ember-cli-content-security-policy
This addon adds the Content-Security-Policy header to responses sent from the Ember CLI Express server.
import { assert } from '@ember/debug';
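/**
 * Reads this addon's run-time configuration from the application's
 * `config:environment` registration (per the original author, the config
 * that is stored in a meta element).
 *
 * @param {object} appInstance - application instance exposing `resolveRegistration`
 * @returns {object} the `ember-cli-content-security-policy` config entry,
 *   expected to carry a boolean `reportOnly` and a string `policy`
 */
function readAddonConfig(appInstance) {
  const config = appInstance.resolveRegistration('config:environment');
  const addonConfig = config['ember-cli-content-security-policy'];

  // TODO: do not require policy to be stored in config object
  // if already available through CSP meta element

  // NOTE(review): `assert` from `@ember/debug` is removed from production
  // builds, so this shape check guards development and test runs only. A
  // missing or malformed entry is returned unchanged in production and the
  // caller must cope with it.
  assert(
    'Required configuration is available at run-time',
    // `typeof null` is 'object' too; rule null out explicitly so a null entry
    // fails this assertion instead of raising a TypeError on property access.
    typeof addonConfig === 'object' &&
      addonConfig !== null &&
      typeof addonConfig.reportOnly === 'boolean' &&
      typeof addonConfig.policy === 'string'
  );

  return addonConfig;
}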
/**
 * Adds the configured CSP header to the FastBoot response.
 *
 * Does nothing unless the application has a FastBoot service that reports
 * `isFastBoot`. The header name depends on `reportOnly`; the value is the
 * configured `policy` string, written as-is.
 *
 * Security notes:
 * - An existing CSP header of either kind suppresses this one. If a
 *   `Content-Security-Policy-Report-Only` header is already present, no
 *   enforcing `Content-Security-Policy` header is added, even when
 *   `reportOnly` is false.
 * - `policy` is only shape-checked by the debug assertion in
 *   `readAddonConfig`; nothing here validates its content.
 *
 * @param {object} appInstance - application instance exposing `lookup` and
 *   `resolveRegistration`
 * @returns {void}
 */
export function initialize(appInstance) {
  const fastbootService = appInstance.lookup('service:fastboot');

  // Nothing to do when there is no FastBoot service, or when the application
  // is not currently running in FastBoot.
  if (!(fastbootService && fastbootService.get('isFastBoot'))) {
    return;
  }

  const { policy, reportOnly } = readAddonConfig(appInstance);
  const headers = fastbootService.get('response.headers');

  // Never override a CSP header that something else has already set.
  const hasExistingCspHeader =
    headers.has('Content-Security-Policy-Report-Only') ||
    headers.has('Content-Security-Policy');
  if (hasExistingCspHeader) {
    return;
  }

  let headerName = 'Content-Security-Policy';
  if (reportOnly) {
    headerName = 'Content-Security-Policy-Report-Only';
  }

  headers.set(headerName, policy);
}
// Default export: an object exposing `initialize`.
// NOTE(review): presumably the shape Ember expects of an instance
// initializer module; confirm against where this file is registered.
export default { initialize };