

Merge pull request #3 from dgrippisc/add-worker-src-blob
Add worker-src and blob:
erdtman committed Jun 12, 2018
2 parents a5df2b9 + 173197f commit 7803af4
Showing 2 changed files with 6 additions and 1 deletion.
5 changes: 4 additions & 1 deletion lib/index.js
Expand Up @@ -28,14 +28,15 @@
* @option font-src, Defines valid sources of fonts.
* @option connect-src, Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed the browser emulates a 400 HTTP status code.
* @option child-src, Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe> (CSP2).
* @option worker-src, Defines valid sources that can be loaded within a Worker, SharedWorker, or ServiceWorker (CSP3).
* @option form-action, Defines valid sources that can be used as a HTML <form> action (CSP2).
* @option frame-ancestors, Defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet>. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY (CSP2).
* @option plugin-types, Defines valid MIME types for plugins invoked via <object> and <embed>. To load an <applet> you must specify application/x-java-applet (CSP2).
*
*/
module.exports.getCSP = function (options) {
const header = options['report-only'] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
const srcs = ['report-uri', 'sandbox', 'default-src', 'script-src', 'object-src', 'style-src', 'img-src', 'media-src', 'frame-src', 'font-src', 'connect-src', 'child-src', 'form-action', 'frame-ancestors', 'plugin-types'];
const srcs = ['report-uri', 'sandbox', 'default-src', 'script-src', 'object-src', 'style-src', 'img-src', 'media-src', 'frame-src', 'font-src', 'connect-src', 'child-src', 'worker-src', 'form-action', 'frame-ancestors', 'plugin-types'];
let compiled = '';
srcs.forEach(src => {
const directive = getDirective(options, src);
Expand Down Expand Up @@ -70,6 +71,8 @@ module.exports.SRC_USAFE_INLINE = '\'unsafe-inline\'';
module.exports.SRC_UNSAFE_EVAL = '\'unsafe-eval\'';
/** Allows loading resources via the data scheme (e.g. Base64 encoded images). */
module.exports.SRC_DATA = 'data:';
/** Allows loading resources via a blob. */
module.exports.SRC_BLOB = 'blob:';
/** Wildcard, allows anything. */
module.exports.SRC_ANY = '*';
/** Allows loading resources only over HTTPS on any domain. */
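Review bot: The new `@option worker-src` line at the top of the first hunk documents the directive but not what happens when it is omitted: CSP3 user agents fall back from worker-src to child-src, then script-src, then default-src, while CSP2 browsers do not know the directive at all and keep using child-src for workers, so a caller who sets only worker-src has not locked down workers on older engines. Suggest extending it to `* @option worker-src, Defines valid sources that can be loaded within a Worker, SharedWorker, or ServiceWorker (CSP3). Falls back to child-src, then script-src, then default-src when absent; CSP2 browsers ignore it and apply child-src.` The one-line comment on the new `SRC_BLOB` constant in the second hunk could likewise state that `blob:` is a scheme-source which, when granted to script-src or worker-src, lets any script already running on the page mint and execute new code through URL.createObjectURL, which is why it is normally given to a single narrow directive rather than default-src; e.g. `/** Allows loading resources from blob: URLs (scheme-source); broad when granted to script-src/worker-src. */`. getCSP's body continues past the end of the first hunk.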
2 changes: 2 additions & 0 deletions test/index.js
Expand Up @@ -64,6 +64,7 @@ test('All policies', t => {
'connect-src': 'abc',
'child-src': 'def',
'form-action': 'ghi',
'worker-src': CSP.SRC_BLOB,
'frame-ancestors': [CSP.SRC_SELF, CSP.SRC_DATA],
'plugin-types': CSP.SRC_NONE
};
Expand All @@ -87,6 +88,7 @@ test('All policies', t => {
t.true(result.value.indexOf('connect-src abc') > -1, 'connect-src');
t.true(result.value.indexOf('child-src def') > -1, 'child-src');
t.true(result.value.indexOf('form-action ghi') > -1, 'form-action');
t.true(result.value.indexOf('worker-src blob:') > -1, 'worker-src');
t.true(result.value.indexOf('frame-ancestors \'self\' data:') > -1, 'frame-ancestors');
t.true(result.value.indexOf('plugin-types \'none\'') > -1, 'plugin-types');
});

