index.js
1.69 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
"use strict";
function parseActionOption(actionOption) {
var invalidActionErr = new Error('action must be undefined, "DENY", "ALLOW-FROM", or "SAMEORIGIN".');
if (actionOption === undefined) {
actionOption = 'SAMEORIGIN';
}
else if (actionOption instanceof String) {
actionOption = actionOption.valueOf();
}
var result;
if (typeof actionOption === 'string') {
result = actionOption.toUpperCase();
}
else {
throw invalidActionErr;
}
if (result === 'ALLOWFROM') {
result = 'ALLOW-FROM';
}
else if (result === 'SAME-ORIGIN') {
result = 'SAMEORIGIN';
}
if (['DENY', 'ALLOW-FROM', 'SAMEORIGIN'].indexOf(result) === -1) {
throw invalidActionErr;
}
return result;
}
function parseDomainOption(domainOption) {
if (domainOption instanceof String) {
domainOption = domainOption.valueOf();
}
if (typeof domainOption !== 'string') {
throw new Error('ALLOW-FROM action requires a string domain parameter.');
}
else if (!domainOption.length) {
throw new Error('domain parameter must not be empty.');
}
return domainOption;
}
function getHeaderValueFromOptions(options) {
options = options || {};
var action = parseActionOption(options.action);
if (action === 'ALLOW-FROM') {
var domain = parseDomainOption(options.domain);
return action + " " + domain;
}
else {
return action;
}
}
module.exports = function frameguard(options) {
var headerValue = getHeaderValueFromOptions(options);
return function frameguard(_req, res, next) {
res.setHeader('X-Frame-Options', headerValue);
next();
};
};