
content-security-policy

Comparing version 0.3.0 to 0.3.1

.nyc_output/050b72e88462d676b60a1d34c788ea94.json

78

lib/index.js

@@ -0,1 +1,5 @@

/* jshint esversion: 6 */
/* jslint node: true */
'use strict';
/**

@@ -32,16 +36,16 @@ * Middleware to add Content-Security-Policy header http://www.w3.org/TR/CSP/

*/
module.exports.getCSP = function(options) {
var header = options["report-only"] ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
var srcs = [ "report-uri", "sandbox", "default-src", "script-src", "object-src", "style-src", "img-src", "media-src", "frame-src", "font-src", "connect-src" , "child-src", "form-action", "frame-ancestors", "plugin-types"];
var compiled = "";
srcs.forEach(function(src) {
var directive = getDirective(options, src);
module.exports.getCSP = function (options) {
const header = options['report-only'] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
const srcs = ['report-uri', 'sandbox', 'default-src', 'script-src', 'object-src', 'style-src', 'img-src', 'media-src', 'frame-src', 'font-src', 'connect-src', 'child-src', 'form-action', 'frame-ancestors', 'plugin-types'];
let compiled = '';
srcs.forEach(src => {
const directive = getDirective(options, src);
if (directive) {
compiled += directive + ";";
compiled += directive + ';';
}
});
return function(req, res, next) {
res.removeHeader("Content-Security-Policy-Report-Only");
res.removeHeader("Content-Security-Policy");
return function (req, res, next) {
res.removeHeader('Content-Security-Policy-Report-Only');
res.removeHeader('Content-Security-Policy');
res.setHeader(header, compiled);

@@ -53,23 +57,23 @@ next();

/** */
module.exports.SANDBOX_ALLOW_FORMS = "allow-forms";
module.exports.SANDBOX_ALLOW_FORMS = 'allow-forms';
/** */
module.exports.SANDBOX_ALLOW_SCRIPTS = "allow-scripts";
module.exports.SANDBOX_ALLOW_SCRIPTS = 'allow-scripts';
/** */
module.exports.SANDBOX_ALLOW_SAME = "allow-same-origin";
module.exports.SANDBOX_ALLOW_SAME = 'allow-same-origin';
/** */
module.exports.SANDBOX_ALLOW_TOP_NAVIGATION = "allow-top-navigation";
module.exports.SANDBOX_ALLOW_TOP_NAVIGATION = 'allow-top-navigation';
/** Allows loading resources from the same origin (same scheme, host and port). */
module.exports.SRC_SELF = "'self'";
module.exports.SRC_SELF = '\'self\'';
/** Prevents loading resources from any source. */
module.exports.SRC_NONE = "'none'";
module.exports.SRC_NONE = '\'none\'';
/** Allows use of inline source elements such as style attribute and onclick */
module.exports.SRC_USAFE_INLINE = "'unsafe-inline'";
module.exports.SRC_USAFE_INLINE = '\'unsafe-inline\'';
/** Allows unsafe dynamic code evaluation such as JavaScript eval() */
module.exports.SRC_UNSAFE_EVAL = "'unsafe-eval'";
module.exports.SRC_UNSAFE_EVAL = '\'unsafe-eval\'';
/** Allows loading resources via the data scheme (e.g. Base64 encoded images). */
module.exports.SRC_DATA = "data:";
module.exports.SRC_DATA = 'data:';
/** Wildcard, allows anything. */
module.exports.SRC_ANY = "*";
module.exports.SRC_ANY = '*';
/** Allows loading resources only over HTTPS on any domain. */
module.exports.SRC_HTTPS = "https:";
module.exports.SRC_HTTPS = 'https:';
/**

@@ -81,12 +85,12 @@ * This policy allows images, scripts, AJAX, and CSS from the same origin, and

module.exports.STARTER_OPTIONS = {
"default-src" : module.exports.SRC_NONE,
"script-src" : module.exports.SRC_SELF,
"connect-src" : module.exports.SRC_SELF,
"img-src" : module.exports.SRC_SELF,
"style-src" : module.exports.SRC_SELF,
"font-src" : module.exports.SRC_SELF,
"child-src" : module.exports.SRC_SELF,
"form-action" : module.exports.SRC_SELF,
"frame-ancestors" : module.exports.SRC_SELF,
"plugin-types" : module.exports.SRC_NONE
'default-src': module.exports.SRC_NONE,
'script-src': module.exports.SRC_SELF,
'connect-src': module.exports.SRC_SELF,
'img-src': module.exports.SRC_SELF,
'style-src': module.exports.SRC_SELF,
'font-src': module.exports.SRC_SELF,
'child-src': module.exports.SRC_SELF,
'form-action': module.exports.SRC_SELF,
'frame-ancestors': module.exports.SRC_SELF,
'plugin-types': module.exports.SRC_NONE
};

@@ -103,3 +107,3 @@

*/
function getDirective(options, name) {
function getDirective (options, name) {
if (!options[name]) {

@@ -109,10 +113,10 @@ return null;

if (typeof options[name] === "string") {
return name + " " + options[name];
if (typeof options[name] === 'string') {
return name + ' ' + options[name];
}
if (Array.isArray(options[name])) {
var result = name + " ";
options[name].forEach(function(value) {
result += value + " ";
let result = name + ' ';
options[name].forEach(value => {
result += value + ' ';
});

@@ -119,0 +123,0 @@ return result;
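Review bot: getCSP (L49-L66) silently drops any option key that is not in the hard-coded `srcs` list, so a misspelled directive, or a real one the list does not cover such as `base-uri`, never reaches the header and the emitted policy is weaker than the configuration suggests, with no error to show it. A guard before the forEach would surface this at startup: `const unknown = Object.keys(options).filter(k => k !== 'report-only' && srcs.indexOf(k) === -1);` followed by `if (unknown.length > 0) throw new Error('Unknown CSP directive(s): ' + unknown.join(', '));`. Separately, getDirective's array branch (L148-L150) leaves a trailing space after the last value; `return name + ' ' + options[name].join(' ');` yields the same directive without it. The exported name `SRC_USAFE_INLINE` (L90) keeps its typo through the restyle; adding `module.exports.SRC_UNSAFE_INLINE = module.exports.SRC_USAFE_INLINE;` would let callers use the correct spelling without a breaking rename. getCSP's body continues past the hunk at L40 (its `next()` call is only visible as context for the hunk at L68).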

{
"name": "content-security-policy",
"description": "Middleware to add Content-Security-Policy header.",
"version": "0.3.0",
"version": "0.3.1",
"author": {

@@ -30,9 +30,23 @@ "name": "Samuel Erdtman",

},
"main": "./lib",
"main": "lib/index.js",
"dependencies": {},
"devDependencies": {
"mocha": "1.13.x"
"ava": "*",
"live-server": "*",
"npm-run-all": "*",
"nyc": "*",
"semistandard": "*",
"watch": "*"
},
"scripts": {
"test": "mocha -u tdd"
"clean": "rm -rf coverage/ .nyc_output/",
"pretest": "semistandard",
"test": "ava test",
"coverage": "nyc npm test",
"coveragehtml": "nyc report -r html",
"precoveragehtml": "npm run coverage",
"coveralls": "nyc report --reporter=text-lcov | coveralls",
"live": "live-server -q --port=4003 --ignorePattern='(js|css|png)$' coverage",
"watch": "watch 'npm run coveragehtml' test lib",
"dev": "npm-run-all -p --silent watch live"
},

@@ -39,0 +53,0 @@ "engines": {
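Review bot: The devDependencies added at L170-L175 are all declared as `"*"`, so every install resolves to whatever the newest published version of ava, live-server, npm-run-all, nyc, semistandard and watch happens to be, including a future breaking major or a compromised release, and `npm test` is not reproducible across machines. Pin each to a release range (`"nyc": "^<pinned-version>"` and so on) and commit a lockfile so the test toolchain is fixed to known versions. The `coveralls` script at L185 pipes into a `coveralls` binary that is not declared in devDependencies, so that script only works where it happens to be installed globally. The `.nyc_output/` file added at L27 is coverage output that now ships with the package; the `clean` script removes it locally, but an `.npmignore` entry or a `files` list in package.json is what keeps it out of the published tarball.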

@@ -5,43 +5,41 @@ # content-security-policy

## Install
$ npm install content-security-policy
```
$ npm install content-security-policy --save
```
## Tests
```
$ npm install --dev
$ npm test
```
## Usage
```js
const csp = require('content-security-policy');
const express = require('express');
const app = express();
### Connect
const cspPolicy = {
'report-uri': '/reporting',
'default-src': csp.SRC_NONE,
'script-src': [ csp.SRC_SELF, csp.SRC_DATA ]
};
var connect = require('connect');
var csp = require('content-security-policy');
// Using the example starter policy that will allow most common requests to 'self'
var server = connect.createServer(csp.getCSP(CSP.STARTER_OPTIONS));
server.listen(3030);
### Express
const globalCSP = csp.getCSP(csp.STARTER_OPTIONS);
const localCSP = csp.getCSP(cspPolicy);
var csp = require('content-security-policy');
var express = require('express');
var app = express();
var cspPolicy = {
"report-uri" : "/reporting",
"default-src" : CSP.SRC_NONE,
"script-src" : [ CSP.SRC_SELF ]
};
var globalCSP = csp.getCSP(csp.STARTER_OPTIONS);
var localCSP = csp.getCSP(cspPolicy);
// Insert before 'app.router'
app.use(globalCSP); // This will apply this policy to all requests
app.use(app.router);
app.get('/settings',
localCSP, // This will apply the local policy just to this page
function(req, res) {
res.render('settings');
});
// This will apply this policy to all requests if no local policy is set
app.use(globalCSP);
app.get('/', (req, res) => {
res.send('Using global content security policy!');
});
// This will apply the local policy just to this path, overriding the globla policy
app.get('/local', localCSP, (req, res) => {
res.send('Using path local content security policy!');
});
app.listen(3000, () => {
console.log('Example app listening on port 3000!');
});
```