Allow string values for script- and style-src policies

plugin.js

@@ -2,6 +2,7 @@ const cheerio = require('cheerio');
 const crypto = require('crypto');
 const uniq = require('lodash/uniq');
 const compact = require('lodash/compact');
+const flatten = require('lodash/flatten');
 const isFunction = require('lodash/isFunction');
 
 const defaultPolicy = {
@@ -114,8 +115,13 @@ class CspHtmlWebpackPlugin {
  .map((i, element) => this.hash($(element).html()))
  .get();
 
- policyObj['script-src'] = policyObj['script-src'].concat(inlineSrc);
- policyObj['style-src'] = policyObj['style-src'].concat(inlineStyle);
+ // Wrapped in flatten([]) to handle both when policy is a string and an array
+ policyObj['script-src'] = flatten([policyObj['script-src']]).concat(
+ inlineSrc
+ );
+ policyObj['style-src'] = flatten([policyObj['style-src']]).concat(
+ inlineStyle
+ );
 
  $('meta[http-equiv="Content-Security-Policy"]').attr(
  'content',

spec/plugin.spec.js

@@ -297,4 +297,39 @@ describe('CspHtmlWebpackPlugin', () => {
  );
  }).toThrow(new Error(`'invalid' is not a valid hashing method`));
  });
+
+ it('handles string values for policies where the hash is appended', done => {
+ const webpackConfig = {
+ entry: path.join(__dirname, 'fixtures/index.js'),
+ output: { path: OUTPUT_DIR, filename: 'index.bundle.js' },
+ plugins: [
+ new HtmlWebpackPlugin({
+ filename: path.join(OUTPUT_DIR, 'index.html'),
+ template: path.join(__dirname, 'fixtures', 'with-js.html'),
+ inject: 'body',
+ }),
+ new CspHtmlWebpackPlugin({
+ 'script-src': "'self'",
+ 'style-src': "'self'",
+ }),
+ ],
+ };
+
+ testCspHtmlWebpackPlugin(
+ webpackConfig,
+ 'index.html',
+ (cspPolicy, _, doneFn) => {
+ const expected =
+ "base-uri 'self';" +
+ " object-src 'none';" +
+ " script-src 'self' 'sha256-9nPWXYBnlIeJ9HmieIATDv9Ab5plt35XZiT48TfEkJI=';" +
+ " style-src 'self'";
+
+ expect(cspPolicy).toEqual(expected);
+
+ doneFn();
+ },
+ done
+ );
+ });
 });