UNPKG

csp-header

Version:

Content-Security-Policy header generator

github.com/frux/csp/tree/master/packages/csp-header

frux/csp

171 lines (161 loc) 4.53 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
import { ALLOW_DOWNLOADS_WITHOUT_USER_ACTIVATION, ALLOW_DUPLICATES, ALLOW_FORMS, ALLOW_MODALS, ALLOW_ORIENTATION_LOCK, ALLOW_POINTER_LOCK, ALLOW_POPUPS, ALLOW_POPUPS_TO_ESCAPE_SANDBOX, ALLOW_PRESENTATION, ALLOW_SAME_ORIGIN, ALLOW_STORAGE_ACCESS_BY_USER_ACTIVATION, ALLOW_SCRIPTS, ALLOW_TOP_NAVIGATION, ALLOW_TOP_NAVIGATION_BY_USER_ACTIVATION, NO_REFERRER, NONE, NONE_WHEN_DOWNGRADE, ORIGIN, ORIGIN_WHEN_CROSS_ORIGIN, SCRIPT, SELF, STRICT_DYNAMIC, UNSAFE_EVAL, UNSAFE_HASHES, UNSAFE_INLINE, UNSAFE_URL, ALLOW, BLOCK, REPORT_SAMPLE, WASM_UNSAFE_EVAL, } from "./constants/values"; export interface CSPHeaderParams { directives?: Partial<CSPDirectives>; presets?: CSPPreset; reportUri?: string; } type DirectivesOfType<T> = { [K in keyof CSPDirectives]: CSPDirectives[K] extends T ? K : never; } extends Record<string, infer P> ? P : never; export type CSPDirectiveName = DirectivesOfType<any>; export type CSPListDirectiveName = DirectivesOfType<CSPListDirectiveValue>; export type CSPStringDirectiveName = DirectivesOfType<CSPStringDirectiveValue>; export type CSPBooleanDirectiveName = DirectivesOfType<CSPBooleanDirectiveValue>; export type CSPDirectiveValue = | CSPListDirectiveValue | CSPStringDirectiveValue | CSPBooleanDirectiveValue; export type CSPListDirectiveValue = (string | false)[]; export type CSPStringDirectiveValue = string; export type CSPBooleanDirectiveValue = boolean; export type CSPPreset = CSPPresetsObject | CSPPresetsArray; export type CSPPresetsObject = { [presetName: string]: Partial<CSPDirectives> }; export type CSPPresetsArray = Partial<CSPDirectives>[]; type TSource = string; type TNonce = `nonce-${string}`; type THash = `sha${"256" | "384" | "512"}-${string}`; type TMimeType = `${string}/${string}`; type TFetchDirective = | false | TSource | TNonce | THash | typeof NONE | typeof SELF | typeof UNSAFE_EVAL | typeof UNSAFE_HASHES | typeof UNSAFE_INLINE; type TAttrDirective = | false | THash | typeof NONE | typeof UNSAFE_INLINE | typeof UNSAFE_HASHES; type TDocumentDirective = | false | TSource | TNonce | THash | typeof NONE | typeof SELF | typeof UNSAFE_EVAL | typeof UNSAFE_HASHES | typeof UNSAFE_INLINE; type TNavigationDirective = | false | TSource | TNonce | THash | typeof NONE | typeof SELF | typeof UNSAFE_EVAL | typeof UNSAFE_HASHES | typeof UNSAFE_INLINE | typeof STRICT_DYNAMIC; type TWebRTCDirective = typeof ALLOW | typeof BLOCK; export type CSPDirectives = { "base-uri": (TDocumentDirective | typeof STRICT_DYNAMIC)[]; "block-all-mixed-content": boolean; "child-src": TFetchDirective[]; "connect-src": TFetchDirective[]; "default-src": (TFetchDirective | typeof STRICT_DYNAMIC)[]; "font-src": TFetchDirective[]; "form-action": TNavigationDirective[]; "frame-ancestors": (TSource | typeof SELF | typeof NONE)[]; "frame-src": TFetchDirective[]; "img-src": (TFetchDirective | typeof STRICT_DYNAMIC)[]; "manifest-src": TFetchDirective[]; "media-src": TFetchDirective[]; "navigate-to": TNavigationDirective[]; "object-src": TFetchDirective[]; "plugin-types": TMimeType[]; "prefetch-src": TFetchDirective[]; referrer: | typeof NO_REFERRER | typeof NONE_WHEN_DOWNGRADE | typeof ORIGIN | typeof ORIGIN_WHEN_CROSS_ORIGIN | typeof UNSAFE_URL; "report-to": string; "report-uri": string; "require-sri-for": ("script" | "style")[]; "require-trusted-types-for": typeof SCRIPT; sandbox: ( | typeof ALLOW_DOWNLOADS_WITHOUT_USER_ACTIVATION | typeof ALLOW_FORMS | typeof ALLOW_MODALS | typeof ALLOW_ORIENTATION_LOCK | typeof ALLOW_POINTER_LOCK | typeof ALLOW_POPUPS | typeof ALLOW_POPUPS_TO_ESCAPE_SANDBOX | typeof ALLOW_PRESENTATION | typeof ALLOW_SAME_ORIGIN | typeof ALLOW_SCRIPTS | typeof ALLOW_STORAGE_ACCESS_BY_USER_ACTIVATION | typeof ALLOW_TOP_NAVIGATION | typeof ALLOW_TOP_NAVIGATION_BY_USER_ACTIVATION )[]; "script-src": ( | TFetchDirective | typeof STRICT_DYNAMIC | typeof REPORT_SAMPLE | typeof WASM_UNSAFE_EVAL )[]; "script-src-attr": (TAttrDirective | typeof REPORT_SAMPLE)[]; "script-src-elem": ( | TFetchDirective | typeof STRICT_DYNAMIC | typeof REPORT_SAMPLE )[]; "style-src": TFetchDirective[] | typeof REPORT_SAMPLE; "style-src-attr": (TAttrDirective | typeof REPORT_SAMPLE)[]; "style-src-elem": (TFetchDirective | typeof REPORT_SAMPLE)[]; "trusted-types": (string | typeof NONE | typeof ALLOW_DUPLICATES)[]; "upgrade-insecure-requests": boolean; "worker-src": TFetchDirective[]; webrtc: TWebRTCDirective; };