UNPKG

express-extendcsp

Version:

Extend the Content Security Policy on the fly (for development)

github.com/papandreou/express-extendcsp

papandreou/express-extendcsp

155 lines (138 loc) 5.11 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
const expect = require('unexpected').clone().use(require('unexpected-express')); const expressExtendCsp = require('../lib/expressExtendCsp'); const express = require('express'); let config; beforeEach(function () { config = {}; }); expect.addAssertion( '<string|undefined> to come out as <any>', function (expect, subject, value) { return expect( express() .use(expressExtendCsp(config)) .use(function (req, res) { if (subject !== undefined) { res.setHeader('Content-Security-Policy', subject); } res.send( '<!DOCTYPE html>\n<html><head></head><body>foo</body></html>' ); }), 'to yield exchange', { request: '/', response: { headers: { 'Content-Security-Policy': value, }, }, } ); } ); describe('expressExtendCsp', function () { describe('extending the csp', function () { it('should not do anything when no config is passed', function () { config = undefined; return expect('style-src https:', 'to come out as', 'style-src https:'); }); it('should not do anything when config.add is not defined', function () { return expect('style-src https:', 'to come out as', 'style-src https:'); }); it('should not do anything when there is no Content-Security-Policy header already', function () { config = { add: { styleSrc: ['somewhereovertherainbow.com'] } }; return expect(undefined, 'to come out as', undefined); }); it('should add to an existing directive, array case', function () { config = { add: { styleSrc: ['somewhereovertherainbow.com'] } }; return expect( 'style-src https:', 'to come out as', 'style-src https: somewhereovertherainbow.com' ); }); it('should add to an existing directive, string case', function () { config = { add: { styleSrc: 'somewhereovertherainbow.com' } }; return expect( 'style-src https:', 'to come out as', 'style-src https: somewhereovertherainbow.com' ); }); it('should add to an existing directive, non-camel cased key', function () { config = { add: { 'style-src': 'somewhereovertherainbow.com' } }; return expect( 'style-src https:', 'to come out as', 'style-src https: somewhereovertherainbow.com' ); }); describe('with a broken or irregular existing CSP', function () { it('should tolerate a semicolon at the end', function () { config = { add: { 'style-src': 'somewhereovertherainbow.com' } }; return expect( 'script-src *;', 'to come out as', 'script-src *; style-src somewhereovertherainbow.com' ); }); it('should tolerate an empty directive when adding to it', function () { config = { add: { 'style-src': 'somewhereovertherainbow.com' } }; return expect( 'style-src', 'to come out as', 'style-src somewhereovertherainbow.com' ); }); it('should tolerate an empty directive when adding to a different one', function () { config = { add: { 'style-src': 'somewhereovertherainbow.com' } }; return expect( 'script-src;', 'to come out as', 'script-src; style-src somewhereovertherainbow.com' ); }); }); it("should remove the 'none' token when adding to an empty directive", function () { config = { add: { styleSrc: ['somewhereovertherainbow.com'] } }; return expect( "style-src 'none'", 'to come out as', 'style-src somewhereovertherainbow.com' ); }); it('should add a new directive', function () { config = { add: { styleSrc: ['somewhereovertherainbow.com'] } }; return expect( "connect-src 'self'", 'to come out as', "connect-src 'self'; style-src somewhereovertherainbow.com" ); }); it('should take default-src into account when adding a new directive that falls back to default-src', function () { config = { add: { styleSrc: ['somewhereovertherainbow.com'] } }; return expect( "default-src 'self'", 'to come out as', "default-src 'self'; style-src 'self' somewhereovertherainbow.com" ); }); it("should handle a default-src of 'none' when adding a new directive that falls back to default-src", function () { config = { add: { styleSrc: ['somewhereovertherainbow.com'] } }; return expect( "default-src 'none'", 'to come out as', "default-src 'none'; style-src somewhereovertherainbow.com" ); }); it('should disregard default-src when adding a new directive that does not fall back to it per spec', function () { config = { add: { childSrc: ['somewhereovertherainbow.com'] } }; return expect( "default-src 'self'", 'to come out as', "default-src 'self'; child-src somewhereovertherainbow.com" ); }); }); });