From 8fbf53d08c9d5f9228c100ab37065bb4c433832f Mon Sep 17 00:00:00 2001
From: Tian Pan
Date: Sat, 31 Oct 2020 00:20:12 -0700
Subject: [PATCH] cleanup csp
---
 packages/web-server/src/middleware/csp/csp.js | 11 ++---------
 .../src/middleware/csp/filterEffectiveAttr.js | 4 +---
 .../web-server/src/middleware/csp/repareKeyWords.js | 2 +-
 packages/web-server/src/middleware/middleware.ts | 5 ++---
 packages/web-server/tsconfig.json | 3 ++-
 5 files changed, 8 insertions(+), 17 deletions(-)
diff --git a/packages/web-server/src/middleware/csp/csp.js b/packages/web-server/src/middleware/csp/csp.js
index d9ce95e4..60ce6dee 100644
--- a/packages/web-server/src/middleware/csp/csp.js
+++ b/packages/web-server/src/middleware/csp/csp.js
@@ -3,18 +3,11 @@ import filterEffectiveAttr, { effectiveAttr } from "./filterEffectiveAttr";
 import repareKeyWords from "./repareKeyWords";
 import * as log from "./log";
-/**
- * @desc 生成一条策略的字符串
- *
- * @return {String} 'default-src self'
- */
 function generateSubPolicyStr(policy) {
 return policy.map(repareKeyWords).join(" ");
 }
-// 默认配置-只允许该域名下内容
 const defaultParams = {
- // 是否显示警告信息
 enableWarn: true,
 policy: {
 "default-src": ["self"],
@@ -34,9 +27,9 @@ function validatorPolicy(policy) {
 }
 /**
- * @desc 设置响应头 Content-Security-Policy
+ * @desc Content-Security-Policy
 *
- * @param customPolicy {Object} 自定义安全策略 exp. { 'img-src': ['self'] };
+ * @param customPolicy {Object} exp. { 'img-src': ['self'] };
 */
 export default function ({ enableWarn = true, policy = {} } = defaultParams) {
 return async (ctx, next) => {
diff --git a/packages/web-server/src/middleware/csp/filterEffectiveAttr.js b/packages/web-server/src/middleware/csp/filterEffectiveAttr.js
index c492b328..602a9cdf 100644
--- a/packages/web-server/src/middleware/csp/filterEffectiveAttr.js
+++ b/packages/web-server/src/middleware/csp/filterEffectiveAttr.js
@@ -1,4 +1,3 @@
-// 有效的安全策略命名
 export const effectiveAttr = [
 "default-src",
 "child-src",
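Review bot: The JSDoc on `generateSubPolicyStr` and both comments on `defaultParams` go without any replacement in this hunk, while the commit's other hunks translate theirs, so the exported defaults lose their only explanation; the same happens to the comment removed above `effectiveAttr` in the filterEffectiveAttr.js hunk. I would keep translated versions: `/** Joins one [directive, ...sources] entry into a header fragment, quoting keywords, e.g. "default-src 'self'" */` above the function (the old example `'default-src self'` lacked the quotes that `repareKeyWords` adds), `// default policy: only allow content from the page's own origin` above `defaultParams`, and a one-liner on `enableWarn` saying what it toggles — it looks like the `./log` warnings, but that use is outside the hunk. The `[directive, ...sources]` shape is taken from the return example in filterEffectiveAttr.js; confirm it is what `generateSubPolicyStr` actually receives.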
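Review bot: The rewritten ` * @desc Content-Security-Policy` no longer says what the function does, and `@param customPolicy` documents an argument that does not exist — the signature on the line below destructures `{ enableWarn = true, policy = {} }`. I would write ` * @desc Sets the Content-Security-Policy response header.` with ` * @param options.enableWarn {Boolean} default true` and ` * @param options.policy {Object} exp. { 'img-src': ['self'] }`. Also worth a sentence in that doc: `= defaultParams` only applies when the argument is omitted entirely, so a caller passing `{ enableWarn: false }` gets `policy = {}`; whether the body still emits `default-src 'self'` in that case is outside the hunk (the returned handler continues past it), so please confirm and document it.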
@@ -16,8 +15,7 @@ export const effectiveAttr = [
 ];
 /**
- * @desc 过滤无效安全策略并格式化
- * 有效策略命名参照 effectiveAttr
+ * @desc filter invalid policies and format them
 *
 * @return {Array} exp. [['default-src', 'self'], ['img-src', 'self']]
 */
diff --git a/packages/web-server/src/middleware/csp/repareKeyWords.js b/packages/web-server/src/middleware/csp/repareKeyWords.js
index 38727d41..978e0996 100644
--- a/packages/web-server/src/middleware/csp/repareKeyWords.js
+++ b/packages/web-server/src/middleware/csp/repareKeyWords.js
@@ -1,6 +1,6 @@
 const keyWords = ["none", "self", "unsafe-inline", "unsafe-eval"];
-// 修复字符串self的书写问题 "self" => "'self'"
+// convert "self" => "'self'"
 export default function (str) {
 return keyWords.includes(str) ? `'${str}'` : str;
 }
diff --git a/packages/web-server/src/middleware/middleware.ts b/packages/web-server/src/middleware/middleware.ts
index 5f75d1ad..0f07145c 100644
--- a/packages/web-server/src/middleware/middleware.ts
+++ b/packages/web-server/src/middleware/middleware.ts
@@ -5,14 +5,14 @@ import { isoReactRenderMiddleware } from "../iso-react-render/iso-react-render-m
 import { Server } from "../server";
 import { Context, Middleware, Next } from "../types";
 import { cookieSessionMiddleware } from "./cookie-session-middleware";
-// @ts-ignore
-import csp from "./csp/csp";
 import { csrfMiddleware, isPrefixMatched } from "./csrf-middleware";
 import { initI18nMiddleware } from "./i18n-middleware";
 import { staticServe } from "./static-serve";
 import { uncaughtErrorMiddleware } from "./uncaught-error-middleware";
 import { viewBaseState } from "./view-base-state";
+const csp = require("./csp/csp");
+
 export function initMiddleware(server: Server): void {
 server.use(uncaughtErrorMiddleware(server));
@@ -38,7 +38,6 @@ export function initMiddleware(server: Server): void {
 // security headers
 const { noSecurityHeadersRoutes } = server.config.server;
- // @ts-ignore
 server.use(
 htmlOnlyMiddleware({
 postFunc: async (ctx: Context, _: Next) => {
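Review bot: The translated ` * @desc filter invalid policies and format them` drops the old comment's pointer to `effectiveAttr` as the list of accepted directive names, which is the one thing a caller needs to know about what gets discarded. I would write ` * @desc Keeps only directives whose names appear in effectiveAttr and formats them`. The function this documents begins below the hunk, so I have not checked whether dropped directives are reported.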
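Review bot: `// convert "self" => "'self'"` describes one of four cases: the body below quotes any entry of `keyWords` (`none`, `self`, `unsafe-inline`, `unsafe-eval`) and returns every other value, including an already-quoted `'self'` or a host source, unchanged. I would write `// CSP keyword sources must be single-quoted in the header: "self" => "'self'" (see keyWords); other values pass through as-is`. The module name still reads `repareKeyWords`; if "repair" is meant, a rename is a separate change since csp.js imports it under that name.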
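Review bot: `const csp = require("./csp/csp");` may not yield the middleware factory: csp.js exports it with `export default` (visible in the csp.js hunk), and under a CommonJS transform that binding lands on `.default` unless the build rewrites `module.exports`, so the call site would see an object rather than a function at runtime — please check what the build emits. Even when it resolves, `require` is typed `any` under `types: ["node"]`, which is presumably why the `// @ts-ignore` above `server.use(` in the second hunk can go; the type error is silenced rather than fixed, and the file now mixes `require` with its ES `import`s. I would keep `import csp from "./csp/csp";` and add a sibling `csp.d.ts` next to csp.js: `export default function csp(options?: { enableWarn?: boolean; policy?: Record<string, string[]> }): Middleware;` with `Middleware` imported from `../../types` (the option names come from the signature in the csp.js hunk). If the `require` has to stay, `const csp = require("./csp/csp").default;` at least matches the ESM source, with the same caveat about the build.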
diff --git a/packages/web-server/tsconfig.json b/packages/web-server/tsconfig.json
index 0722e2d6..58fc71ca 100644
--- a/packages/web-server/tsconfig.json
+++ b/packages/web-server/tsconfig.json
@@ -31,7 +31,8 @@
 // "emitDecoratorMetadata": true /* Enables experimental support for emitting type metadata for decorators. */,
 "lib": ["es7", "es6", "dom", "esnext"],
 "types": ["node"],
- "typeRoots": ["node_modules/@types", "src/types"]
+ "typeRoots": ["node_modules/@types", "src/types"],
+ "skipLibCheck": true
 },
 "include": ["src/**/*.ts", "src/**/*.tsx"],
 "exclude": ["node_modules/**"],
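Review bot: `"skipLibCheck": true` stops type-checking every `.d.ts`, including the project's own declarations under `src/types` that the `typeRoots` entry on the previous line points at, so a broken local declaration file will no longer fail the build; the commit message does not say which package's typings prompted it. This file already explains its options with `/* ... */` comments, so I would record the reason inline: `"skipLibCheck": true /* <PACKAGE-PLACEHOLDER>: its bundled typings do not compile; note that src/types is no longer checked either */`. If the breakage is in a single dependency, a version pin or a local stub for that package under `src/types` may keep checking on for everything else — worth trying before the blanket switch.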