express-csp-header - npm Package Compare versions

Comparing version 1.1.0 to 1.2.0

index.js

@@ -71,2 +71,3 @@ var cspHeader = require('csp-header');
 expressCsp.EVAL = cspHeader.EVAL;
+expressCsp.NONE = cspHeader.NONE;
 expressCsp.NONCE = '%nonce%';
@@ -73,0 +74,0 @@ expressCsp.TLD = '%tld%';

package.json

 {
   "name": "express-csp-header",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Content-Security-Policy middleware for Express",
@@ -32,5 +32,5 @@ "main": "index.js",
   "dependencies": {
-    "csp-header": "^0.0.3",
+    "csp-header": "^0.0.4",
     "parse-domain": "^0.2.1"
   }
 }

README.md

@@ -12,7 +12,9 @@ # Content-Security-Policy middleware for Express
         'style-src': [ csp.SELF, 'mystyles.net' ],
-        'img-src': [ 'data:', 'images.com' ]
+        'img-src': [ 'data:', 'images.com' ],
+        'worker-src': [ csp.NONE ],
+        'block-all-mixed-content': true
     }
 }));
 
-// express will send header "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' somehost.com; style-src 'self' mystyles.net; img-src data: images.com; report-uri https://cspreport.com/send;'
+// express will send header "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' somehost.com; style-src 'self' mystyles.net; img-src data: images.com; workers-src 'none'; block-all-mixed-content; report-uri https://cspreport.com/send;'
 ```
@@ -19,0 +21,0 @@

test/index.test.js

@@ -21,7 +21,11 @@ var should = require('should'),
 			policies: {
-				'script-src': [ expressCsp.SELF, 'myhost.com' ],
-				'style-src': [ expressCsp.SELF, expressCsp.INLINE ]
+				'default-src': [ expressCsp.SELF ],
+				'script-src': [ expressCsp.SELF, expressCsp.INLINE, 'somehost.com' ],
+				'style-src': [ expressCsp.SELF, 'mystyles.net' ],
+				'img-src': [ 'data:', 'images.com' ],
+				'worker-src': [ expressCsp.NONE ],
+				'block-all-mixed-content': true
 			}
 		}));
-		actual.res.headers['Content-Security-Policy'].should.be.equal('script-src \'self\' myhost.com; style-src \'self\' \'unsafe-inline\';');
+		actual.res.headers['Content-Security-Policy'].should.be.equal("default-src 'self'; script-src 'self' 'unsafe-inline' somehost.com; style-src 'self' mystyles.net; img-src data: images.com; worker-src 'none'; block-all-mixed-content;");
 	});
@@ -28,0 +32,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

10263

increased by4.38%

Lines of code

185

increased by2.78%

Number of lines in readme file

127

increased by1.6%

Dependency changes

• + Addedcsp-header@0.0.4(transitive)

• - Removedcsp-header@0.0.3(transitive)

• Updatedcsp-header@^0.0.4