+1
-1
@@ -45,3 +45,3 @@ var camelize = require('camelize') | ||
| if (directivesAreDynamic) { | ||
| directives = parseDynamicDirectives(directives, [req]) | ||
| directives = parseDynamicDirectives(directives, [req, res]) | ||
| } | ||
@@ -48,0 +48,0 @@ |
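Review bot: The call site `directives = parseDynamicDirectives(directives, [req, res])` now hands every directive function both objects, but nothing at this site records what such a function must return, and the README's nonce example shows the value has to be a complete, already-quoted source expression (`"'nonce-" + res.locals.nonce + "'"`); a function returning the bare nonce would be parsed by the browser as a host source rather than a nonce, so the script it was meant to allow would not match. I'd add above the `if (directivesAreDynamic)` line: `// Dynamic directive values are functions called once per request as fn(req, res); each must return a finished source expression (e.g. a quoted 'nonce-…' token), not a raw value.` The test file's switch from connect to express in the same commit suggests `res.locals` is only available on Express responses, which is worth stating in the module docs for users on plain http/connect. The enclosing function starts before and ends after this hunk.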
+2
-2
@@ -8,3 +8,3 @@ { | ||
| "description": "Content Security Policy middleware.", | ||
| "version": "1.0.1", | ||
| "version": "1.0.2", | ||
| "license": "MIT", | ||
@@ -40,4 +40,4 @@ "keywords": [ | ||
| "devDependencies": { | ||
| "connect": "^3.3.5", | ||
| "content-security-policy-parser": "^0.1.0", | ||
| "express": "^4.13.3", | ||
| "lodash": "^3.7.0", | ||
@@ -44,0 +44,0 @@ "mocha": "^2.3.4", |
+12
-8
@@ -6,2 +6,4 @@ Content Security Policy middleware | ||
| [_Looking for a changelog?_](https://github.com/helmetjs/helmet/blob/master/HISTORY.md) | ||
| Content Security Policy helps prevent unwanted content being injected into your webpages; this can mitigate XSS vulnerabilities, unintended frames, malicious frames, and more. If you want to learn how CSP works, check out the fantastic [HTML5 Rocks guide](http://www.html5rocks.com/en/tutorials/security/content-security-policy/), the [Content Security Policy Reference](http://content-security-policy.com/), and the [Content Security Policy specification](http://www.w3.org/TR/CSP/). This module helps set Content Security Policies. | ||
@@ -75,3 +77,3 @@ | ||
| app.use(function (req, res, next) { | ||
| req.locals.nonce = uuid.v4() | ||
| res.locals.nonce = uuid.v4() | ||
| next() | ||
@@ -81,13 +83,15 @@ }) | ||
| app.use(csp({ | ||
| scriptSrc: [ | ||
| "'self'", | ||
| function (req) { | ||
| return "'nonce-" + req.locals.nonce + "'" // 'nonce-614d9122-d5b0-4760-aecf-3a5d17cf0ac9' | ||
| } | ||
| ] | ||
| directives: { | ||
| scriptSrc: [ | ||
| "'self'", | ||
| function (req, res) { | ||
| return "'nonce-" + res.locals.nonce + "'" // 'nonce-614d9122-d5b0-4760-aecf-3a5d17cf0ac9' | ||
| } | ||
| ] | ||
| } | ||
| })) | ||
| app.use(function (req, res) { | ||
| res.end('<script nonce="' + req.nonce + '">alert(1 + 1);</script>') | ||
| res.end('<script nonce="' + res.locals.nonce + '">alert(1 + 1);</script>') | ||
| }) | ||
| ``` |
+5
-5
@@ -5,3 +5,3 @@ var csp = require('..') | ||
| var parseCsp = require('content-security-policy-parser') | ||
| var connect = require('connect') | ||
| var express = require('express') | ||
| var request = require('supertest') | ||
@@ -14,4 +14,4 @@ var assert = require('assert') | ||
| 'script-src': ['scripts.biz'], | ||
| styleSrc: ['styles.biz', function (req) { | ||
| return req.nonce | ||
| styleSrc: ['styles.biz', function (req, res) { | ||
| return res.locals.nonce | ||
| }], | ||
@@ -32,5 +32,5 @@ objectSrc: [], | ||
| function use (options) { | ||
| var result = connect() | ||
| var result = express() | ||
| result.use(function (req, res, next) { | ||
| req.nonce = 'abc123' | ||
| res.locals.nonce = 'abc123' | ||
| next() | ||
@@ -37,0 +37,0 @@ }) |
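Review bot: The fixture in `use` pins `res.locals.nonce = 'abc123'` to a constant, so as far as this hunk shows the suite cannot distinguish a directive function re-evaluated on every request from one evaluated once and cached, which is exactly the property the README's per-request nonce example depends on. A second request through the same app with a different nonce value, asserting that the emitted `Content-Security-Policy` header changes accordingly, would pin that contract. The `use` function and its assertions continue outside the hunk, so this may already be covered elsewhere.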