Add Server Option to Send SAP's Target CSPs by default
When option cspDefaults:true is given, the server now sends two policies for *.html files, both in report-only mode:
- sap-target-level-1, which forbids inline scripts and only allows sources from self
- sap-target-level-2, which additionally forbids 'eval'

Each policy is sent with its own 'Content-Security-Policy-Report-Only' header. This might look uncommon, but simplifies automated validation of the violation reports that are sent by the browser. Browsers don't consistently report blocked-uri or source-file, but the original-policy is reported consistently.

middleware/csp.js:
- allow to define and send a 2nd default policy
- skip execution for file types other than *.html and for HTTP methods other than POST and GET
- use native capabilities of the express request object instead of parsing URLs with NodeJS means
- when using the URL parameter, the shorter suffix ":ro" can now be used to activate the report-only mode

server.js
- add boolean server option 'cspDefaults' (default false)
- enrich csp middleware configuration accordingly when option is set

test/
- enhance for the new features
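The behaviour the commit message describes, as an added illustration that is not the project's own middleware/csp.js: an Express-style middleware that, only when cspDefaults is true and only for GET/POST requests to *.html paths, emits one Content-Security-Policy-Report-Only header per policy, plus a helper that maps a browser violation report back to the policy name by comparing original-policy rather than the unreliable blocked-uri or source-file fields. The directive strings, the report-uri endpoint, the function names and the sample report are all constructed assumptions derived from the description above, not SAP's actual target-level policies.

```javascript
// Added example, not the project's code. Policy directives are constructed
// from the commit description and are assumptions, not SAP's real policies:
// level 1 restricts sources to 'self' and, by omitting 'unsafe-inline',
// forbids inline scripts but still tolerates eval; level 2 also drops
// 'unsafe-eval'.
const DEFAULT_POLICIES = {
  'sap-target-level-1': "default-src 'self'; script-src 'self' 'unsafe-eval'",
  'sap-target-level-2': "default-src 'self'; script-src 'self'",
};

// Decide which report-only header values a request should receive.
// Returns [] when the middleware must not act (option off, non-HTML, other verb).
function buildReportOnlyHeaders(req, options) {
  const opts = Object.assign({ cspDefaults: false, reportUri: '/csp-report' }, options);
  if (!opts.cspDefaults) return [];
  if (req.method !== 'GET' && req.method !== 'POST') return [];
  // req.path is Express's native, query-free path, so no URL parsing is needed.
  if (!req.path.toLowerCase().endsWith('.html')) return [];
  // A report-only policy only produces reports if it names a report-uri
  // (assumed endpoint; a real deployment points it at its collector).
  return Object.values(DEFAULT_POLICIES).map((p) => `${p}; report-uri ${opts.reportUri}`);
}

// Middleware factory. Passing an array to setHeader makes Node emit one
// Content-Security-Policy-Report-Only line per policy instead of joining them,
// which is what lets each violation report carry a distinguishable original-policy.
function cspDefaultsMiddleware(options) {
  return function (req, res, next) {
    const values = buildReportOnlyHeaders(req, options);
    if (values.length > 0) {
      res.setHeader('Content-Security-Policy-Report-Only', values);
    }
    next();
  };
}

// Map a violation report to the named policy that generated it. Browsers echo
// the full policy string in original-policy, so after stripping the report-uri
// suffix an exact comparison against the constructed directives suffices.
function classifyReport(report) {
  const body = (report && report['csp-report']) || {};
  const original = body['original-policy'] || '';
  const sent = original.replace(/;\s*report-uri\s+\S+\s*$/, '').trim();
  for (const [name, policy] of Object.entries(DEFAULT_POLICIES)) {
    if (sent === policy) return name;
  }
  return null;
}

// Constructed sample report, shaped like the JSON a browser POSTs to report-uri
// after an eval() call is blocked by the level-2 policy.
const SAMPLE_REPORT = {
  'csp-report': {
    'document-uri': 'http://localhost:8080/index.html',
    'violated-directive': 'script-src',
    'blocked-uri': 'eval',
    'original-policy': "default-src 'self'; script-src 'self'; report-uri /csp-report",
  },
};

// Stand-alone usage: classifyReport(SAMPLE_REPORT) yields 'sap-target-level-2'.
```

Because the two policies differ only in 'unsafe-eval', a report classified as level 2 but not level 1 pinpoints eval usage without relying on blocked-uri, which is exactly the property the commit message relies on for automated validation.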
1 parent aa57198, commit 9c0a37d. Showing 4 changed files with 357 additions and 71 deletions.