node_modules/helmet-csp/index.js 2.4 KB
  var camelize = require('camelize')
  var cspBuilder = require('content-security-policy-builder')
  var platform = require('platform')
  var containsFunction = require('./lib/contains-function')
  var getHeaderKeysForBrowser = require('./lib/get-header-keys-for-browser')
  var transformDirectivesForBrowser = require('./lib/transform-directives-for-browser')
  var parseDynamicDirectives = require('./lib/parse-dynamic-directives')
  var ALL_HEADERS = require('./lib/all-headers')
  
  /**
   * Build a Content-Security-Policy middleware.
   *
   * @param {Object} [options]
   * @param {Object} [options.directives] - policy directives; keys may be
   *   dashed or camelCased (they are camelized here). Values may be functions,
   *   in which case they are evaluated per request with `(req, res)`.
   * @param {boolean} [options.browserSniff=true] - when not explicitly `false`,
   *   the request's User-Agent is parsed to decide which header names to set and
   *   how the directives are rewritten for that browser.
   * @param {boolean} [options.setAllHeaders] - set every known CSP header name
   *   instead of the browser-specific subset.
   * @param {boolean} [options.reportOnly] - emit `*-Report-Only` header variants.
   * @returns {Function} Express/Connect-style `(req, res, next)` middleware.
   * @throws {Error} when `reportOnly` is requested without a `report-uri`
   *   directive, since a report-only policy without a report target is a no-op.
   */
  module.exports = function csp (options) {
    options = options || {}

    // Camelizing lets `report-uri` and `reportUri` both be found as `reportUri`.
    var baseDirectives = camelize(options.directives || {})
    var hasDynamicDirectives = containsFunction(baseDirectives)
    var sniffBrowser = options.browserSniff !== false

    if (options.reportOnly && !baseDirectives.reportUri) {
      throw new Error('Please remove reportOnly or add a report-uri.')
    }

    function withReportOnlySuffix (headerKey) {
      return headerKey + '-Report-Only'
    }

    if (!sniffBrowser) {
      // Without sniffing the header names are fixed at construction time.
      var staticHeaderKeys = options.setAllHeaders ? ALL_HEADERS : ['Content-Security-Policy']
      if (options.reportOnly) {
        staticHeaderKeys = staticHeaderKeys.map(withReportOnlySuffix)
      }

      return function csp (req, res, next) {
        // Dynamic directive values (functions) are resolved per request.
        var policyString = cspBuilder({
          directives: parseDynamicDirectives(baseDirectives, [req, res])
        })
        staticHeaderKeys.forEach(function (headerKey) {
          res.setHeader(headerKey, policyString)
        })
        next()
      }
    }

    return function csp (req, res, next) {
      // The User-Agent is client-supplied; it only selects which header names
      // are set and how directives are rewritten for the detected browser.
      var userAgent = req.headers['user-agent']
      var browser = userAgent ? platform.parse(userAgent) : {}

      // With no User-Agent there is nothing to target, so every header is set.
      var headerKeys = (options.setAllHeaders || !userAgent)
        ? ALL_HEADERS
        : getHeaderKeysForBrowser(browser, options)

      if (headerKeys.length === 0) {
        next()
        return
      }

      var directives = transformDirectivesForBrowser(browser, baseDirectives)
      if (hasDynamicDirectives) {
        directives = parseDynamicDirectives(directives, [req, res])
      }
      var policyString = cspBuilder({ directives: directives })

      headerKeys.forEach(function (headerKey) {
        var name = options.reportOnly ? withReportOnlySuffix(headerKey) : headerKey
        res.setHeader(name, policyString)
      })
      next()
    }
  }