
x-xss-protection - npm Package Compare versions

Comparing version 0.2.0 to 1.0.0

36

index.js

@@ -1,30 +0,22 @@

module.exports = function xXssProtection(options) {
module.exports = function xXssProtection (options) {
if (options && options.setOnOldIE) {
return function xXssProtection(req, res, next) {
res.setHeader('X-XSS-Protection', '1; mode=block');
next();
};
return function xXssProtection (req, res, next) {
res.setHeader('X-XSS-Protection', '1; mode=block')
next()
}
} else {
return function xXssProtection (req, res, next) {
var matches = /msie\s*(\d+)/i.exec(req.headers['user-agent'])
return function xXssProtection(req, res, next) {
var matches = /msie\s*(\d+)/i.exec(req.headers['user-agent']);
var value;
var value
if (!matches || (parseFloat(matches[1]) >= 9)) {
value = '1; mode=block';
value = '1; mode=block'
} else {
value = '0';
value = '0'
}
res.setHeader('X-XSS-Protection', value);
next();
};
res.setHeader('X-XSS-Protection', value)
next()
}
}
};
}
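Review bot: The `>= 9` cut-off in `parseFloat(matches[1]) >= 9` carries no explanation in index.js itself, so a reader of the source alone cannot tell why IE below 9 is sent `0` while everything else gets `1; mode=block`; a one-line comment above the `if`, `// IE < 9's XSS filter is itself exploitable (MS10-002), so disable it there`, would bring the reasoning the README gives into the code. Since the capture group is `\d+`, `parseInt(matches[1], 10)` states the intent more directly than `parseFloat`. The regex only recognises an `MSIE` token, so any User-Agent without one — including an absent or empty header, which the tests exercise — falls through to `1; mode=block`; that looks intentional, but because this is a heuristic over a client-supplied header it deserves a comment saying so.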

@@ -8,3 +8,4 @@ {

"description": "Middleware to set the X-XSS-Protection header",
"version": "0.2.0",
"version": "1.0.0",
"license": "MIT",
"keywords": [

@@ -24,11 +25,19 @@ "helmet",

"scripts": {
"test": "mocha"
"test": "standard && mocha"
},
"devDependencies": {
"async": "^0.9.0",
"async": "^1.5.0",
"connect": "^3.3.1",
"mocha": "^2.0.1",
"mocha": "^2.3.4",
"rfile": "^1.0.0",
"supertest": "^0.15.0"
"standard": "^5.4.1",
"supertest": "^1.1.0"
},
"standard": {
"globals": [
"describe",
"beforeEach",
"it"
]
}
}

@@ -1,21 +0,22 @@

# X-XSS-Protection middleware
X-XSS-Protection middleware
===========================
[![Build Status](https://travis-ci.org/helmetjs/x-xss-protection.svg?branch=master)](https://travis-ci.org/helmetjs/x-xss-protection)
[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/)
**Trying to prevent:** Cross-site scripting attacks (XSS), a subset of the above.
The `X-XSS-Protection` HTTP header is a basic protection against XSS. It was originally [by Microsoft](http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx) but Chrome has since adopted it as well.
**How we mitigate this:** The `X-XSS-Protection` HTTP header is a basic protection against XSS. It was originally [by Microsoft](http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx) but Chrome has since adopted it as well. To use it:
This middleware sets the `X-XSS-Protection` header. On modern browsers, it will set the value to `1; mode=block`. On old versions of Internet Explorer, this creates a vulnerability (see [here](http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/) and [here](http://technet.microsoft.com/en-us/security/bulletin/MS10-002)), and so the header is set to `0` to disable it.
To use this middleware:
```javascript
var xssFilter = require('x-xss-protection');
app.use(xssFilter());
var xssFilter = require('x-xss-protection')
app.use(xssFilter())
```
This sets the `X-XSS-Protection` header. On modern browsers, it will set the value to `1; mode=block`. On old versions of Internet Explorer, this creates a vulnerability (see [here](http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/) and [here](http://technet.microsoft.com/en-us/security/bulletin/MS10-002)), and so the header is set to `0` to disable it. To force the header on all versions of IE, add the option:
To force the header to be set to `1; mode=block` on all versions of IE, add the option:
```javascript
app.use(xssFilter({ setOnOldIE: true }));
app.use(xssFilter({ setOnOldIE: true }))
// This has some security problems for old IE!
```
**Limitations:** This isn't anywhere near as thorough as Content Security Policy. It's only properly supported on IE9+ and Chrome; no other major browsers support it at this time. Old versions of IE support it in a buggy way, which we disable by default.

@@ -1,29 +0,29 @@

var xssFilter = require('..');
var xssFilter = require('..')
var connect = require('connect');
var request = require('supertest');
var rfile = require('rfile');
var each = require('async').each;
var assert = require('assert');
var connect = require('connect')
var request = require('supertest')
var rfile = require('rfile')
var each = require('async').each
var assert = require('assert')
describe('xssFilter', function () {
function grabList(filename) {
describe('x-xss-protection', function () {
function grabList (filename) {
return rfile(filename)
.split('\n')
.filter(function (line) {
return line.trim() !== '';
});
.split('\n')
.filter(function (line) {
return line.trim() !== ''
})
}
var enabledBrowsers = grabList('./enabled_browser_list.txt');
var disabledBrowsers = grabList('./disabled_browser_list.txt');
var enabledBrowsers = grabList('./enabled_browser_list.txt')
var disabledBrowsers = grabList('./disabled_browser_list.txt')
var app;
var app
beforeEach(function () {
app = connect();
app.use(xssFilter());
app = connect()
app.use(xssFilter())
app.use(function (req, res) {
res.end('Hello world!');
});
});
res.end('Hello world!')
})
})

@@ -33,5 +33,5 @@ it('enables it for supported browsers', function (done) {

request(app).get('/').set('User-Agent', useragent)
.expect('X-XSS-Protection', '1; mode=block', callback);
}, done);
});
.expect('X-XSS-Protection', '1; mode=block', callback)
}, done)
})

@@ -41,32 +41,32 @@ it('disables it for unsupported browsers', function (done) {

request(app).get('/').set('User-Agent', useragent)
.expect('X-XSS-Protection', '0', callback);
}, done);
});
.expect('X-XSS-Protection', '0', callback)
}, done)
})
it('sets header if there is an empty user-agent', function (done) {
request(app).get('/').set('User-Agent', '')
.expect('X-XSS-Protection', '1; mode=block', done);
});
.expect('X-XSS-Protection', '1; mode=block', done)
})
it('sets header if there is no user-agent', function (done) {
request(app).get('/').unset('User-Agent')
.expect('X-XSS-Protection', '1; mode=block', done);
});
.expect('X-XSS-Protection', '1; mode=block', done)
})
it('allows you to force the header for unsupported browsers', function (done) {
app = connect();
app.use(xssFilter({ setOnOldIE: true }));
app = connect()
app.use(xssFilter({ setOnOldIE: true }))
app.use(function (req, res) {
res.end('Hello world!');
});
res.end('Hello world!')
})
each(disabledBrowsers, function (useragent, callback) {
request(app).get('/').set('User-Agent', useragent)
.expect('X-XSS-Protection', '1; mode=block', callback);
}, done);
});
.expect('X-XSS-Protection', '1; mode=block', callback)
}, done)
})
it('names its function and middleware', function () {
assert.equal(xssFilter.name, 'xXssProtection');
assert.equal(xssFilter().name, 'xXssProtection');
});
});
assert.equal(xssFilter.name, 'xXssProtection')
assert.equal(xssFilter().name, 'xXssProtection')
})
})
