content-security-policy
Comparing version 0.3.2 to 0.3.3
@@ -31,2 +31,3 @@ /* jshint esversion: 6 */ | ||
* @option child-src, Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe> (CSP2). | ||
* @option worker-src, Defines valid sources that can be loaded within a Worker, SharedWorker, or ServiceWorker (CSP3). | ||
* @option form-action, Defines valid sources that can be used as a HTML <form> action (CSP2). | ||
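Review bot: The new `worker-src` line does not say how it relates to `child-src`, whose description directly above still lists web workers. Under CSP3 a worker load is checked against `worker-src` and falls back to `child-src`, then `script-src`, then `default-src`, while browsers that only implement CSP2 ignore `worker-src` and consult `child-src`. I would end the doc line with `(CSP3). Falls back to child-src, then script-src, then default-src; also set child-src for CSP2-only browsers.` The comment block starts and ends outside this hunk.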
@@ -39,3 +40,3 @@ * @option frame-ancestors, Defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet>. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY (CSP2). | ||
const header = options['report-only'] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'; | ||
const srcs = ['report-uri', 'sandbox', 'default-src', 'script-src', 'object-src', 'style-src', 'img-src', 'media-src', 'frame-src', 'font-src', 'connect-src', 'child-src', 'form-action', 'frame-ancestors', 'plugin-types']; | ||
const srcs = ['report-uri', 'sandbox', 'default-src', 'script-src', 'object-src', 'style-src', 'img-src', 'media-src', 'frame-src', 'font-src', 'connect-src', 'child-src', 'worker-src', 'form-action', 'frame-ancestors', 'plugin-types']; | ||
let compiled = ''; | ||
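Review bot: `srcs` on the new side is still a fixed allowlist, and the `srcs.forEach` in the next hunk header suggests only these keys are compiled into the header. An option key that is misspelled or not listed (for example `base-uri`, which is absent from the array) therefore appears to be dropped silently. A policy weaker than the one the caller wrote is hard to notice, so consider reporting unknown keys, e.g. `const unknown = Object.keys(options).filter(k => k !== 'report-only' && !srcs.includes(k));` followed by a warning or a thrown error. The enclosing function starts and ends outside the hunk, so this is inferred from the visible lines only.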
@@ -75,2 +76,4 @@ srcs.forEach(src => { | ||
module.exports.SRC_DATA = 'data:'; | ||
/** Allows loading resources via a blob. */ | ||
module.exports.SRC_BLOB = 'blob:'; | ||
/** Wildcard, allows anything. */ | ||
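Review bot: The doc comment on `SRC_BLOB` should carry a caveat, because `blob:` is a scheme source that matches any Blob URL the page creates. In `script-src` or `default-src` it permits script loaded from such a Blob, so a flaw that lets attacker-influenced data reach a Blob becomes script execution, much the same weakening as `data:`. Suggested comment: `/** Allows loading resources from blob: URLs. Scope to the directive that needs it (e.g. worker-src, img-src, media-src); avoid in script-src and default-src. */`.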
@@ -77,0 +80,0 @@ module.exports.SRC_ANY = '*'; |
{ | ||
"name": "content-security-policy", | ||
"description": "Middleware to add Content-Security-Policy header.", | ||
"version": "0.3.2", | ||
"version": "0.3.3", | ||
"author": { | ||
@@ -6,0 +6,0 @@ "name": "Samuel Erdtman", |