Add src-worker and blob: #3

merged 1 commit into from Jun 12, 2018
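--- a/lib/index.js
+++ b/lib/index.js
@@ -28,14 +28,15 @@
 * @option font-src, Defines valid sources of fonts.
 * @option connect-src, Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed the browser emulates a 400 HTTP status code.
 * @option child-src, Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe> (CSP2).
+* @option worker-src, Defines valid sources that can be loaded within a Worker, SharedWorker, or ServiceWorker (CSP3).
 * @option form-action, Defines valid sources that can be used as a HTML <form> action (CSP2).
 * @option frame-ancestors, Defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet>. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY (CSP2).
 * @option plugin-types, Defines valid MIME types for plugins invoked via <object> and <embed>. To load an <applet> you must specify application/x-java-applet (CSP2).
 *
 */
 module.exports.getCSP = function (options) {
 const header = options['report-only'] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
-const srcs = ['report-uri', 'sandbox', 'default-src', 'script-src', 'object-src', 'style-src', 'img-src', 'media-src', 'frame-src', 'font-src', 'connect-src', 'child-src', 'form-action', 'frame-ancestors', 'plugin-types'];
+const srcs = ['report-uri', 'sandbox', 'default-src', 'script-src', 'object-src', 'style-src', 'img-src', 'media-src', 'frame-src', 'font-src', 'connect-src', 'child-src', 'worker-src', 'form-action', 'frame-ancestors', 'plugin-types'];
 let compiled = '';
 srcs.forEach(src => {
 const directive = getDirective(options, src);
@@ -70,6 +71,8 @@ module.exports.SRC_USAFE_INLINE = '\'unsafe-inline\'';
 module.exports.SRC_UNSAFE_EVAL = '\'unsafe-eval\'';
 /** Allows loading resources via the data scheme (e.g. Base64 encoded images). */
 module.exports.SRC_DATA = 'data:';
+/** Allows loading resources via a blob. */
+module.exports.SRC_BLOB = 'blob:';
 /** Wildcard, allows anything. */
 module.exports.SRC_ANY = '*';
 /** Allows loading resources only over HTTPS on any domain. */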
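Review bot: The new `@option worker-src` doc line describes the directive but not its fallback chain, which is what decides whether adding it changes an existing policy: when `worker-src` is absent, CSP3 user agents fall back to `child-src`, then `script-src`, then `default-src`. A consumer who currently relies on `child-src` to govern workers will see worker loading narrowed or widened independently of `child-src` once they set this option, so the line should say so, e.g. `* @option worker-src, Defines valid sources that can be loaded within a Worker, SharedWorker, or ServiceWorker (CSP3). When omitted, browsers fall back to child-src, then script-src, then default-src.` The `SRC_BLOB` comment in the second hunk could likewise state what it grants: `/** Allows loading resources from blob: URLs, i.e. objects the page created with URL.createObjectURL(); in script-src or worker-src this permits scripts assembled at runtime, so scope it to the directives that need it. */`. The getCSP function body continues past the first hunk.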
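--- a/test/index.js
+++ b/test/index.js
@@ -64,6 +64,7 @@ test('All policies', t => {
 'connect-src': 'abc',
 'child-src': 'def',
 'form-action': 'ghi',
+'worker-src': CSP.SRC_BLOB,
 'frame-ancestors': [CSP.SRC_SELF, CSP.SRC_DATA],
 'plugin-types': CSP.SRC_NONE
 };
@@ -87,6 +88,7 @@ test('All policies', t => {
 t.true(result.value.indexOf('connect-src abc') > -1, 'connect-src');
 t.true(result.value.indexOf('child-src def') > -1, 'child-src');
 t.true(result.value.indexOf('form-action ghi') > -1, 'form-action');
+t.true(result.value.indexOf('worker-src blob:') > -1, 'worker-src');
 t.true(result.value.indexOf('frame-ancestors \'self\' data:') > -1, 'frame-ancestors');
 t.true(result.value.indexOf('plugin-types \'none\'') > -1, 'plugin-types');
 });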
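Review bot: The new assertion `t.true(result.value.indexOf('worker-src blob:') > -1, 'worker-src')` only checks for a substring, so it would still pass if the directive's value ran into whatever follows it (e.g. `worker-src blob:data:`); if getCSP terminates each directive with a `;` — its serialization is outside this hunk — asserting on `'worker-src blob:'` followed by that separator would pin the exact directive. The test also only covers the case where `worker-src` is set; since browsers fall back to `child-src` when the directive is omitted, a companion check that the header contains no `worker-src` when the option is absent would guard against the new `srcs` entry emitting an empty directive. The `test('All policies', ...)` callback starts before the first hunk.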