Add new output callback function

Author: fcsonline

README.md

@@ -41,6 +41,7 @@ This `CspHtmlWebpackPlugin` accepts 2 params with the following structure:
   - `{string}` hashingMethod - accepts 'sha256', 'sha384', 'sha512' - your node version must also accept this hashing method.
   - `{object}` hashEnabled - a `<string, boolean>` entry for which policy rules are allowed to include hashes
   - `{object}` nonceEnabled - a `<string, boolean>` entry for which policy rules are allowed to include nonces
+  - `{Function}` output (optional) - optional callback function receiving the computed CSP policy to implement custom logic instead of including meta tag.
 
 The plugin also adds a new config option onto each `HtmlWebpackPlugin` instance:
 

plugin.jest.js

@@ -852,4 +852,29 @@ describe('CspHtmlWebpackPlugin', () => {
       });
     });
   });
+
+  describe.only('Plugin output callback', () => {
+    it("doesn't modify the html if enabled is the bool false", done => {
+      // eslint-disable-next-line no-unused-vars
+      const mockCallback = jest.fn(csp => {});
+      const config = createWebpackConfig([
+        new HtmlWebpackPlugin({
+          filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html')
+        }),
+        new CspHtmlWebpackPlugin({}, { output: mockCallback })
+      ]);
+
+      webpackCompile(config, csps => {
+        const expected =
+          "base-uri 'self';" +
+          " object-src 'none';" +
+          " script-src 'unsafe-inline' 'self' 'unsafe-eval' 'nonce-mockedbase64string-1';" +
+          " style-src 'unsafe-inline' 'self' 'unsafe-eval'";
+
+        expect(mockCallback).toBeCalledWith(expected);
+        expect(csps['index.html']).not.toEqual(expected);
+        done();
+      });
+    });
+  });
 });

plugin.js

@@ -296,16 +296,6 @@ class CspHtmlWebpackPlugin {
       return compileCb(null, htmlPluginData);
     }
 
-    let metaTag = $('meta[http-equiv="Content-Security-Policy"]');
-
-    // Add element if it doesn't exist.
-    if (!metaTag.length) {
-      metaTag = cheerio.load('<meta http-equiv="Content-Security-Policy">')(
-        'meta'
-      );
-      metaTag.prependTo($('head'));
-    }
-
     // get all nonces for script and style tags
     const scriptNonce = this.setNonce($, 'script-src', 'script[src]');
     const styleNonce = this.setNonce($, 'style-src', 'link[rel="stylesheet"]');
@@ -314,21 +304,36 @@ class CspHtmlWebpackPlugin {
     const scriptShas = this.getShas($, 'script-src', 'script:not([src])');
     const styleShas = this.getShas($, 'style-src', 'style:not([href])');
 
-    // build the policy into the context attr of the csp meta tag
-    metaTag.attr(
-      'content',
-      this.buildPolicy({
-        ...this.policy,
-        'script-src': flatten([this.policy['script-src']]).concat(
-          scriptShas,
-          scriptNonce
-        ),
-        'style-src': flatten([this.policy['style-src']]).concat(
-          styleShas,
-          styleNonce
-        )
-      })
-    );
+    // build the CSP policy
+    const policy = this.buildPolicy({
+      ...this.policy,
+      'script-src': flatten([this.policy['script-src']]).concat(
+        scriptShas,
+        scriptNonce
+      ),
+      'style-src': flatten([this.policy['style-src']]).concat(
+        styleShas,
+        styleNonce
+      )
+    });
+
+    // Execute output callback if is defined
+    if (isFunction(this.opts.output)) {
+      this.opts.output(policy);
+    } else {
+      let metaTag = $('meta[http-equiv="Content-Security-Policy"]');
+
+      // Add element if it doesn't exist.
+      if (!metaTag.length) {
+        metaTag = cheerio.load('<meta http-equiv="Content-Security-Policy">')(
+          'meta'
+        );
+        metaTag.prependTo($('head'));
+      }
+
+      // includes the policy into the context attr of the csp meta tag
+      metaTag.attr('content', policy);
+    }
 
     // eslint-disable-next-line no-param-reassign
     htmlPluginData.html = $.html();