This Jekyll plugin generates a content-security-policy HTML meta tag for your static site based on images, styles, scripts, frames and more found within each static page. Also converts style attributes to style tags and generates SHA256 hashes for them.

scottstraughan/jekyll-csp

jekyll-csp (Jekyll Plugin)

Jekyll Image Cover

This Jekyll plugin automatically builds an HTML content-security-policy for a Jekyll site. The plugin scans the .html files generated by Jekyll, attempts to locate images, styles, scripts, frames etc. and builds a content security policy HTML meta tag from what it finds. The script also generates SHA256 hashes for inline scripts and styles. If the script finds elements with style attributes, such as <div style="color: red"></div>, it extracts the style information and builds a <style> element, which is then also passed through the content security policy generation.

Example Output

Based on a Jekyll site page that contains a few inline styles/scripts and an iframe to wikipedia.org, the following will be generated:

<meta http-equiv="Content-security-Policy" content="
  frame-src 
    'self' 
    https://www.wikipedia.org; 
  script-src 
    'self' 
    'sha256-AZXvsmuNxas/9sJWMstoDYy9X/jMKakhM3w1WL1CS1I='; 
  img-src 
    'self'; 
  style-src 
    'self' 
    'sha256-C6z/tOzBLL2qAZuhUCvypGKgcUawES+1dvwdnj+I6yo=' 
    'sha256-787PqQfLGYcuxsr3MEE9/I94mvhef0N/Kmxc3bJd87g=' 
    'sha256-NHS45kj4lhdQbZpwg50AtdnziM7N+XG0sFtclLyDtek='; ">

Config (via _config.yml)

You can slightly customize the generator using the following config within the Jekyll site config file (_config.yml).

jekyll_csp:
  indentation: 2
  newlines: true
  debug: true
  inject_self: 
    - frame-src
    - style-src
  • indentation Integer value for the indentation level of each line. Use this to produce nicer, more readable output.
  • newlines Boolean value to enable a newline for each Content-Security-Policy content item. If false, the indentation value is ignored.
  • debug Boolean value to enable debug output when building.
  • inject_self List of directives into which the value 'self' should be injected. If unset, the default is style-src, script-src, frame-src and img-src.

Features

  • Scans for .html files generated by Jekyll.
  • Finds inline scripts such as <script>alert("Hello World!");</script> and generates a SHA256 hash.
  • Finds inline styles such as <style>.hello { color: "red"; }</style> and generates a SHA256 hash.
  • Creates or reuses an http-equiv meta tag for the content security policy.
  • Finds all images, styles, scripts and frames with external URLs and builds CSP.
  • Converts style attributes into <style> elements.
  • If a page already has a content-security-policy tag, (such as your index.html file), the script will reuse it.
  • Image URLs such as https://strongscot.com/images/logo.svg will have a rule such as https://strongscot.com/images/
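The following is an added illustration of the workflow described above (scan a page, hash inline blocks, hoist style attributes, reduce external URLs to directory sources, and honour the indentation / newlines / inject_self config). It is not the jekyll-csp gem's code: it matches HTML with plain regexes instead of Nokogiri so it runs with only the Ruby standard library, the generated csp-inline-N class used as the selector for hoisted style attributes is an assumption, and the sample page is constructed for the example. It also demonstrates the caveat that a CSP hash covers the exact bytes of the inline block, so any re-indentation changes it.

```ruby
require 'digest'
require 'uri'

# Illustrative, stand-alone CSP builder (not the jekyll-csp gem's code). HTML is
# matched with simple regexes instead of Nokogiri so the example runs with only
# the Ruby standard library; the real plugin parses the DOM.
module CspDemo
  DEFAULT_INJECT_SELF = %w[style-src script-src frame-src img-src].freeze

  # Constructed sample page: one style attribute, one inline script, one external
  # image and one iframe, mirroring the cases listed in the Features section.
  SAMPLE_PAGE = <<~HTML
    <html><head><title>demo</title></head>
    <body>
    <div style="color: red">hi</div>
    <script>alert("Hello World!");</script>
    <img src="https://strongscot.com/images/logo.svg">
    <iframe src="https://www.wikipedia.org/wiki/Main_Page"></iframe>
    </body></html>
  HTML

  # CSP hash source: base64 of SHA-256 over the *exact* bytes between the tags.
  # Any added whitespace or re-indentation of the inline block changes the hash,
  # so the hash must be computed from the final rendered markup.
  def self.hash_source(content)
    "'sha256-#{[Digest::SHA256.digest(content)].pack('m0')}'"   # m0 = strict base64
  end

  # Reduce an absolute URL to its directory, e.g.
  # https://strongscot.com/images/logo.svg -> https://strongscot.com/images/
  # (port and query string are ignored for brevity).
  def self.directory_source(url)
    uri = URI.parse(url)
    return "#{uri.scheme}://#{uri.host}" if uri.path.nil? || uri.path.empty?
    dir = uri.path.end_with?('/') ? uri.path : File.dirname(uri.path)
    dir += '/' unless dir.end_with?('/')
    "#{uri.scheme}://#{uri.host}#{dir}"
  end

  # Move style="..." attributes into one <style> block in <head>. The selector
  # strategy (a generated class per element) is an assumption; an element that
  # already carries a class attribute is not merged, for brevity.
  def self.hoist_style_attributes(html)
    rules = []
    n = 0
    out = html.gsub(/<(\w+)([^>]*?)\sstyle="([^"]*)"([^>]*)>/) do
      tag, before, css, after = $1, $2, $3, $4
      n += 1
      rules << ".csp-inline-#{n} { #{css} }"
      "<#{tag}#{before} class=\"csp-inline-#{n}\"#{after}>"
    end
    return out if rules.empty?
    out.sub('</head>', "<style>#{rules.join(' ')}</style></head>")
  end

  # Scan one page: inline blocks become hashes, external URLs become directory sources.
  # Simplification: every <link href> is treated as a stylesheet.
  def self.collect(html)
    dirs = Hash.new { |h, k| h[k] = [] }
    html.scan(%r{<script(?:\s[^>]*)?>(.*?)</script>}m).flatten.each do |body|
      dirs['script-src'] << hash_source(body) unless body.strip.empty?
    end
    html.scan(%r{<style(?:\s[^>]*)?>(.*?)</style>}m).flatten.each do |body|
      dirs['style-src'] << hash_source(body)
    end
    { 'script-src' => /<script\s[^>]*?src="([^"]+)"/,
      'style-src'  => /<link\s[^>]*?href="([^"]+)"/,
      'img-src'    => /<img\s[^>]*?src="([^"]+)"/,
      'frame-src'  => /<iframe\s[^>]*?src="([^"]+)"/ }.each do |directive, re|
      html.scan(re).flatten.each do |url|
        dirs[directive] << directory_source(url) if url.start_with?('http')
      end
    end
    dirs
  end

  # Build the meta tag, honouring the _config.yml keys (indentation, newlines, inject_self).
  # Returns the rewritten page, the per-directive source lists and the meta tag itself.
  def self.build(html, indentation: 2, newlines: true, inject_self: DEFAULT_INJECT_SELF)
    page = hoist_style_attributes(html)         # hoist first so the new <style> gets hashed too
    dirs = collect(page)
    inject_self.each { |d| dirs[d].unshift("'self'") }
    sep = newlines ? "\n#{' ' * indentation}" : ' '
    content = dirs.map { |d, srcs| "#{d}#{sep}#{srcs.uniq.join(sep)};" }.join(newlines ? "\n" : ' ')
    meta = %(<meta http-equiv="Content-Security-Policy" content="#{content}">)
    # If the page already carries a CSP meta tag, leave it alone (the real plugin reuses it).
    page = page.sub('<head>', "<head>#{meta}") unless page =~ /http-equiv="Content-Security-Policy"/i
    { html: page, directives: dirs, meta: meta }
  end
end

puts CspDemo.build(CspDemo::SAMPLE_PAGE)[:meta] if $PROGRAM_NAME == __FILE__
```

Run it with `ruby csp_demo.rb` to print the generated meta tag for the sample page. The important check for a deployment is the one in hash_source: the hash must be taken over the bytes Jekyll actually writes, after any minification or template post-processing, or the browser will reject the inline block.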

Upcoming Features

  • Ability to specify how lax the domain rules can be. For example, https://strongscot.com/images/logo.svg would be converted to https://strongscot.com/images/ under strict and https://strongscot.com under relaxed.
  • Ability to specify, in the site.yaml file, which files it should parse; at the moment it's only .html.

Installation

Add the plugin to your Gemfile within the jekyll_plugins group:

group :jekyll_plugins do
  gem 'jekyll-csp'
  ... other gem files
end

Then install:

bundle install

Nokogiri Error on Mac?

For some reason, Nokogiri will install with both the ARM (M1) and x86 variants, which confuses bundler. The best way I found to fix this was to open Gemfile.lock and remove the:

nokogiri (1.11.3-arm64-darwin)
  racc (~> 1.4)

Or the x86 entry if you have an M1 Mac.

Alternatively, you can add nokogiri to your Gemfile, like so:

group :jekyll_plugins do
  gem 'nokogiri'
  gem 'jekyll-csp'
  ... other gem files
end

License

MIT
