"use strict";
// CommonJS interop shim emitted by the TypeScript compiler: lets callers read
// `.default` uniformly whether the required module was ES or plain CommonJS.
// An existing shim on `this` is reused when one is present.
var __importDefault = (this && this.__importDefault) || function (mod) {
    if (mod && mod.__esModule) {
        return mod;
    }
    return { "default": mod };
};
var camelize_1 = __importDefault(require("camelize"));
var content_security_policy_builder_1 = __importDefault(require("content-security-policy-builder"));
var bowser_1 = __importDefault(require("bowser"));
var is_function_1 = __importDefault(require("./lib/is-function"));
var check_options_1 = __importDefault(require("./lib/check-options"));
var contains_function_1 = __importDefault(require("./lib/contains-function"));
var get_header_keys_for_browser_1 = __importDefault(require("./lib/get-header-keys-for-browser"));
var transform_directives_for_browser_1 = __importDefault(require("./lib/transform-directives-for-browser"));
var parse_dynamic_directives_1 = __importDefault(require("./lib/parse-dynamic-directives"));
var config_1 = __importDefault(require("./lib/config"));
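/**
 * Build a Content-Security-Policy middleware.
 *
 * @param {object} options - Validated by ./lib/check-options (throws on bad input).
 * @param {object} [options.directives] - CSP directives; keys are camelized here.
 *   A directive value may be a function, in which case it is evaluated per
 *   request (see ./lib/contains-function and ./lib/parse-dynamic-directives).
 * @param {boolean} [options.browserSniff=true] - When not explicitly `false`,
 *   the request's User-Agent is parsed to pick header names and transform
 *   directives for that browser.
 * @param {boolean} [options.setAllHeaders] - Emit every header name in
 *   ./lib/config `allHeaders` instead of a browser-specific subset.
 * @param {boolean|function} [options.reportOnly] - Either a flag or a
 *   `(req, res) => boolean` predicate; when truthy the `-Report-Only` header
 *   variant is set instead of the enforcing one.
 * @returns {function(req, res, next): void} Express-style middleware.
 */
module.exports = function csp(options) {
    check_options_1.default(options);
    var originalDirectives = camelize_1.default(options.directives || {});
    var directivesAreDynamic = contains_function_1.default(originalDirectives);
    var shouldBrowserSniff = options.browserSniff !== false;

    // Resolve `options.reportOnly` once per request. Previously the sniffing
    // branch re-evaluated the predicate for every header key, so a predicate
    // with side effects or a changing result could leave the same response
    // with one enforcing and one report-only header.
    function isReportOnly(req, res) {
        if (is_function_1.default(options.reportOnly)) {
            return Boolean(options.reportOnly(req, res));
        }
        return Boolean(options.reportOnly);
    }

    // Set the policy under each header name, with the report-only suffix
    // applied uniformly to all of them.
    function setPolicyHeaders(res, headerKeys, policyString, reportOnly) {
        var suffix = reportOnly ? '-Report-Only' : '';
        headerKeys.forEach(function (headerKey) {
            res.setHeader(headerKey + suffix, policyString);
        });
    }

    if (shouldBrowserSniff) {
        return function csp(req, res, next) {
            // Attacker-controlled input: it only influences which header names
            // are chosen and how directives are transformed via the helpers
            // below; a missing User-Agent falls back to emitting all headers.
            var userAgent = req.headers['user-agent'];
            var browser = userAgent ? bowser_1.default.getParser(userAgent) : undefined;
            var headerKeys;
            if (options.setAllHeaders || !userAgent) {
                headerKeys = config_1.default.allHeaders;
            } else {
                headerKeys = get_header_keys_for_browser_1.default(browser, options);
            }
            // Nothing to set for this browser: pass through without a policy.
            if (headerKeys.length === 0) {
                next();
                return;
            }
            var directives = transform_directives_for_browser_1.default(browser, originalDirectives);
            if (directivesAreDynamic) {
                directives = parse_dynamic_directives_1.default(directives, [req, res]);
            }
            var policyString = content_security_policy_builder_1.default({ directives: directives });
            setPolicyHeaders(res, headerKeys, policyString, isReportOnly(req, res));
            next();
        };
    }

    // No sniffing: header names are fixed for the lifetime of the middleware.
    var staticHeaderKeys = options.setAllHeaders ? config_1.default.allHeaders : ['Content-Security-Policy'];
    return function csp(req, res, next) {
        // NOTE(review): this path runs the dynamic-directive pass even when no
        // directive is a function; kept as-is because the helper's behaviour on
        // static values is defined in ./lib and not visible here.
        var directives = parse_dynamic_directives_1.default(originalDirectives, [req, res]);
        var policyString = content_security_policy_builder_1.default({ directives: directives });
        setPolicyHeaders(res, staticHeaderKeys, policyString, isReportOnly(req, res));
        next();
    };
};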