Added the X-Xss-Protection header

marekdedic · Jun 5, 2024 · e3e9bc6 · e3e9bc6
1 parent fc45832
commit e3e9bc6
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/src/headers.ts b/src/headers.ts
@@ -10,12 +10,17 @@ import {
   buildXContentTypeOptionsValue,
   type XContentTypeOptionsSpec,
 } from "./headers/XContentTypeOptions";
+import {
+  buildXXssProtectionValue,
+  type XXssProtectionSpec,
+} from "./headers/XXssProtection";
 
 /* eslint-disable @typescript-eslint/naming-convention -- These are header names */
 interface HeaderValueSpecMap {
   "Referrer-Policy": ReferrerPolicySpec;
   "Strict-Transport-Security": StrictTransportSecuritySpec;
   "X-Content-Type-Options": XContentTypeOptionsSpec;
+  "X-Xss-Protection": XXssProtectionSpec;
 }
 /* eslint-enable */
 
@@ -64,6 +69,8 @@ function buildHeaderValue<
       return buildStrictTransportSecurityValue(value);
     case "X-Content-Type-Options":
       return buildXContentTypeOptionsValue();
+    case "X-Xss-Protection":
+      return buildXXssProtectionValue(value);
   }
   throw new Error('Unknown header type "' + header + '".');
 }

diff --git a/src/headers/XXssProtection.ts b/src/headers/XXssProtection.ts
@@ -0,0 +1,27 @@
+export type XXssProtectionSpec =
+  | {
+      mode: "block";
+    }
+  | {
+      mode: "disabled";
+    }
+  | {
+      mode: "sanitize";
+    }
+  | {
+      mode: "sanitize+report";
+      reportUri: string;
+    };
+
+export function buildXXssProtectionValue(spec: XXssProtectionSpec): string {
+  switch (spec.mode) {
+    case "block":
+      return "1; mode=block";
+    case "disabled":
+      return "0";
+    case "sanitize":
+      return "1";
+    case "sanitize+report":
+      return '"1; report=' + spec.reportUri.replaceAll('"', '\\"') + '"';
+  }
+}