helmet-csp - npm Package Compare versions

Comparing version 2.5.1 to 2.6.0

lib/check-options/check-directive/require-sri-for.js

1

lib/check-options/check-directive/index.js

@@ -7,2 +7,3 @@ var config = require('../../config')

reportUri: require('./report-uri'),
requireSriFor: require('./require-sri-for'),
boolean: require('./boolean')

@@ -9,0 +10,0 @@ }

2

lib/check-options/check-directive/sandbox.js
var isFunction = require('../../is-function')
var config = require('../../config')
module.exports = function sandboxCheck (key, value, options) {
module.exports = function sandboxCheck (key, value) {
if (value === false) { return }

@@ -6,0 +6,0 @@ if (value === true) { return }

@@ -30,3 +30,4 @@ var isFunction = require('../../is-function')

if (!directiveInfo.hasUnsafes && (config.unsafes.indexOf(sourceExpression) !== -1)) {
if ((!directiveInfo.hasUnsafes && (config.unsafes.indexOf(sourceExpression) !== -1)) ||
(!directiveInfo.hasStrictDynamic && (config.strictDynamics.indexOf(sourceExpression) !== -1))) {
throw new Error('"' + sourceExpression + '" does not make sense in ' + key + '. Remove it.')

@@ -33,0 +34,0 @@ }
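Review bot: The three-line `if` that now combines the unsafe-keyword check with the new strict-dynamic check is hard to read, and nothing in the code says why `'strict-dynamic'` is rejected — that it is only accepted in directives flagged `hasStrictDynamic` in config. Consider naming the two halves, `var isUnsafe = !directiveInfo.hasUnsafes && config.unsafes.indexOf(sourceExpression) !== -1` and `var isStrictDynamic = !directiveInfo.hasStrictDynamic && config.strictDynamics.indexOf(sourceExpression) !== -1`, testing `if (isUnsafe || isStrictDynamic)`, and adding `// unsafe-* and 'strict-dynamic' are only allowed in directives flagged for them in config.json`. The enclosing function starts and ends outside the hunk.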

@@ -5,4 +5,4 @@ var checkDirective = require('./check-directive')

module.exports = function (options) {
if (!options) {
throw new Error('csp must be called with arguments. See the documentation.')
if (!isObject(options)) {
throw new Error('csp must be called with an object argument. See the documentation.')
}

@@ -12,3 +12,3 @@

var directivesExist = Object.prototype.toString.call(directives) === '[object Object]'
var directivesExist = isObject(directives)
if (!directivesExist || Object.keys(directives).length === 0) {

@@ -22,1 +22,5 @@ throw new Error('csp must have at least one directive under the "directives" key. See the documentation.')

}
function isObject (value) {
return Object.prototype.toString.call(value) === '[object Object]'
}
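Review bot: `isObject` is added without a comment saying what it accepts; the `Object.prototype.toString` tag check rejects arrays, `null`, functions and primitives and accepts anything tagged `[object Object]`, which is what both call sites in this file rely on. A one-line comment above it, `// Plain-object check: true for an '[object Object]' tag; arrays, null, functions and primitives fail.`, would make that contract explicit. The declaration also sits after the `module.exports` assignment and is reached only by hoisting; placing it above the export would make the dependency visible when reading top-down. The hunk ends at the closing brace, so I cannot see whether anything follows it.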

@@ -7,3 +7,6 @@ {

"connect-src": { "type": "sourceList" },
"default-src": { "type": "sourceList" },
"default-src": {
"type": "sourceList",
"hasStrictDynamic": true
},
"font-src": { "type": "sourceList" },

@@ -19,3 +22,4 @@ "form-action": { "type": "sourceList" },

"type": "sourceList",
"hasUnsafes": true
"hasUnsafes": true,
"hasStrictDynamic": true
},

@@ -30,2 +34,3 @@ "style-src": {

"report-uri": { "type": "reportUri" },
"require-sri-for": { "type": "requireSriFor" },
"upgrade-insecure-requests": { "type": "boolean" },

@@ -42,4 +47,6 @@ "worker-src": {

],
"mustQuote": ["none", "self", "unsafe-inline", "unsafe-eval"],
"mustQuote": ["none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic"],
"unsafes": ["'unsafe-inline'", "unsafe-inline", "'unsafe-eval'", "unsafe-eval"],
"strictDynamics": ["'strict-dynamic'", "strict-dynamic"],
"requireSriForValues": ["script", "style"],
"sandboxDirectives": [

@@ -46,0 +53,0 @@ "allow-forms",
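Review bot: `unsafes` and the new `strictDynamics` list each keyword twice (quoted and bare) while `mustQuote` lists only the bare form, so the same keyword now lives in three places and nothing in this hunk keeps them in sync; a keyword present in `strictDynamics` but missing from `mustQuote` would presumably pass the quoting check silently while its quoted form is still flagged elsewhere. Since JSON cannot carry a comment, a small test asserting that every entry of `unsafes` and `strictDynamics`, stripped of its quotes, also appears in `mustQuote` would pin that relationship.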

@@ -9,3 +9,3 @@ {

"description": "Content Security Policy middleware.",
"version": "2.5.1",
"version": "2.6.0",
"license": "MIT",

@@ -29,3 +29,3 @@ "keywords": [

"scripts": {
"pretest": "standard",
"pretest": "standard --fix",
"test": "mocha"

@@ -32,0 +32,0 @@ },
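Review bot: `"pretest": "standard --fix"` makes `npm test` rewrite source files as a side effect, so auto-fixable lint findings no longer fail the test run and a CI checkout is modified in place before the tests execute. Keep the pre-test hook read-only, `"pretest": "standard"`, and expose the rewriting form as a separate script, `"lint:fix": "standard --fix"`, that a developer runs deliberately. The version bump in the first hunk needs no comment.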

@@ -54,4 +54,2 @@ Content Security Policy middleware

The `report-uri` directive will also set the new `report-to` directive for forwards compatibility.
Handling CSP violations

@@ -58,0 +56,0 @@ -----------------------
