express-csp-header - npm Package Compare versions

Comparing version 0.0.3 to 0.1.0

index.js

 var cspHeader = require('csp-header');
 var crypto = require('crypto');
+var parseDomain = require('parse-domain');
 
@@ -14,4 +15,11 @@ function expressCsp(policies, reportUri){
 				req.nonce = crypto.randomBytes(16).toString('base64');
-				cspString = cspString.replace(/\%nonce\%/g, cspHeader.nonce(req.nonce));
+				cspString = cspString.replace(new RegExp(expressCsp.NONCE, 'g'), cspHeader.nonce(req.nonce));
 			}
+			if(cspString.indexOf(expressCsp.TLD) > -1){
+				var domain = parseDomain(req.hostname || req.host);
+				var tld = domain && domain.tld;
+				if(tld){
+					cspString = cspString.replace(new RegExp(expressCsp.TLD, 'g'), tld);
+				}
+			}
 			res.set('Content-Security-Policy', cspString);
@@ -27,3 +35,4 @@ next();
 expressCsp.NONCE = '%nonce%';
+expressCsp.TLD = '%tld%';
 
 module.exports = expressCsp;

package.json

 {
   "name": "express-csp-header",
-  "version": "0.0.3",
+  "version": "0.1.0",
   "description": "Content-Security-Policy middleware for Express",
@@ -32,4 +32,5 @@ "main": "index.js",
   "dependencies": {
-    "csp-header": "^0.0.3"
+    "csp-header": "^0.0.3",
+    "parse-domain": "^0.2.1"
   }
 }

README.md

@@ -32,2 +32,15 @@ # Content-Security-Policy middleware for Express
 
+### Auto tld
+
+If you have more than one tlds you may want to keep current tld in your security policy. And you able to do this by replacing tld by TLD constant:
+
+```js
+app.use(csp({
+    'script-src': [ `mystatic.${CSP.TLD}` ]
+}));
+// for myhost.com it will send: "Content-Security-Policy: script-src mystatic.com;"
+// for myhost.net it will send: "Content-Security-Policy: script-src mystatic.net;"
+// etc
+```
+
 ### report-uri parameter
@@ -44,3 +57,3 @@
 
-If you want to pass some params to the report uri just pass function instaed of string:
+If you want to pass some params to the report uri just pass function instead of string:
 
@@ -54,2 +67,6 @@ ```js
 // express will send header with a random nonce key "Content-Security-Policy: script-src 'self'; report-uri https://cspreport.com/send?time=1460467355592;"
-```
+```
+
+### Release notes:
+#### v0.1.0:
+ * Dynamic tld (thanks to [@msmirnov](https://github.com/msmirnov))

test/index.test.js

 var should = require('should'),
 	expressCsp = require('../'),
 	mockApp = {
-		use: function(middleware){
-			var req = {},
-				res = {
+		use: function(middleware, req, res){
+			var req = req || {},
+				res = res || {
 					headers: {},
@@ -52,2 +52,22 @@ set: function(headerName, headerVal){
 	});
+
+	it('should replace tld', function(){
+		var actual = mockApp.use(expressCsp({
+			'script-src': [ 'myhost.' + expressCsp.TLD ]
+		}), {
+			hostname: 'example.com'
+		});
+
+		actual.res.headers['Content-Security-Policy'].should.be.equal('script-src myhost.com;');
+	});
+
+	it('shouldn\'t replace tld if tld is not defined', function(){
+		var actual = mockApp.use(expressCsp({
+			'script-src': [ 'myhost.' + expressCsp.TLD ]
+		}), {
+			hostname: 'localhost'
+		});
+
+		actual.res.headers['Content-Security-Policy'].should.be.equal('script-src myhost.%tld%;');
+	});
 });
@@ -54,0 +74,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

6447

increased by29.02%

Lines of code

95

increased by35.71%

Number of lines in readme file

70

increased by34.62%

Worsened metrics

Dependency count

2

increased by100%

Dependency changes

• + Addedparse-domain@^0.2.1

• + Addedparse-domain@0.2.2(transitive)