From c53525ca4bb5825d241d0f137ce3912d681e6548 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20O=C3=9Fwald?= <1410947+matz3@users.noreply.github.com>
Date: Mon, 27 Apr 2020 09:46:30 +0200
Subject: [PATCH] [FIX] CSP Middleware: Use native res.getHeader/setHeader methods (#312)
Using getHeader/setHeader instead of the express methods get/set to allow using the middleware with a different server framework or as a native Node.js server handler. This also aligns the code with the other middleware which already use getHeader/setHeader.
---
 lib/middleware/csp.js | 8 ++++----
 test/lib/server/middleware/csp.js | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/lib/middleware/csp.js b/lib/middleware/csp.js
index d5a3ac91..541a3094 100644
--- a/lib/middleware/csp.js
+++ b/lib/middleware/csp.js
@@ -6,13 +6,13 @@ const HEADER_CONTENT_SECURITY_POLICY_REPORT_ONLY = "Content-Security-Policy-Repo
 const rPolicy = /^([-_a-zA-Z0-9]+)(:report-only|:ro)?$/i;
 function addHeader(res, header, value) {
- const current = res.get(header);
+ const current = res.getHeader(header);
 if ( current == null ) {
- res.set(header, value);
+ res.setHeader(header, value);
 } else if ( Array.isArray(current) ) {
- res.set(header, [...current, value]);
+ res.setHeader(header, [...current, value]);
 } else {
- res.set(header, [current, value]);
+ res.setHeader(header, [current, value]);
 }
 }
diff --git a/test/lib/server/middleware/csp.js b/test/lib/server/middleware/csp.js
index 086774c4..9c1786ef 100644
--- a/test/lib/server/middleware/csp.js
+++ b/test/lib/server/middleware/csp.js
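Review bot: `addHeader` in lib/middleware/csp.js has no comment stating what it requires of `res` or why it appends to an existing header instead of overwriting it. After this change the only requirement is Node's `getHeader`/`setHeader` pair, and because an existing value is kept and the new one added, the response can carry several Content-Security-Policy fields; browsers enforce every policy they receive, so a policy set earlier in the chain is not replaced or loosened here. A short comment above the function would record both points, for example `// res needs only Node's getHeader/setHeader; an existing value is kept and the new policy is added as a further header field`. The whole function is visible in the hunk.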
@@ -5,10 +5,10 @@ test("Default Settings", (t) => {
 t.plan(3 + 7); // fourth request should end in middleware and not call next!
 const middleware = cspMiddleware("sap-ui-xx-csp-policy", {});
 const res = {
- get: function() {
+ getHeader: function() {
 return undefined;
 },
- set: function(header, value) {
+ setHeader: function(header, value) {
 t.fail(`should not be called with header ${header} and value ${value}`);
 }
 };
@@ -54,10 +54,10 @@ test("Custom Settings", (t) => {
 });
 let expected;
 const res = {
- get: function() {
+ getHeader: function() {
 return undefined;
 },
- set: function(header, value) {
+ setHeader: function(header, value) {
 if ( header.toLowerCase() === "content-security-policy" ) {
 t.is(value, expected.shift(), "should have the expected value");
 } else {
@@ -92,10 +92,10 @@ test("No Dynamic Policy Definition", (t) => {
 allowDynamicPolicyDefinition: false
 });
 const res = {
- get: function() {
+ getHeader: function() {
 return undefined;
 },
- set: function(header, value) {
+ setHeader: function(header, value) {
 if ( header.toLowerCase() === "content-security-policy" ) {
 t.is(value, expected.shift(), "should have the expected value");
 } else {
@@ -124,10 +124,10 @@ test("Header Manipulation", (t) => {
 });
 let cspHeader = "default-src: spdy:";
 const res = {
- get: function() {
+ getHeader: function() {
 return cspHeader;
 },
- set: function(header, value) {
+ setHeader: function(header, value) {
 if ( header.toLowerCase() === "content-security-policy" ) {
 cspHeader = value;
 } else {
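Review bot: In the "Header Manipulation" hunk the `getHeader` stub ignores its argument and returns `cspHeader` for every header name, so the test cannot tell whether the middleware read the enforcing header or `Content-Security-Policy-Report-Only` before merging. Checking the name, e.g. `getHeader: function(header) { return header.toLowerCase() === "content-security-policy" ? cspHeader : undefined; }`, would keep the stub closer to Node's `res.getHeader(name)` and mirror the check already made in `setHeader`. The `else` branch of the `setHeader` stub continues outside the hunk, so how other header names are handled there is not visible.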