;
var helmet = require('helmet');
var kebabCase = require('lodash/kebabCase');
/**
 * Rollup-style CJS/ESM interop shim: returns the module namespace itself when it
 * already carries a `default` export, otherwise wraps the value as `{ default }`.
 * Non-object values (e.g. a function export) are always wrapped.
 */
function _interopDefaultCompat(mod) {
  const hasDefaultExport = Boolean(mod) && typeof mod === 'object' && 'default' in mod;
  return hasDefaultExport ? mod : { default: mod };
}
var helmet__default = /*#__PURE__*/_interopDefaultCompat(helmet);
var kebabCase__default = /*#__PURE__*/_interopDefaultCompat(kebabCase);
/**
 * Build the options object passed to helmet for the Backstage backend.
 *
 * The CSP is fully controlled by this module: helmet's own defaults are turned
 * off (`useDefaults: false`) and the directive set produced by
 * `applyCspDirectives` (helmet defaults + Backstage tweaks + `csp` config
 * overrides) is used instead. Note that the Backstage baseline deliberately
 * allows `'unsafe-eval'` in `script-src`; deployments should review that
 * against their own XSS risk tolerance and tighten it through config.
 *
 * @param {object|undefined} config - Config node whose optional `csp` child
 *   holds directive overrides (see `readCspDirectives`).
 * @returns {object} helmet options.
 */
function readHelmetOptions(config) {
  const directives = applyCspDirectives(readCspDirectives(config));
  const helmetOptions = {
    contentSecurityPolicy: {
      useDefaults: false,
      directives,
    },
    // These are all disabled in order to maintain backwards compatibility
    // when bumping helmet v5. We can't enable these by default because
    // there is no way for users to configure them. Disabling them means the
    // COEP/COOP/CORP and Origin-Agent-Cluster isolation headers are not sent.
    // TODO(Rugvip): We should give control of this setup to consumers
    crossOriginEmbedderPolicy: false,
    crossOriginOpenerPolicy: false,
    crossOriginResourcePolicy: false,
    originAgentCluster: false,
  };
  return helmetOptions;
}
/**
 * Read CSP directive overrides from the optional `csp` child of `config`.
 *
 * Each key under `csp` is a directive name (any casing; normalised later by
 * `applyCspDirectives`). A value of `false` marks the directive for removal;
 * any other value must be a string array and is taken as the directive's
 * source list. `getStringArray` is expected to reject non-array values, so a
 * scalar in config surfaces as a config error rather than a silently weakened
 * policy.
 *
 * @param {object|undefined} config - Config node exposing `getOptionalConfig`.
 * @returns {Record<string, string[]|false>|undefined} Overrides, or `undefined`
 *   when no `csp` section is configured.
 */
function readCspDirectives(config) {
  const cspConfig = config?.getOptionalConfig("csp");
  if (!cspConfig) {
    return void 0;
  }
  return Array.from(cspConfig.keys()).reduce((overrides, name) => {
    overrides[name] =
      cspConfig.get(name) === false ? false : cspConfig.getStringArray(name);
    return overrides;
  }, {});
}
/**
 * Produce the final CSP directive map: helmet's default directives, adjusted
 * for Backstage, then overridden by user-supplied directives.
 *
 * Backstage-specific baseline changes (both weaken helmet's defaults):
 *  - `script-src` is set to `'self' 'unsafe-eval'`. `'unsafe-eval'` permits
 *    eval()/new Function() in allowed scripts and significantly reduces CSP's
 *    value against XSS; it is hard-coded here and can only be tightened by
 *    supplying a `script-src` override.
 *  - `form-action` is removed, so CSP no longer restricts where forms may
 *    submit unless a `form-action` override is supplied.
 *
 * Override keys are kebab-cased (e.g. `upgradeInsecureRequests` ->
 * `upgrade-insecure-requests`); a `false` value deletes the directive, any
 * other value replaces it.
 *
 * NOTE(review): with `useDefaults: false` helmet is expected to throw at
 * setup if `default-src` ends up missing, so `default-src: false` in config
 * likely breaks startup rather than silently dropping the fallback — confirm
 * against the installed helmet version.
 *
 * @param {Record<string, string[]|false>|undefined} directives - Overrides
 *   from `readCspDirectives`; falsy means "no overrides".
 * @returns {Record<string, string[]>} Directive map for helmet.
 */
function applyCspDirectives(directives) {
  const merged = helmet__default.default.contentSecurityPolicy.getDefaultDirectives();
  merged["script-src"] = ["'self'", "'unsafe-eval'"];
  delete merged["form-action"];
  // A falsy `directives` yields no entries, so the loop is skipped.
  for (const [name, value] of Object.entries(directives ?? {})) {
    const directive = kebabCase__default.default(name);
    if (value === false) {
      delete merged[directive];
      continue;
    }
    merged[directive] = value;
  }
  return merged;
}
exports.applyCspDirectives = applyCspDirectives;
exports.readHelmetOptions = readHelmetOptions;
//# sourceMappingURL=readHelmetOptions.cjs.js.map