feat: add strictDynamic as a config option (#129)

hrishikesh-k · web-flow · commit 84522aab71f3 · 2025-03-27T13:04:26.000Z
diff --git a/manifest.yml b/manifest.yml
@@ -5,6 +5,9 @@ inputs:
     default: true
   - name: reportUri
     description: The relative or absolute URL to report any violations. If not defined, violations are reported to the __csp-violations function, which this plugin deploys.
+  - name: strictDynamic
+    description: When true, dynamically trust scripts via nonce or hash instead of static allowlists, enhancing security.
+    default: true
   - name: unsafeEval
     description: When true, adds 'unsafe-eval' to CSP for easier adoption. Set to false to have a safer policy if your code and code dependencies does not use eval().
     default: true
diff --git a/src/__csp-nonce.ts b/src/__csp-nonce.ts
@@ -24,7 +24,7 @@ params.reportUri = params.reportUri || "/.netlify/functions/__csp-violations";
 // @ts-ignore
 params.distribution = Netlify.env.get("CSP_NONCE_DISTRIBUTION");
 
-params.strictDynamic = true;
+params.strictDynamic = params.strictDynamic ?? true;
 params.unsafeInline = params.unsafeInline ?? true;
 params.self = params.self ?? true;
 params.https = true;
