true, - "engines": { - "node": ">=10.13.0" - } - }, "node_modules/websocket-driver": { "version": "0.7.4", "resolved": "https://registry.npmjs.org/websocket-driver/-/websocket-driver-0.7.4.tgz", @@ -21041,6 +21158,16 @@ "webpack": "^4.4.0 || ^5.9.0" } }, + "node_modules/workbox-webpack-plugin/node_modules/webpack-sources": { + "version": "1.4.3", + "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-1.4.3.tgz", + "integrity": "sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==", + "dev": true, + "dependencies": { + "source-list-map": "^2.0.0", + "source-map": "~0.6.1" + } + }, "node_modules/workbox-window": { "version": "7.0.0", "resolved": "https://registry.npmjs.org/workbox-window/-/workbox-window-7.0.0.tgz", @@ -22762,6 +22889,18 @@ "node-fetch": "^2.1.2", "webpack-sources": "^1.1.0", "yauzl": "^2.8.0" + }, + "dependencies": { + "webpack-sources": { + "version": "1.4.3", + "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-1.4.3.tgz", + "integrity": "sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==", + "dev": true, + "requires": { + "source-list-map": "^2.0.0", + "source-map": "~0.6.1" + } + } } }, "@discoveryjs/json-ext": { 
@@ -23780,6 +23919,49 @@ "@types/express": "*" } }, + "@types/csp-html-webpack-plugin": { + "version": "3.0.5", + "resolved": "https://registry.npmjs.org/@types/csp-html-webpack-plugin/-/csp-html-webpack-plugin-3.0.5.tgz", + "integrity": "sha512-f1UcGxlNM7DB3VWQLGqzrKg32djDBN0o1SQfpwaIyfGdd2071owYDQB1YP62M1VNvR2to4J6PYWEmDwzC1IKfw==", + "dev": true, + "requires": { + "@types/html-webpack-plugin": "*", + "@types/tapable": "^1", + "@types/webpack": "^4" + }, + "dependencies": { + "@types/webpack": { + "version": "4.41.38", + "resolved": "https://registry.npmjs.org/@types/webpack/-/webpack-4.41.38.tgz", + "integrity": "sha512-oOW7E931XJU1mVfCnxCVgv8GLFL768pDO5u2Gzk82i8yTIgX6i7cntyZOkZYb/JtYM8252SN9bQp9tgkVDSsRw==", + "dev": true, + "requires": { + "@types/node": "*", + "@types/tapable": "^1", + "@types/uglify-js": "*", + "@types/webpack-sources": "*", + "anymatch": "^3.0.0", + "source-map": "^0.6.0" + } + }, + "anymatch": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", + "dev": true, + "requires": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + } + }, + "normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true + } + } + }, "@types/d3-color": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/@types/d3-color/-/d3-color-1.4.2.tgz", 
@@ -23933,14 +24115,46 @@ "dev": true }, "@types/html-webpack-plugin": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/@types/html-webpack-plugin/-/html-webpack-plugin-3.2.0.tgz", - "integrity": "sha512-in9rViBsTRB4ZApndZ12It68nGzSMHVK30JD7c49iLIHMFeTPbP7I7wevzMv7re2o0k5TlU6Ry/beyrmgWX7Bg==", + "version": "3.2.9", + "resolved": "https://registry.npmjs.org/@types/html-webpack-plugin/-/html-webpack-plugin-3.2.9.tgz", + "integrity": "sha512-puFExKcpqjZ27RYnRcsPLPXY+6tnBpyqVrJdLOx1NwiwCdqhyzLui8K2WVQTTUsR+0hhb2Y02Cjsdj540FlgZw==", "dev": true, "requires": { "@types/html-minifier": "*", - "@types/tapable": "*", - "@types/webpack": "*" + "@types/tapable": "^1", + "@types/webpack": "^4" + }, + "dependencies": { + "@types/webpack": { + "version": "4.41.38", + "resolved": "https://registry.npmjs.org/@types/webpack/-/webpack-4.41.38.tgz", + "integrity": "sha512-oOW7E931XJU1mVfCnxCVgv8GLFL768pDO5u2Gzk82i8yTIgX6i7cntyZOkZYb/JtYM8252SN9bQp9tgkVDSsRw==", + "dev": true, + "requires": { + "@types/node": "*", + "@types/tapable": "^1", + "@types/uglify-js": "*", + "@types/webpack-sources": "*", + "anymatch": "^3.0.0", + "source-map": "^0.6.0" + } + }, + "anymatch": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", + "dev": true, + "requires": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + } + }, + "normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true + } } }, "@types/http-errors": { 
