helmet - npm Package Compare versions

Comparing version 0.2.2 to 0.2.3

lib/middleware/csp.js

@@ -41,3 +41,3 @@ // jshint quotmark: false
     _.each(options, function (value) {
-        if (_(value).isArray()) {
+        if (Array.isArray(value)) {
             MUST_BE_QUOTED.forEach(function (must) {
@@ -91,4 +91,4 @@ if (value.indexOf(must) !== -1) {
                     headers.push('X-Content-Security-Policy');
-                    if ((policy.sandbox === null) || (policy.sandbox === undefined)) {
-                        policy.sandbox = true;
+                    if (!setAllHeaders) {
+                        policy = { sandbox: policy.sandbox };
                     }
@@ -113,2 +113,6 @@ }
                         var value = options[key];
+                        if (Array.isArray(value)) {
+                            // Clone the array so we don't later mutate `options` by mistake
+                            value = value.slice();
+                        }
 
@@ -134,3 +138,2 @@ if (key == 'connect-src') {
                                 } else {
-                                    policy[key] = policy[key].slice();
                                     policy[key].splice(index, 1);
@@ -143,3 +146,2 @@ }
                                 } else {
-                                    policy[key] = policy[key].slice();
                                     policy[key].splice(index, 1);
@@ -193,3 +195,3 @@ }
                 return 'sandbox';
-            } else if (_(value).isArray()) {
+            } else if (Array.isArray(value)) {
                 return key + ' ' + value.join(' ');
@@ -205,9 +207,11 @@ } else {
 
-        headers.forEach(function (header) {
-            var headerName = header;
-            if (reportOnly) {
-                headerName += '-Report-Only';
-            }
-            res.setHeader(headerName, policyString);
-        });
+        if (policyString) {
+            headers.forEach(function (header) {
+                var headerName = header;
+                if (reportOnly) {
+                    headerName += '-Report-Only';
+                }
+                res.setHeader(headerName, policyString);
+            });
+        }
 
@@ -214,0 +218,0 @@ next();

package.json

@@ -7,4 +7,4 @@ {
   ],
-  "description": "Security header middleware collection for Express/Connect",
-  "version": "0.2.2",
+  "description": "Security middleware collection for Express/Connect",
+  "version": "0.2.3",
   "keywords": [
@@ -11,0 +11,0 @@ "security",

test/csp.js

@@ -51,2 +51,6 @@ // jshint quotmark: false
         },
+        'Opera 21': {
+            string: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.132 Safari/537.36 OPR/21.0.1432.67',
+            header: 'Content-Security-Policy'
+        },
         'Safari 5.1': {
@@ -63,2 +67,20 @@ string: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10',
             header: 'Content-Security-Policy'
+        },
+        'Internet Explorer 8': {
+            string: 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)',
+            special: true
+        },
+        'Internet Explorer 9': {
+            string: 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)',
+            special: true
+        },
+        'Internet Explorer 10': {
+            string: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
+            header: 'X-Content-Security-Policy',
+            special: true
+        },
+        'Internet Explorer 11': {
+            string: 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
+            header: 'X-Content-Security-Policy',
+            special: true
         }
@@ -139,3 +161,3 @@ };
 
-    _.each(AGENTS, function(agent) {
+    _.each(AGENTS, function(agent, name) {
 
@@ -146,3 +168,3 @@ if (agent.special) {
 
-        it('sets the header properly for ' + agent.name, function (done) {
+        it('sets the header properly for ' + name, function (done) {
             var app = use(POLICY);
@@ -186,14 +208,22 @@ var header = agent.header;
 
-    it("doesn't set the property for Safari 5.1 by default", function (done) {
-        var app = use(POLICY);
-        request(app).get('/').set('User-Agent', AGENTS['Safari 5.1'].string)
-        .end(function(err, res) {
-            if (err) {
-                return done(err);
-            }
-            assert(res.header['X-WebKit-CSP'] === undefined);
-            assert(res.header['Content-Security-Policy'] === undefined);
-            assert(res.header['X-Content-Security-Policy'] === undefined);
-            done();
+    [
+        'Safari 5.1',
+        'Internet Explorer 8',
+        'Internet Explorer 9'
+    ].forEach(function (browser) {
+
+        it("doesn't set the property for " + browser + " by default", function (done) {
+            var app = use(POLICY);
+            request(app).get('/').set('User-Agent', AGENTS[browser].string)
+            .end(function(err, res) {
+                if (err) {
+                    return done(err);
+                }
+                assert(res.header['X-WebKit-CSP'] === undefined);
+                assert(res.header['Content-Security-Policy'] === undefined);
+                assert(res.header['X-Content-Security-Policy'] === undefined);
+                done();
+            });
         });
+
     });
@@ -210,2 +240,32 @@
 
+    [10, 11].forEach(function (version) {
+
+        var ua = AGENTS['Internet Explorer ' + version];
+
+        it('sets the header for IE ' + version + ' if sandbox is true', function (done) {
+            var app = use({ sandbox: true });
+            request(app).get('/').set('User-Agent', ua.string)
+            .expect(ua.header, 'sandbox', done);
+        });
+
+        it('sets the header for IE ' + version + ' if sandbox is an array', function (done) {
+            var app = use({ sandbox: ['allow-forms', 'allow-scripts'] });
+            request(app).get('/').set('User-Agent', ua.string)
+            .expect(ua.header, /sandbox allow-forms allow-scripts/, done);
+        });
+
+        it("doesn't set the header for IE " + version + " if sandbox isn't specified", function (done) {
+            var app = use({ 'default-src': ["'self'"] });
+            request(app).get('/').set('User-Agent', ua.string)
+            .end(function (err, res) {
+                if (err) {
+                    return done(err);
+                }
+                assert(res.header[ua.header] === undefined);
+                done();
+            });
+        });
+
+    });
+
     it("doesn't splice the original array", function (done) {
@@ -212,0 +272,0 @@ var app = use({

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

41027

increased by6.45%

Number of package files

28

increased by3.7%

Lines of code

853

increased by7.03%

No dependency changes