slackhq
diff --git a/‎README.md
+64-12 b/‎README.md
+64-12
diff --git a/‎package-lock.json
+1-1 b/‎package-lock.json
+1-1
diff --git a/‎package.json
+2-2 b/‎package.json
+2-2
@@ -12,10 +12,10 @@ This plugin will generate meta content for your Content Security Policy tag and
 
 All inline JS and CSS will be hashed, and inserted into the policy.
 
-
 ## Installation
 
 Install the plugin with npm:
+
 ```
 npm i --save-dev csp-html-webpack-plugin
 ```
@@ -29,21 +29,36 @@ new HtmlWebpackPlugin()
 new CspHtmlWebpackPlugin()
 ```
 
-Finally, add the following tag to your HTML template where you would like to add the CSP policy:
-```
-<meta http-equiv="Content-Security-Policy" content="">
-```
-
 ## Configuration
 
 This `CspHtmlWebpackPlugin` accepts 2 params with the following structure:
-* `{object}` Policy (optional) - a flat object which defines your CSP policy. Valid keys and values can be found on the [MDN CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) page. Values can either be a string or an array of strings.
-* `{object}` Additional Options (optional) - a flat object with the optional configuration options:
-  * `{boolean}` devAllowUnsafe - if you as the developer want to allow `unsafe-inline`/`unsafe-eval` and _not_ include hashes for inline scripts. If any hashes are included in the policy, modern browsers ignore the `unsafe-inline` rule.
-  * `{boolean|Function}` enabled - if false, or the function returns false, the empty CSP tag will be stripped from the html output. The `htmlPluginData` is passed into the function as it's first param.
-  * `{string}` hashingMethod - accepts 'sha256', 'sha384', 'sha512' - your node version must also accept this hashing method.
 
-_Note: CSP runs on all files created by HTMLWebpackPlugin. You can disable it for a particular instance by setting `disableCspPlugin` to `true` in the HTMLWebpackPlugin options
+- `{object}` Policy (optional) - a flat object which defines your CSP policy. Valid keys and values can be found on the [MDN CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) page. Values can either be a string or an array of strings.
+- `{object}` Additional Options (optional) - a flat object with the optional configuration options:
+  - `{boolean|Function}` enabled - if false, or the function returns false, the empty CSP tag will be stripped from the html output.
+    - The `htmlPluginData` is passed into the function as it's first param.
+    - If `enabled` is set the false, it will disable generating a CSP for all instances of `HtmlWebpackPlugin` in your webpack config.
+  - `{string}` hashingMethod - accepts 'sha256', 'sha384', 'sha512' - your node version must also accept this hashing method.
+  - `{object}` hashEnabled - a `<string, boolean>` entry for which policy rules are allowed to include hashes
+  - `{object}` nonceEnabled - a `<string, boolean>` entry for which policy rules are allowed to include nonces
+
+The plugin also adds a new config option onto each `HtmlWebpackPlugin` instance:
+
+- `{object}` cspPlugin - an object containing the following properties:
+  - `{boolean}` enabled - if false, the CSP tag will be removed from the HTML which this HtmlWebpackPlugin instance is generating.
+  - `{object}` policy - A custom policy which should be applied only to this instance of the HtmlWebpackPlugin
+  - `{object}` hashEnabled - a `<string, boolean>` entry for which policy rules are allowed to include hashes
+  - `{object}` nonceEnabled - a `<string, boolean>` entry for which policy rules are allowed to include nonces
+
+Note that policies and `hashEnabled` / `nonceEnabled` are merged in the following order:
+
+```
+> HtmlWebpackPlugin cspPlugin.policy
+> CspHtmlWebpackPlugin policy
+> CspHtmlWebpackPlugin defaultPolicy
+```
+
+If 2 policies have the same key/policy rule, the former policy will override the latter policy. Entries in a specific rule will not be merged; they will be replaced.
 
 #### Default Policy:
 
@@ -63,11 +78,40 @@ _Note: CSP runs on all files created by HTMLWebpackPlugin. You can disable it fo
   devAllowUnsafe: false,
   enabled: true
   hashingMethod: 'sha256',
+  hashEnabled: {
+    'script-src': true,
+    'style-src': true
+  },
+  nonceEnabled: {
+    'script-src': true,
+    'style-src': true
+  }
 }
 ```
 
 #### Full Configuration with all options:
+
 ```
+new HtmlWebpackPlugin({
+  cspPlugin: {
+    enabled: true,
+    policy: {
+      'base-uri': "'self'",
+      'object-src': "'none'",
+      'script-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"],
+      'style-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"]
+    },
+    hashEnabled: {
+      'script-src': true,
+      'style-src': true
+    },
+    nonceEnabled: {
+      'script-src': true,
+      'style-src': true
+    }
+  }
+});
+
 new CspHtmlWebpackPlugin({
   'base-uri': "'self'",
   'object-src': "'none'",
@@ -77,6 +121,14 @@ new CspHtmlWebpackPlugin({
   devAllowUnsafe: false,
   enabled: true
   hashingMethod: 'sha256',
+  hashEnabled: {
+    'script-src': true,
+    'style-src': true
+  },
+  nonceEnabled: {
+    'script-src': true,
+    'style-src': true
+  }
 })
 ```
 
 
@@ -1,13 +1,13 @@
 {
   "name": "csp-html-webpack-plugin",
-  "version": "2.5.0",
+  "version": "3.0.0-beta.2",
   "description": "A plugin which, when combined with HTMLWebpackPlugin, adds CSP tags to the HTML output",
   "main": "plugin.js",
   "scripts": {
     "eslint": "eslint .",
     "eslint:fix": "eslint . --fix",
     "jest": "jest --config=./jest.config.js plugin.jest.js",
-    "jest:watch": "jest --watch --config=./jest.config.js plugin.jest.js",
+    "jest:watch": "jest --watch --verbose=false --config=./jest.config.js plugin.jest.js",
     "jest:coverage:generate": "jest --coverage --config=./jest.config.js plugin.jest.js",
     "jest:coverage:clean": "rm -rf ./coverage",
     "jest:coverage:upload": "npx codecov --token=252086ef-c14d-4f29-ab36-720265249fa2",