x-xss-protection - npm Package Compare versions

Comparing version 1.2.0 to 1.3.0

CHANGELOG.md

 # Changelog
 
+## 1.3.0 - 2019-09-01
+### Added
+- Added `mode: null` to disable `mode=block`
+
+### Changed
+- Minor performance improvements with Internet Explorer <9 detection
+
 ## 1.2.0 - 2019-06-15
@@ -4,0 +11,0 @@ ### Added

dist/index.d.ts

 /// <reference types="node" />
 import { IncomingMessage, ServerResponse } from 'http';
 interface XXssProtectionOptions {
+    mode?: 'block' | null;
     reportUri?: string;
@@ -5,0 +6,0 @@ setOnOldIE?: boolean;

dist/index.js

 "use strict";
+function doesUserAgentMatchOldInternetExplorer(userAgent) {
+    if (!userAgent) {
+        return false;
+    }
+    var matches = /msie\s*(\d{1,2})/i.exec(userAgent);
+    return matches ? parseFloat(matches[1]) < 9 : false;
+}
+function getHeaderValueFromOptions(options) {
+    var directives = ['1'];
+    var isBlockMode;
+    if ('mode' in options) {
+        if (options.mode === 'block') {
+            isBlockMode = true;
+        }
+        else if (options.mode === null) {
+            isBlockMode = false;
+        }
+        else {
+            throw new Error('The `mode` option must be set to "block" or null.');
+        }
+    }
+    else {
+        isBlockMode = true;
+    }
+    if (isBlockMode) {
+        directives.push('mode=block');
+    }
+    if (options.reportUri) {
+        directives.push("report=" + options.reportUri);
+    }
+    return directives.join('; ');
+}
 module.exports = function xXssProtection(options) {
     if (options === void 0) { options = {}; }
-    var headerValue = '1; mode=block';
-    if (options.reportUri) {
-        headerValue += "; report=" + options.reportUri;
-    }
+    var headerValue = getHeaderValueFromOptions(options);
     if (options.setOnOldIE) {
@@ -16,10 +45,3 @@ return function xXssProtection(_req, res, next) {
         return function xXssProtection(req, res, next) {
-            var matches = /msie\s*(\d+)/i.exec(req.headers['user-agent'] || '');
-            var value;
-            if (!matches || parseFloat(matches[1]) >= 9) {
-                value = headerValue;
-            }
-            else {
-                value = '0';
-            }
+            var value = doesUserAgentMatchOldInternetExplorer(req.headers['user-agent']) ? '0' : headerValue;
             res.setHeader('X-XSS-Protection', value);
@@ -26,0 +48,0 @@ next();

package.json

@@ -8,3 +8,3 @@ {
   "description": "Middleware to set the X-XSS-Protection header",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "license": "MIT",
@@ -50,14 +50,14 @@ "keywords": [
     "@types/connect": "^3.4.32",
-    "@types/jest": "^24.0.14",
-    "@types/supertest": "^2.0.7",
-    "@typescript-eslint/eslint-plugin": "^1.9.0",
-    "@typescript-eslint/parser": "^1.9.0",
+    "@types/jest": "^24.0.18",
+    "@types/supertest": "^2.0.8",
+    "@typescript-eslint/eslint-plugin": "^2.0.0",
+    "@typescript-eslint/parser": "^2.0.0",
     "connect": "^3.7.0",
     "eslint": "^5.16.0",
     "eslint-config-helmet": "^0.2.0",
-    "jest": "^24.8.0",
+    "jest": "^24.9.0",
     "supertest": "^4.0.2",
     "ts-jest": "^24.0.2",
-    "typescript": "^3.5.2"
+    "typescript": "^3.6.2"
   }
 }

README.md

@@ -28,1 +28,7 @@ X-XSS-Protection middleware
 ```
+
+To remove `mode=block` from the header, which isn't recommended, set the `mode` option to `null`:
+
+```javascript
+app.use(xssFilter({ mode: null }))
+```

No alert changes

Improved metrics

Total package byte prevSize

6730

increased by16.84%

Lines of code

59

increased by63.89%

Number of lines in readme file

34

increased by21.43%

No dependency changes