content-security-policy
Comparing version 0.3.0 to 0.3.1
@@ -0,1 +1,5 @@ | ||
/* jshint esversion: 6 */ | ||
/* jslint node: true */ | ||
'use strict'; | ||
/** | ||
@@ -32,16 +36,16 @@ * Middleware to add Content-Security-Policy header http://www.w3.org/TR/CSP/ | ||
*/ | ||
module.exports.getCSP = function(options) { | ||
var header = options["report-only"] ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"; | ||
var srcs = [ "report-uri", "sandbox", "default-src", "script-src", "object-src", "style-src", "img-src", "media-src", "frame-src", "font-src", "connect-src" , "child-src", "form-action", "frame-ancestors", "plugin-types"]; | ||
var compiled = ""; | ||
srcs.forEach(function(src) { | ||
var directive = getDirective(options, src); | ||
module.exports.getCSP = function (options) { | ||
const header = options['report-only'] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'; | ||
const srcs = ['report-uri', 'sandbox', 'default-src', 'script-src', 'object-src', 'style-src', 'img-src', 'media-src', 'frame-src', 'font-src', 'connect-src', 'child-src', 'form-action', 'frame-ancestors', 'plugin-types']; | ||
let compiled = ''; | ||
srcs.forEach(src => { | ||
const directive = getDirective(options, src); | ||
if (directive) { | ||
compiled += directive + ";"; | ||
compiled += directive + ';'; | ||
} | ||
}); | ||
return function(req, res, next) { | ||
res.removeHeader("Content-Security-Policy-Report-Only"); | ||
res.removeHeader("Content-Security-Policy"); | ||
return function (req, res, next) { | ||
res.removeHeader('Content-Security-Policy-Report-Only'); | ||
res.removeHeader('Content-Security-Policy'); | ||
res.setHeader(header, compiled); | ||
@@ -53,23 +57,23 @@ next(); | ||
/** */ | ||
module.exports.SANDBOX_ALLOW_FORMS = "allow-forms"; | ||
module.exports.SANDBOX_ALLOW_FORMS = 'allow-forms'; | ||
/** */ | ||
module.exports.SANDBOX_ALLOW_SCRIPTS = "allow-scripts"; | ||
module.exports.SANDBOX_ALLOW_SCRIPTS = 'allow-scripts'; | ||
/** */ | ||
module.exports.SANDBOX_ALLOW_SAME = "allow-same-origin"; | ||
module.exports.SANDBOX_ALLOW_SAME = 'allow-same-origin'; | ||
/** */ | ||
module.exports.SANDBOX_ALLOW_TOP_NAVIGATION = "allow-top-navigation"; | ||
module.exports.SANDBOX_ALLOW_TOP_NAVIGATION = 'allow-top-navigation'; | ||
/** Allows loading resources from the same origin (same scheme, host and port). */ | ||
module.exports.SRC_SELF = "'self'"; | ||
module.exports.SRC_SELF = '\'self\''; | ||
/** Prevents loading resources from any source. */ | ||
module.exports.SRC_NONE = "'none'"; | ||
module.exports.SRC_NONE = '\'none\''; | ||
/** Allows use of inline source elements such as style attribute and onclick */ | ||
module.exports.SRC_USAFE_INLINE = "'unsafe-inline'"; | ||
module.exports.SRC_USAFE_INLINE = '\'unsafe-inline\''; | ||
/** Allows unsafe dynamic code evaluation such as JavaScript eval() */ | ||
module.exports.SRC_UNSAFE_EVAL = "'unsafe-eval'"; | ||
module.exports.SRC_UNSAFE_EVAL = '\'unsafe-eval\''; | ||
/** Allows loading resources via the data scheme (e.g. Base64 encoded images). */ | ||
module.exports.SRC_DATA = "data:"; | ||
module.exports.SRC_DATA = 'data:'; | ||
/** Wildcard, allows anything. */ | ||
module.exports.SRC_ANY = "*"; | ||
module.exports.SRC_ANY = '*'; | ||
/** Allows loading resources only over HTTPS on any domain. */ | ||
module.exports.SRC_HTTPS = "https:"; | ||
module.exports.SRC_HTTPS = 'https:'; | ||
/** | ||
@@ -81,12 +85,12 @@ * This policy allows images, scripts, AJAX, and CSS from the same origin, and | ||
module.exports.STARTER_OPTIONS = { | ||
"default-src" : module.exports.SRC_NONE, | ||
"script-src" : module.exports.SRC_SELF, | ||
"connect-src" : module.exports.SRC_SELF, | ||
"img-src" : module.exports.SRC_SELF, | ||
"style-src" : module.exports.SRC_SELF, | ||
"font-src" : module.exports.SRC_SELF, | ||
"child-src" : module.exports.SRC_SELF, | ||
"form-action" : module.exports.SRC_SELF, | ||
"frame-ancestors" : module.exports.SRC_SELF, | ||
"plugin-types" : module.exports.SRC_NONE | ||
'default-src': module.exports.SRC_NONE, | ||
'script-src': module.exports.SRC_SELF, | ||
'connect-src': module.exports.SRC_SELF, | ||
'img-src': module.exports.SRC_SELF, | ||
'style-src': module.exports.SRC_SELF, | ||
'font-src': module.exports.SRC_SELF, | ||
'child-src': module.exports.SRC_SELF, | ||
'form-action': module.exports.SRC_SELF, | ||
'frame-ancestors': module.exports.SRC_SELF, | ||
'plugin-types': module.exports.SRC_NONE | ||
}; | ||
@@ -103,3 +107,3 @@ | ||
*/ | ||
function getDirective(options, name) { | ||
function getDirective (options, name) { | ||
if (!options[name]) { | ||
@@ -109,10 +113,10 @@ return null; | ||
if (typeof options[name] === "string") { | ||
return name + " " + options[name]; | ||
if (typeof options[name] === 'string') { | ||
return name + ' ' + options[name]; | ||
} | ||
if (Array.isArray(options[name])) { | ||
var result = name + " "; | ||
options[name].forEach(function(value) { | ||
result += value + " "; | ||
let result = name + ' '; | ||
options[name].forEach(value => { | ||
result += value + ' '; | ||
}); | ||
@@ -119,0 +123,0 @@ return result; |
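Review bot: The array branch of `getDirective` (hunk `@@ -109,10 +113,10 @@`) builds the directive with a `forEach` accumulator that leaves a trailing space before the `;` that `getCSP` appends, so a policy compiles to values like `script-src 'self' data: ;`; `return name + ' ' + options[name].join(' ');` yields the same directive without the trailing space or the mutable `result`. The guard `if (!options[name])` in the preceding hunk also treats `''` and `true` as absent, so a bare `sandbox` directive (no allow-* tokens) is silently dropped — at least document it in the function's JSDoc, e.g. `* Falsy values ('' and false included) omit the directive, so 'sandbox' always needs at least one allow-* token.` Neither branch validates source tokens, so a stray `;` inside a configured value is parsed by the browser as a separate directive; if option values may come from configuration rather than code, that deserves a sentence in the docs. Separately, the exported constant `SRC_USAFE_INLINE` keeps its misspelling; an alias `module.exports.SRC_UNSAFE_INLINE = module.exports.SRC_USAFE_INLINE;` would let callers use the intended name without breaking existing ones. `getDirective`'s body begins and ends outside the visible hunks, and the file path is not shown on this page (presumably lib/index.js, the new `main`).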
{ | ||
"name": "content-security-policy", | ||
"description": "Middleware to add Content-Security-Policy header.", | ||
"version": "0.3.0", | ||
"version": "0.3.1", | ||
"author": { | ||
@@ -30,9 +30,23 @@ "name": "Samuel Erdtman", | ||
}, | ||
"main": "./lib", | ||
"main": "lib/index.js", | ||
"dependencies": {}, | ||
"devDependencies": { | ||
"mocha": "1.13.x" | ||
"ava": "*", | ||
"live-server": "*", | ||
"npm-run-all": "*", | ||
"nyc": "*", | ||
"semistandard": "*", | ||
"watch": "*" | ||
}, | ||
"scripts": { | ||
"test": "mocha -u tdd" | ||
"clean": "rm -rf coverage/ .nyc_output/", | ||
"pretest": "semistandard", | ||
"test": "ava test", | ||
"coverage": "nyc npm test", | ||
"coveragehtml": "nyc report -r html", | ||
"precoveragehtml": "npm run coverage", | ||
"coveralls": "nyc report --reporter=text-lcov | coveralls", | ||
"live": "live-server -q --port=4003 --ignorePattern='(js|css|png)$' coverage", | ||
"watch": "watch 'npm run coveragehtml' test lib", | ||
"dev": "npm-run-all -p --silent watch live" | ||
}, | ||
@@ -39,0 +53,0 @@ "engines": { |
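Review bot: Every new devDependency in hunk `@@ -30,9 +30,23 @@` is declared as `"*"`, so each `npm install` resolves to whatever version is newest at install time, including a future breaking or compromised release of `ava`, `nyc`, `semistandard` or the others; pin them to a caret or exact range (e.g. `"ava": "<version tested locally>"`, placeholder) and commit a lockfile so the test toolchain is reproducible. The `coveralls` script pipes into a `coveralls` binary that is not listed in devDependencies, so it only works with a global install; add it to devDependencies or note the requirement in the README.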
@@ -5,43 +5,41 @@ # content-security-policy | ||
## Install | ||
$ npm install content-security-policy | ||
``` | ||
$ npm install content-security-policy --save | ||
``` | ||
## Tests | ||
``` | ||
$ npm install --dev | ||
$ npm test | ||
``` | ||
## Usage | ||
```js | ||
const csp = require('content-security-policy'); | ||
const express = require('express'); | ||
const app = express(); | ||
### Connect | ||
const cspPolicy = { | ||
'report-uri': '/reporting', | ||
'default-src': csp.SRC_NONE, | ||
'script-src': [ csp.SRC_SELF, csp.SRC_DATA ] | ||
}; | ||
var connect = require('connect'); | ||
var csp = require('content-security-policy'); | ||
// Using the example starter policy that will allow most common requests to 'self' | ||
var server = connect.createServer(csp.getCSP(CSP.STARTER_OPTIONS)); | ||
server.listen(3030); | ||
### Express | ||
const globalCSP = csp.getCSP(csp.STARTER_OPTIONS); | ||
const localCSP = csp.getCSP(cspPolicy); | ||
var csp = require('content-security-policy'); | ||
var express = require('express'); | ||
var app = express(); | ||
var cspPolicy = { | ||
"report-uri" : "/reporting", | ||
"default-src" : CSP.SRC_NONE, | ||
"script-src" : [ CSP.SRC_SELF ] | ||
}; | ||
var globalCSP = csp.getCSP(csp.STARTER_OPTIONS); | ||
var localCSP = csp.getCSP(cspPolicy); | ||
// Insert before 'app.router' | ||
app.use(globalCSP); // This will apply this policy to all requests | ||
app.use(app.router); | ||
app.get('/settings', | ||
localCSP, // This will apply the local policy just to this page | ||
function(req, res) { | ||
res.render('settings'); | ||
}); | ||
// This will apply this policy to all requests if no local policy is set | ||
app.use(globalCSP); | ||
app.get('/', (req, res) => { | ||
res.send('Using global content security policy!'); | ||
}); | ||
// This will apply the local policy just to this path, overriding the globla policy | ||
app.get('/local', localCSP, (req, res) => { | ||
res.send('Using path local content security policy!'); | ||
}); | ||
app.listen(3000, () => { | ||
console.log('Example app listening on port 3000!'); | ||
}); | ||
``` |