var camelize = require('camelize')
var cspBuilder = require('content-security-policy-builder')
var platform = require('platform')
var containsFunction = require('./lib/contains-function')
var getHeaderKeysForBrowser = require('./lib/get-header-keys-for-browser')
var transformDirectivesForBrowser = require('./lib/transform-directives-for-browser')
var parseDynamicDirectives = require('./lib/parse-dynamic-directives')
var ALL_HEADERS = require('./lib/all-headers')
/**
 * Build a Content-Security-Policy middleware from `options`.
 *
 * @param {Object} [options]
 * @param {Object} [options.directives] - policy directives. Names are run
 *   through `camelize`, and the report-only check below looks for the
 *   camelized `reportUri` key. Values may be functions of `(req, res)`;
 *   such "dynamic" directives are resolved per request via
 *   `parseDynamicDirectives`.
 * @param {boolean} [options.reportOnly] - send `*-Report-Only` header names
 *   instead of enforcing ones. Requires a `reportUri` directive, otherwise
 *   violation reports would have nowhere to go.
 * @param {boolean} [options.setAllHeaders] - set every header name in
 *   ALL_HEADERS (see ./lib/all-headers) instead of only the ones chosen for
 *   the requesting browser.
 * @param {boolean} [options.browserSniff=true] - when true (the default),
 *   the client-supplied User-Agent decides which header names are set and
 *   lets `transformDirectivesForBrowser` adapt the directives. Pass `false`
 *   to ignore the User-Agent entirely and always send
 *   `Content-Security-Policy` (or all headers) built from the directives as
 *   given.
 * @returns {Function} Express-style middleware `(req, res, next)`.
 * @throws {Error} if `reportOnly` is set without a `reportUri` directive.
 */
module.exports = function csp (options) {
  var opts = options || {}
  var baseDirectives = camelize(opts.directives || {})
  var hasDynamicDirectives = containsFunction(baseDirectives)
  var sniffBrowser = opts.browserSniff !== false

  // Report-only mode without a report-uri is a configuration mistake:
  // nothing would be enforced and nothing would be reported.
  if (opts.reportOnly && !baseDirectives.reportUri) {
    throw new Error('Please remove reportOnly or add a report-uri.')
  }

  // Header name to emit for a given base name, depending on enforcement mode.
  function headerNameFor (key) {
    return opts.reportOnly ? key + '-Report-Only' : key
  }

  if (!sniffBrowser) {
    // Without sniffing the header set never varies, so resolve it once here.
    var staticKeys = (opts.setAllHeaders ? ALL_HEADERS : ['Content-Security-Policy'])
      .map(headerNameFor)

    return function csp (req, res, next) {
      // Dynamic directives are resolved against this request before building.
      var resolved = parseDynamicDirectives(baseDirectives, [req, res])
      var policy = cspBuilder({ directives: resolved })
      for (var i = 0; i < staticKeys.length; i++) {
        res.setHeader(staticKeys[i], policy)
      }
      next()
    }
  }

  return function csp (req, res, next) {
    // The User-Agent is attacker-controllable input; it only influences
    // which header names are used and how directives are adapted, and a
    // missing one falls back to sending every header name.
    var userAgent = req.headers['user-agent']
    var browser = userAgent ? platform.parse(userAgent) : {}
    var keys = (opts.setAllHeaders || !userAgent)
      ? ALL_HEADERS
      : getHeaderKeysForBrowser(browser, opts)

    // No applicable header for this browser: pass through untouched.
    if (keys.length === 0) {
      next()
      return
    }

    var directives = transformDirectivesForBrowser(browser, baseDirectives)
    if (hasDynamicDirectives) {
      directives = parseDynamicDirectives(directives, [req, res])
    }
    var policy = cspBuilder({ directives: directives })
    for (var j = 0; j < keys.length; j++) {
      res.setHeader(headerNameFor(keys[j]), policy)
    }
    next()
  }
}