// Local imports
const crunchHeaderValue = require('./crunchHeaderValue.js')
// Policy relaxations that buildCSPHeaders merges in only when `isDev` is set.
// Presumably needed by webpack dev tooling (HMR over webpack:// URLs, eval-based
// source maps, injected <style> tags) — confirm against the build setup.
// They defeat the main XSS mitigations of CSP and must never reach production.
const devDirectives = Object.fromEntries([
  ['connect-src', ['webpack://*']],
  ['script-src', ["'unsafe-eval'"]],
  ['style-src', ["'unsafe-inline'"]],
])
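/**
 * Normalise one CSP directive value from user configuration.
 *
 * @param {string|string[]|false|undefined} value user-configured value: a single
 *   whitespace-separated string, an array of such strings, `false` to disable the
 *   directive, or `undefined`/anything else to fall back to `defaultValue`.
 * @param {string|string[]|undefined} defaultValue value(s) used when nothing usable was
 *   configured; also prepended when `mergeDefaultDirectives` is `true`.
 * @param {boolean} [mergeDefaultDirectives=false] prepend the defaults to the configured
 *   values instead of replacing them.
 * @returns {Array} `[false]` when the directive is disabled, otherwise the de-duplicated
 *   list of source expressions; `[defaultValue].flat()` when nothing usable was configured
 *   (which is `[undefined]` when no default was given either).
 */
function getCSPDirective(value, defaultValue, mergeDefaultDirectives = false) {
  // `false` is a sentinel the caller turns into "drop this directive entirely"
  if (value === false) {
    return [false]
  }
  // Split every string on whitespace so "'self' https://a" and ["'self'", "https://a"]
  // de-duplicate the same way. Non-string entries (true, numbers, objects) are ignored.
  // Empty tokens are dropped: `''.split(/\s+/)` yields `['']`, which used to leak through
  // as a directive with an empty source list instead of falling back to the default.
  const valueArray = [value].flat().reduce((accumulator, current) => {
    if (typeof current !== 'string') {
      return accumulator
    }
    const tokens = current.trim().split(/\s+/).filter((token) => token.length > 0)
    accumulator.push(...tokens)
    return accumulator
  }, [])
  // flatten default values
  const defaultValueArray = [defaultValue].flat()
  // merge values with default if required
  const mergedValueArray = mergeDefaultDirectives
    ? [...defaultValueArray, ...valueArray]
    : valueArray
  // de-duplicate merged values
  const uniqueValueArray = [...new Set(mergedValueArray)]
  // "'none'" is only meaningful on its own: "'none' 'self'" is not valid CSP, and when
  // merging with a "'none'" default the configured sources must win over it.
  const validValueArray = uniqueValueArray.length > 1
    ? uniqueValueArray.filter((v) => v !== "'none'")
    : uniqueValueArray
  // only return user configured values if present, otherwise return default
  return validValueArray.length > 0 ? validValueArray : defaultValueArray
}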
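/**
 * Build the Content-Security-Policy response headers from user configuration.
 *
 * @param {object} [options]
 * @param {object|false} [options.contentSecurityPolicy] map of directive name → value (see
 *   getCSPDirective for the accepted shapes; `false` removes a directive), plus the control
 *   keys `mergeDefaultDirectives` (extend the built-in defaults instead of replacing them),
 *   `reportOnly` (emit the `-Report-Only` header variants) and `report-uri` / `report-to`.
 *   `false` disables CSP altogether.
 * @param {boolean} [options.isDev] merge the `devDirectives` relaxations ('unsafe-eval',
 *   'unsafe-inline', webpack://) into the policy. Must be falsy for production builds.
 * @returns {Array<{key: string, value: string}>} one entry per header name, all carrying the
 *   same serialised policy; `[]` when CSP is disabled.
 */
module.exports = function buildCSPHeaders(options = {}) {
  const { contentSecurityPolicy = {}, isDev } = options
  if (contentSecurityPolicy === false) {
    return []
  }
  // the destructuring default only covers `undefined`; tolerate an explicit `null` too
  const csp = contentSecurityPolicy || {}
  // anything other than boolean `true` means `false`
  const mergeDefaultDirectives = csp.mergeDefaultDirectives === true
  const directive = (name, defaultValue) =>
    getCSPDirective(csp[name], defaultValue, mergeDefaultDirectives)
  // Secure-by-default baseline: same-origin for the fetch directives, nothing at all for
  // the injection-prone ones (base-uri, object-src, child/frame sources, framing by others).
  // Each entry can be overridden, extended (mergeDefaultDirectives) or removed (`false`).
  const directives = {
    'base-uri': directive('base-uri', "'none'"),
    'child-src': directive('child-src', "'none'"),
    'connect-src': directive('connect-src', "'self'"),
    'default-src': directive('default-src', "'self'"),
    'font-src': directive('font-src', "'self'"),
    'form-action': directive('form-action', "'self'"),
    'frame-ancestors': directive('frame-ancestors', "'none'"),
    'frame-src': directive('frame-src', "'none'"),
    'img-src': directive('img-src', "'self'"),
    'manifest-src': directive('manifest-src', "'self'"),
    'media-src': directive('media-src', "'self'"),
    'object-src': directive('object-src', "'none'"),
    'script-src': directive('script-src', "'self'"),
    'style-src': directive('style-src', "'self'"),
    'worker-src': directive('worker-src', "'self'"),
  }
  // directives without a built-in default: only emitted when configured
  const optionalDirectives = [
    'block-all-mixed-content',
    'plugin-types',
    'navigate-to',
    'require-sri-for',
    'require-trusted-types-for',
    'sandbox',
    'script-src-attr',
    'script-src-elem',
    'style-src-attr',
    'style-src-elem',
    'trusted-types',
    'upgrade-insecure-requests',
  ]
  optionalDirectives.forEach((name) => {
    if (csp[name]) {
      // no default here, so a value-less directive configured as `true` comes back as
      // `[undefined]`; serialising that without a value is left to crunchHeaderValue
      directives[name] = getCSPDirective(csp[name])
    }
  })
  // `report-uri` takes URLs while `report-to` takes a Reporting-Endpoints group name, so
  // each directive is fed from its own option first; it falls back to the other option only
  // to keep working for configurations that set a single one. A bare group name copied into
  // `report-uri` is resolved as a relative URL, so set both explicitly when using report-to.
  const reportUri = csp['report-uri']
  const reportTo = csp['report-to']
  if (reportUri || reportTo) {
    directives['report-uri'] = getCSPDirective(reportUri || reportTo)
    directives['report-to'] = getCSPDirective(reportTo || reportUri)
  }
  // `false` removes a directive (including one of the defaults) entirely
  Object.entries(csp).forEach(([key, value]) => {
    if (value === false) {
      delete directives[key]
    }
  })
  // development relaxations go in last, so they are applied even to a directive that was
  // removed above; this deliberately weakens the policy and is gated on `isDev` only
  if (isDev) {
    Object.entries(devDirectives).forEach(([key, value]) => {
      directives[key] = directives[key]
        ? [...new Set(directives[key].concat(value))]
        : [...value]
    })
  }
  const cspString = crunchHeaderValue(directives)
  // all header variants must carry the same enforce/report-only mode: a report-only policy
  // must not be delivered as an enforcing one under a legacy prefixed name
  const suffix = csp.reportOnly ? '-Report-Only' : ''
  const cspHeaderNames = [
    `Content-Security-Policy${suffix}`,
    `X-Content-Security-Policy${suffix}`,
    `X-WebKit-CSP${suffix}`,
  ]
  return cspHeaderNames.map((headerName) => ({
    key: headerName,
    value: cspString,
  }))
}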