csprefabricate
Generate valid and secure Content Security Policies (CSP) with TypeScript.
// CommonJS interop marker so ES-module consumers see a real default/named export split.
Object.defineProperty(exports, "__esModule", { value: true });
// Pre-declare the three exported presets (in the same insertion order as the
// original chained assignment) so the names exist before they are populated below.
exports.BASELINE_STRICT_CSP = void 0;
exports.GOOGLE_ANALYTICS_CSP = void 0;
exports.GOOGLE_ANALYTICS_WITH_SIGNALS_CSP = void 0;
const types_1 = require("./types");
/**
 * Country-code suffixes of Google's regional domains, taken from
 * https://www.google.com/supported_domains
 *
 * Every entry keeps its leading dot so it can be appended directly to a
 * `https://*.google` host prefix. The list is consumed only by
 * GOOGLE_ANALYTICS_WITH_SIGNALS_CSP, where each suffix presumably becomes one
 * extra wildcard host in img-src and connect-src — a substantial widening of
 * the policy, so that preset should only be used when Google Signals is on.
 */
const googleSupportedTLDs = `
  .com .ad .ae .com.af .com.ag .al .am .co.ao .com.ar .as
  .at .com.au .az .ba .com.bd .be .bf .bg .com.bh .bi
  .bj .com.bn .com.bo .com.br .bs .bt .co.bw .by .com.bz .ca
  .cd .cf .cg .ch .ci .co.ck .cl .cm .cn .com.co
  .co.cr .com.cu .cv .com.cy .cz .de .dj .dk .dm .com.do
  .dz .com.ec .ee .com.eg .es .com.et .fi .com.fj .fm .fr
  .ga .ge .gg .com.gh .com.gi .gl .gm .gr .com.gt .gy
  .com.hk .hn .hr .ht .hu .co.id .ie .co.il .im .co.in
  .iq .is .it .je .com.jm .jo .co.jp .co.ke .com.kh .ki
  .kg .co.kr .com.kw .kz .la .com.lb .li .lk .co.ls .lt
  .lu .lv .com.ly .co.ma .md .me .mg .mk .ml .com.mm
  .mn .com.mt .mu .mv .mw .com.mx .com.my .co.mz .com.na .com.ng
  .com.ni .ne .nl .no .com.np .nr .nu .co.nz .com.om .com.pa
  .com.pe .com.pg .com.ph .com.pk .pl .pn .com.pr .ps .pt .com.py
  .com.qa .ro .ru .rw .com.sa .com.sb .sc .se .com.sg .sh
  .si .sk .com.sl .sn .so .sm .sr .st .com.sv .td
  .tg .co.th .com.tj .tl .tm .tn .to .com.tr .tt .com.tw
  .co.tz .com.ua .co.ug .co.uk .com.uy .co.uz .com.vc .co.ve .co.vi .com.vn
  .vu .ws .rs .co.za .co.zm .co.zw .cat
`
  .trim()
  .split(/\s+/);
/**
 * Host-allowlist baseline shared by the presets below: every listed fetch
 * directive is limited to the page's own origin, plugins (object-src) are
 * disabled outright, and base-uri / form-action are pinned to 'self' so the
 * document base and form targets cannot be redirected off-origin.
 *
 * "Strict" here means self-only host sources; none of these presets emit the
 * nonce/hash based 'strict-dynamic' form of a Strict CSP.
 *
 * Each directive receives its own fresh array so a caller that mutates one
 * directive's source list cannot accidentally alter another.
 */
const selfOnly = () => ["'self'"];
exports.BASELINE_STRICT_CSP = {
  [types_1.Directive.DEFAULT_SRC]: selfOnly(),
  [types_1.Directive.SCRIPT_SRC]: selfOnly(),
  [types_1.Directive.STYLE_SRC]: selfOnly(),
  [types_1.Directive.IMG_SRC]: selfOnly(),
  [types_1.Directive.OBJECT_SRC]: ["'none'"],
  [types_1.Directive.BASE_URI]: selfOnly(),
  [types_1.Directive.FORM_ACTION]: selfOnly(),
};
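/**
 * Google Analytics 4 Content Security Policy based on the official guidelines.
 * https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
 *
 * Extends BASELINE_STRICT_CSP and widens only script-src, img-src and
 * connect-src. Every Google host carries an explicit `https://` scheme: a
 * scheme-less host-source matches the scheme of the page itself, so on a page
 * served over plain http it would also permit http:// loads of the tag
 * manager script. The script-src entry previously lacked the scheme and is
 * now written like the other entries (and like the guide).
 *
 * Allow-listing a tag manager host as a script source delegates script trust
 * to whatever that container is configured to serve; publishing rights on the
 * container deserve the same scrutiny as changes to this policy.
 */
exports.GOOGLE_ANALYTICS_CSP = {
  ...exports.BASELINE_STRICT_CSP,
  // Restated explicitly (same value as the baseline) so this preset owns its own array.
  [types_1.Directive.DEFAULT_SRC]: ["'self'"],
  [types_1.Directive.SCRIPT_SRC]: ["'self'", "https://*.googletagmanager.com"],
  [types_1.Directive.IMG_SRC]: [
    "'self'",
    "https://*.google-analytics.com",
    "https://*.googletagmanager.com",
  ],
  [types_1.Directive.CONNECT_SRC]: [
    "'self'",
    "https://*.google-analytics.com",
    "https://*.analytics.google.com",
    "https://*.googletagmanager.com",
  ],
};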
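/**
 * Google Analytics 4 policy with Google Signals enabled (see the Google Signals
 * section of the guide linked on GOOGLE_ANALYTICS_CSP).
 *
 * Extends GOOGLE_ANALYTICS_CSP — which already contains every key of
 * BASELINE_STRICT_CSP, so spreading the baseline again added nothing — and
 * widens img-src and connect-src to the ad-serving hosts plus one wildcard
 * host per regional Google domain, and adds a frame-src allowlist.
 *
 * The regional-domain entries pair a host prefix with googleSupportedTLDs.
 * Those suffixes carry their own leading dot (".com", ".co.uk", ...), so the
 * prefix must not end in a dot; the img-src prefix previously did
 * (`https://*.google.`) while the connect-src one did not, which at best
 * produced a different host set for the two directives. Both now use the same
 * prefix.
 */
exports.GOOGLE_ANALYTICS_WITH_SIGNALS_CSP = {
  ...exports.GOOGLE_ANALYTICS_CSP,
  [types_1.Directive.IMG_SRC]: [
    "'self'",
    "https://*.google-analytics.com",
    "https://*.googletagmanager.com",
    "https://*.g.doubleclick.net",
    // ".com" is also in the TLD list, so this host may be emitted twice once
    // expanded; duplicate source expressions are harmless in CSP.
    "https://*.google.com",
    { "https://*.google": googleSupportedTLDs },
  ],
  [types_1.Directive.CONNECT_SRC]: [
    "'self'",
    "https://*.google-analytics.com",
    "https://*.googletagmanager.com",
    "https://*.g.doubleclick.net",
    "https://pagead2.googlesyndication.com",
    { "https://*.google": googleSupportedTLDs },
  ],
  [types_1.Directive.FRAME_SRC]: [
    "'self'",
    "https://td.doubleclick.net",
    "https://www.googletagmanager.com",
  ],
};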