@@ -24234,6 +24448,12 @@ "@types/node": "*" } }, + "@types/source-list-map": { + "version": "0.1.6", + "resolved": "https://registry.npmjs.org/@types/source-list-map/-/source-list-map-0.1.6.tgz", + "integrity": "sha512-5JcVt1u5HDmlXkwOD2nslZVllBBc7HDuOICfiZah2Z0is8M8g+ddAEawbmd3VjedfDHBzxCaXLs07QEmb7y54g==", + "dev": true + }, "@types/ssri": { "version": "7.1.0", "resolved": "https://registry.npmjs.org/@types/ssri/-/ssri-7.1.0.tgz", @@ -24379,6 +24599,25 @@ "@types/webpack": "*" } }, + "@types/webpack-sources": { + "version": "3.2.3", + "resolved": "https://registry.npmjs.org/@types/webpack-sources/-/webpack-sources-3.2.3.tgz", + "integrity": "sha512-4nZOdMwSPHZ4pTEZzSp0AsTM4K7Qmu40UKW4tJDiOVs20UzYF9l+qUe4s0ftfN0pin06n+5cWWDJXH+sbhAiDw==", + "dev": true, + "requires": { + "@types/node": "*", + "@types/source-list-map": "*", + "source-map": "^0.7.3" + }, + "dependencies": { + "source-map": { + "version": "0.7.4", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.4.tgz", + "integrity": "sha512-l3BikUxvPOcn5E74dZiq5BGsTb5yEwhaTSzccU6t4sDOH8NWJCstKO5QT2CvtFoK6F0saL7p9xHAqHOlCPJygA==", + "dev": true + } + } + }, "@types/ws": { "version": "8.5.10", "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.5.10.tgz", @@ -26495,6 +26734,16 @@ "integrity": "sha512-v1plID3y9r/lPhviJ1wrXpLeyUIGAZ2SHNYTEapm7/8A9nLPoyvVp3RK/EPFqn5kEznyWgYZNsRtYYIWbuG8KA==", "dev": true }, + "csp-html-webpack-plugin": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/csp-html-webpack-plugin/-/csp-html-webpack-plugin-5.1.0.tgz", + "integrity": "sha512-6l/s6hACE+UA01PLReNKZfgLZWM98f7ewWmE79maDWIbEXiPcIWQGB3LQR/Zw+hPBj4XPZZ5zNrrO+aygqaLaQ==", + "dev": true, + "requires": { + "cheerio": "^1.0.0-rc.5", + "lodash": "^4.17.20" + } + }, "css-box-model": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/css-box-model/-/css-box-model-1.2.0.tgz", 
@@ -36501,11 +36750,6 @@ "requires": { "is-number": "^7.0.0" } - }, - "webpack-sources": { - "version": "3.2.3", - "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.2.3.tgz", - "integrity": "sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==" } } }, @@ -36843,12 +37087,6 @@ "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.1.tgz", "integrity": "sha512-GNzQvQTOIP6RyTfE2Qxb8ZVlNmw0n88vp1szwWRimP02mnTsx3Wtn5qRdqY9w2XduFNUgvOwhNnQsjwCp+kqaQ==", "dev": true - }, - "webpack-sources": { - "version": "3.2.3", - "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.2.3.tgz", - "integrity": "sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==", - "dev": true } } }, @@ -37181,14 +37419,9 @@ } }, "webpack-sources": { - "version": "1.4.3", - "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-1.4.3.tgz", - "integrity": "sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==", - "dev": true, - "requires": { - "source-list-map": "^2.0.0", - "source-map": "~0.6.1" - } + "version": "3.2.3", + "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.2.3.tgz", + "integrity": "sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==" }, "webpack-virtual-modules": { "version": "0.5.0", @@ -37508,6 +37741,18 @@ "upath": "^1.2.0", "webpack-sources": "^1.4.3", "workbox-build": "7.0.0" + }, + "dependencies": { + "webpack-sources": { + "version": "1.4.3", + "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-1.4.3.tgz", + "integrity": "sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==", + "dev": true, + "requires": { + "source-list-map": "^2.0.0", + "source-map": "~0.6.1" + } + } } }, "workbox-window": { 
diff --git a/package.json b/package.json index bccd258f..f874fe00 100644 --- a/package.json +++ b/package.json @@ -148,9 +148,10 @@ "@types/chai": "^4.1.7", "@types/chai-as-promised": "^7.1.0", "@types/chai-enzyme": "^0.6.6", + "@types/csp-html-webpack-plugin": "^3.0.5", "@types/enzyme": "^3.9.0", "@types/enzyme-adapter-react-16": "^1.0.5", - "@types/html-webpack-plugin": "3.2.0", + "@types/html-webpack-plugin": "3.2.9", "@types/mocha": "^7.0.1", "@types/node-fetch": "^2.1.4", "@types/puppeteer": "^5.4.0", @@ -172,6 +173,7 @@ "copy-webpack-plugin": "^12.0.2", "cross-env": "^7.0.3", "crypto-browserify": "^3.12.0", + "csp-html-webpack-plugin": "^5.1.0", "css-loader": "^6.9.1", "env-cmd": "^10.1.0", "enzyme": "^3.9.0", @@ -216,6 +218,7 @@ "webpack-cli": "^5.1.4", "webpack-dev-server": "^4.15.1", "webpack-merge": "^4.1.4", + "webpack-sources": "^3.2.3", "workbox-webpack-plugin": "^7.0.0", "worker-loader": "^3.0.8" }