Optimize script size

bigskysoftware · Jul 17, 2024 · be8be09 · be8be09
1 parent da9fbb9
commit be8be09
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 13 deletions.
diff --git a/src/safe-nonce/safe-nonce.js b/src/safe-nonce/safe-nonce.js
@@ -1,22 +1,20 @@
 htmx.defineExtension('safe-nonce', {
   transformResponse: function(text, xhr, elt) {
-    if (htmx.config.inlineScriptNonce) {
-      htmx.config.inlineScriptNonce = '' // disable normal htmx nonce replacment so safe-nonce can do it instead
-    }
-    if (!htmx.config.refreshOnHistoryMiss) { 
-      htmx.config.refreshOnHistoryMiss = true // disable ajax fetching on history miss because it doesn't handle nonce replacment
-    }
+    let config = htmx.config
+    config.inlineScriptNonce = '' // disable normal htmx nonce replacment so safe-nonce can do it instead
+    config.refreshOnHistoryMiss = true // disable ajax fetching on history miss because it doesn't handle nonce replacment
     const nonce = xhr.getResponseHeader('HX-Nonce')
-    const pageNonce = htmx.config.safeInlineScriptNonce
+    const pageNonce = config.safeInlineScriptNonce
+    function escapeNonce(nonce) {
+      return new RegExp(`nonce="${nonce.replace(/[\\\[\]\/^*.+?$(){}'#:!=|]/g, '\\$&')}"`, 'g')
+    }
     if (pageNonce && pageNonce != nonce) {
-      // Protect from nonce reuse attacks by stripping all original page load nonces
-      const escapedPageNonce = new RegExp(`nonce="${pageNonce.replace(/[\\\[\]\/^*.+?$(){}'#:!=|]/g, '\\$&')}"`, 'g')
-      text = text.replace(escapedPageNonce, '')
+      // Protect from nonce reuse attacks by striping all original page load nonces
+      text = text.replace(escapeNonce(pageNonce), '')
     }
     if (pageNonce && nonce) {
       // Escape nonce value to make it safe as a RegEx and then swap the trusted nonce to the page load nonce to allow them to pass CSP checks
-      const escapedNonce = new RegExp(`nonce="${nonce.replace(/[\\\[\]\/^*.+?$(){}'#:!=|]/g, '\\$&')}"`, 'g')
-      return text.replace(escapedNonce, `nonce="${pageNonce}"`)
+      return text.replace(escapeNonce(nonce), `nonce="${pageNonce}"`)
     }
     return text
   }

diff --git a/src/safe-nonce/test/ext/safe-nonce.js b/src/safe-nonce/test/ext/safe-nonce.js
@@ -86,7 +86,7 @@ describe('safe-nonce extension tests', function() {
     }, 50)
   })
 
-  it('safe-nonce enabled but inlineScriptNonce set wrong blocks inline scripts running', function(done) {
+  it('safe-nonce enabled but safeInlineScriptNonce set wrong blocks inline scripts running', function(done) {
     window.i = 0 // set count to 0
     this.server.respondWith('GET', '/test', [200, { 'HX-Nonce': '6p1zabP/K+va3O8bi2yydg==' }, '<script nonce="6p1zabP/K+va3O8bi2yydg==">console.trace(); window.i++</script>'])
     htmx.config.safeInlineScriptNonce = 'invalid' // When set to an invalid value expect inline scripts to fail