const expect = require('unexpected').clone();
const downgradeCsp3ToCsp2 = require('../lib/downgradeCsp3ToCsp2');
const parseCsp = require('../lib/parseCsp');
/**
 * Bring a parsed CSP object into a comparable shape.
 *
 * Every directive that has an array value is copied and sorted (so that
 * source-list order never affects a comparison); a truthy scalar value is
 * wrapped in a one-element array; falsy non-array values are dropped.
 *
 * @param {Object} parsedCsp - directive name → array or scalar value
 * @returns {Object} directive name → sorted array of values
 */
function normalizeParsedCsp(parsedCsp) {
  const normalized = {};
  for (const [directive, rawValue] of Object.entries(parsedCsp)) {
    if (Array.isArray(rawValue)) {
      // Copy before sorting so the caller's array is not mutated.
      normalized[directive] = rawValue.slice().sort();
    } else if (rawValue) {
      normalized[directive] = [rawValue];
    }
  }
  return normalized;
}
// Custom assertion: the subject (a CSP header string or an already parsed
// CSP object) must, after downgradeCsp3ToCsp2, satisfy the given CSP2
// policy. Strings are parsed with parseCsp, and both sides are normalized
// so that source-list ordering cannot make an equivalent policy fail.
expect.addAssertion(
  '<object|string> to come out as <object|string>',
  (expect, subject, value) => {
    const parsedSubject =
      typeof subject === 'string' ? parseCsp(subject) : subject;
    const parsedValue = typeof value === 'string' ? parseCsp(value) : value;
    const downgraded = downgradeCsp3ToCsp2(normalizeParsedCsp(parsedSubject));
    expect(
      normalizeParsedCsp(downgraded),
      'to satisfy',
      normalizeParsedCsp(parsedValue)
    );
  }
);
describe('downgradeCsp3ToCsp2', () => {
  // Table of [it() title, CSP3 policy fed in, CSP2 policy expected out].
  // The CSP3-only keywords 'strict-dynamic' and 'unsafe-hashed-attributes'
  // are expected to fall back to 'unsafe-inline' for a CSP2 browser, which
  // is a looser policy than the CSP3 original for that browser.
  // NOTE(review): the CSP3 draft later renamed 'unsafe-hashed-attributes'
  // to 'unsafe-hashes'; no case covers the newer spelling — confirm whether
  // the library handles it.
  const cases = [
    [
      'should leave all directives not ending in -src untouched',
      'report-uri http://mntr.dk',
      'report-uri http://mntr.dk',
    ],
    [
      "should replace 'unsafe-hashed-attributes' with 'unsafe-inline'",
      "script-src 'unsafe-hashed-attributes'",
      "script-src 'unsafe-inline'",
    ],
    [
      "should leave 'unsafe-inline' when removing 'unsafe-hashed-attributes'",
      "script-src 'unsafe-inline' 'unsafe-hashed-attributes'",
      "script-src 'unsafe-inline'",
    ],
    [
      "should leave 'nonce-...'",
      "script-src 'nonce-foo'",
      "script-src 'nonce-foo'",
    ],
    [
      "should leave 'sha...'",
      "script-src 'sha256-XeYlw2NVzOfB1UCIJqCyGr+0n7bA4fFslFpvKu84IAw='",
      "script-src 'sha256-XeYlw2NVzOfB1UCIJqCyGr+0n7bA4fFslFpvKu84IAw='",
    ],
    [
      "should replace 'strict-dynamic' with 'unsafe-inline'",
      "script-src 'strict-dynamic'",
      "script-src 'unsafe-inline'",
    ],
    [
      "should leave 'unsafe-inline' when removing 'strict-dynamic'",
      "script-src 'unsafe-inline' 'strict-dynamic'",
      "script-src 'unsafe-inline'",
    ],
    [
      'should drop the directives that were introduced in CSP3',
      "manifest-src 'self'; worker-src; report-to https://example.com; script-src 'self'",
      "script-src 'self'",
    ],
  ];

  for (const [title, csp3Policy, expectedCsp2Policy] of cases) {
    it(title, () => {
      expect(csp3Policy, 'to come out as', expectedCsp2Policy);
    });
  }
});