
cleanup csp
puncsky committed Oct 31, 2020
1 parent c0e648c commit 8fbf53d
Showing 5 changed files with 8 additions and 17 deletions.
11 changes: 2 additions & 9 deletions packages/web-server/src/middleware/csp/csp.js
Expand Up @@ -3,18 +3,11 @@ import filterEffectiveAttr, { effectiveAttr } from "./filterEffectiveAttr";
import repareKeyWords from "./repareKeyWords";
import * as log from "./log";

/**
* @desc 生成一条策略的字符串
*
* @return {String} 'default-src self'
*/
function generateSubPolicyStr(policy) {
return policy.map(repareKeyWords).join(" ");
}

// 默认配置-只允许该域名下内容
const defaultParams = {
// 是否显示警告信息
enableWarn: true,
policy: {
"default-src": ["self"],
Expand All @@ -34,9 +27,9 @@ function validatorPolicy(policy) {
}

/**
* @desc 设置响应头 Content-Security-Policy
* @desc Content-Security-Policy
*
* @param customPolicy {Object} 自定义安全策略 exp. { 'img-src': ['self'] };
* @param customPolicy {Object} exp. { 'img-src': ['self'] };
*/
export default function ({ enableWarn = true, policy = {} } = defaultParams) {
return async (ctx, next) => {
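Review bot: The docblock above `generateSubPolicyStr` (old lines 20–24) and the two comments on `defaultParams` are removed outright instead of being translated, so the helper and the `enableWarn` default now carry no documentation, and the second hunk's `@desc Content-Security-Policy` no longer says what the middleware does. The removed text said it sets the Content-Security-Policy response header; suggest `* @desc Sets the Content-Security-Policy response header built from \`policy\`` in the second hunk. For the helper, `// Build one directive string; keywords are quoted by repareKeyWords, e.g. ["default-src", "self"] -> "default-src 'self'"` is grounded in its `map(repareKeyWords).join(" ")` body, and `// enableWarn: whether rejected policy entries are reported (presumably via ./log — confirm)` restores the dropped note on the default. The middleware body that follows the `return async (ctx, next) =>` line continues outside the hunk.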
@@ -1,4 +1,3 @@
// 有效的安全策略命名
export const effectiveAttr = [
"default-src",
"child-src",
Expand All @@ -16,8 +15,7 @@ export const effectiveAttr = [
];

/**
* @desc 过滤无效安全策略并格式化
* 有效策略命名参照 effectiveAttr
* @desc filter invalid policies and format them
*
* @return {Array} exp. [['default-src', 'self'], ['img-src', 'self']]
*/
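Review bot: The comment above `effectiveAttr` (old `// 有效的安全策略命名`, "valid policy directive names") is dropped rather than translated, and the new `@desc` also loses the old second line that pointed readers to `effectiveAttr` as the accepted set. Since this array is the allowlist the filter applies (per the `@desc`, invalid policies are filtered out), a misspelled directive is silently removed and the emitted header is weaker than the author configured, which the documentation should state. Suggest `// CSP directive names accepted by filterEffectiveAttr; anything not listed here is dropped` above the array, and adding ` * Unknown directive names are dropped (see effectiveAttr); presumably the enableWarn flag in csp.js controls whether that is reported — confirm.` to the docblock. The array body and the function itself continue outside the hunk.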
2 changes: 1 addition & 1 deletion packages/web-server/src/middleware/csp/repareKeyWords.js
@@ -1,6 +1,6 @@
const keyWords = ["none", "self", "unsafe-inline", "unsafe-eval"];

// 修复字符串self的书写问题 "self" => "'self'"
// convert "self" => "'self'"
export default function (str) {
return keyWords.includes(str) ? `'${str}'` : str;
}
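Review bot: `keyWords` on the context line covers only four of the CSP keyword sources that must be single-quoted; `'strict-dynamic'`, `'unsafe-hashes'`, `'report-sample'` and `'wasm-unsafe-eval'` (and the `'nonce-…'` / `'sha256-…'` source forms) pass through unquoted, and an unquoted keyword is not recognised as the keyword by browsers, so the directive silently does not do what was configured. Suggest extending the list: `const keyWords = ["none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic", "unsafe-hashes", "report-sample", "wasm-unsafe-eval"];` and widening the new comment to `// quote CSP keyword sources, e.g. "self" => "'self'"; an unquoted keyword is not honoured by browsers`. Nonce and hash sources would need a prefix check rather than the exact `includes` match, which this note leaves to a follow-up.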
5 changes: 2 additions & 3 deletions packages/web-server/src/middleware/middleware.ts
Expand Up @@ -5,14 +5,14 @@ import { isoReactRenderMiddleware } from "../iso-react-render/iso-react-render-m
import { Server } from "../server";
import { Context, Middleware, Next } from "../types";
import { cookieSessionMiddleware } from "./cookie-session-middleware";
// @ts-ignore
import csp from "./csp/csp";
import { csrfMiddleware, isPrefixMatched } from "./csrf-middleware";
import { initI18nMiddleware } from "./i18n-middleware";
import { staticServe } from "./static-serve";
import { uncaughtErrorMiddleware } from "./uncaught-error-middleware";
import { viewBaseState } from "./view-base-state";

const csp = require("./csp/csp");

export function initMiddleware(server: Server): void {
server.use(uncaughtErrorMiddleware(server));

Expand All @@ -38,7 +38,6 @@ export function initMiddleware(server: Server): void {

// security headers
const { noSecurityHeadersRoutes } = server.config.server;
// @ts-ignore
server.use(
htmlOnlyMiddleware({
postFunc: async (ctx: Context, _: Next) => {
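Review bot: Whichever side of the first hunk `const csp = require("./csp/csp");` lands on, the csp middleware is still brought in untyped — a `require` in an ES-module file, or the `// @ts-ignore`d `import csp from "./csp/csp"` — so the options object handed to `csp(...)` and its use in `server.use(...)` are unchecked, which is what the `// @ts-ignore` removed in the second hunk (old line 98) was papering over. A one-line declaration next to csp.js (or under the `src/types` typeRoot that tsconfig.json already lists) would keep the import typed: `export default function csp(opts?: { enableWarn?: boolean; policy?: Record<string, string[]> }): Middleware;`, using the `Middleware` type already imported from `../types`. The option names come from csp.js's `{ enableWarn = true, policy = {} }` signature; the value type of `policy` is inferred from its default `["self"]` entries and should be confirmed. Both hunks cut `initMiddleware`'s body, which continues outside them.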
3 changes: 2 additions & 1 deletion packages/web-server/tsconfig.json
Expand Up @@ -31,7 +31,8 @@
// "emitDecoratorMetadata": true /* Enables experimental support for emitting type metadata for decorators. */,
"lib": ["es7", "es6", "dom", "esnext"],
"types": ["node"],
"typeRoots": ["node_modules/@types", "src/types"]
"typeRoots": ["node_modules/@types", "src/types"],
"skipLibCheck": true
},
"include": ["src/**/*.ts", "src/**/*.tsx"],
"exclude": ["node_modules/**"],
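Review bot: `"skipLibCheck": true` turns off type-checking for every `.d.ts` file, which includes the hand-written declarations under the `src/types` typeRoot listed two lines above it, so a wrong declaration there will no longer be reported. If the flag was added to silence one library's declaration error, it is a broader lever than needed, and the project's own declarations now rely on review alone. At minimum record the trade-off next to it, matching the comment style the file already uses on the `emitDecoratorMetadata` line: `"skipLibCheck": true /* also skips the .d.ts files under src/types — keep those declarations reviewed */`.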
