[FEATURE] CSP: Increase defaultPolicy2 to sap-target-level-3

SAP · Feb 24, 2023 · d29939c · d29939c
1 parent 8f33913
commit d29939c
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 10 deletions.
diff --git a/lib/middleware/MiddlewareManager.js b/lib/middleware/MiddlewareManager.js
@@ -184,7 +184,7 @@ class MiddlewareManager {
  const defaultSAPTargetConfig = {
  defaultPolicy: "sap-target-level-1",
  defaultPolicyIsReportOnly: true,
- defaultPolicy2: "sap-target-level-2",
+ defaultPolicy2: "sap-target-level-3",
  defaultPolicy2IsReportOnly: true,
  ignorePaths: ["test-resources/sap/ui/qunit/testrunner.html"]
  };

diff --git a/lib/server.js b/lib/server.js
@@ -99,7 +99,7 @@ async function _addSsl({app, key, cert}) {
  * @typedef {object} module:@ui5/server.SAPTargetCSPOptions
  * @property {string} [defaultPolicy="sap-target-level-1"]
  * @property {string} [defaultPolicyIsReportOnly=true]
- * @property {string} [defaultPolicy2="sap-target-level-2"]
+ * @property {string} [defaultPolicy2="sap-target-level-3"]
  * @property {string} [defaultPolicy2IsReportOnly=true]
  * @property {string[]} [ignorePaths=["test-resources/sap/ui/qunit/testrunner.html"]]
  */

diff --git a/test/lib/server/main.js b/test/lib/server/main.js
@@ -420,14 +420,14 @@ test("CSP (defaults)", async (t) => {
  t.regex(res.headers["content-security-policy-report-only"], /script-src\s+'self'\s+'unsafe-eval'\s*;/,
  "header should should have the expected content");
  }),
- request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-2").then((res) => {
+ request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-3").then((res) => {
  t.truthy(res.headers["content-security-policy"], "response should have enforcing csp header");
  t.regex(res.headers["content-security-policy"], /script-src\s+'self'\s*;/,
  "header should should have the expected content");
  t.is(res.headers["content-security-policy-report-only"], undefined,
  "response must not have report-only csp header");
  }),
- request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-2:report-only").then((res) => {
+ request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-3:report-only").then((res) => {
  t.is(res.headers["content-security-policy"], undefined,
  "response must not have enforcing csp header");
  t.truthy(res.headers["content-security-policy-report-only"],
@@ -484,8 +484,8 @@ test("CSP (sap policies)", async (t) => {
  request.get("/index.html"),
  request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-1"),
  request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-1:report-only"),
- request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-2"),
- request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-2:report-only"),
+ request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-3"),
+ request.get("/index.html?sap-ui-xx-csp-policy=sap-target-level-3:report-only"),
  request.get("/index.html?sap-ui-xx-csp-policy=default-src%20http%3a;"),
  request.get("/index.html?sap-ui-xx-csp-policy=default-src%20http%3a;:report-only"),
  request.get("/index.html?sap-ui-xx-csp-policy=default-src%20http%3a;:ro")

diff --git a/test/lib/server/middleware/MiddlewareManager.js b/test/lib/server/middleware/MiddlewareManager.js
@@ -841,7 +841,7 @@ test("addStandardMiddleware: CSP middleware configured correctly (enabled)", asy
  },
  defaultPolicy: "sap-target-level-1",
  defaultPolicyIsReportOnly: true,
- defaultPolicy2: "sap-target-level-2",
+ defaultPolicy2: "sap-target-level-3",
  defaultPolicy2IsReportOnly: true,
  ignorePaths: [
  "test-resources/sap/ui/qunit/testrunner.html",
@@ -864,7 +864,7 @@ test("addStandardMiddleware: CSP middleware configured correctly (custom)", asyn
  sendSAPTargetCSP: {
  defaultPolicy: "sap-target-level-1",
  defaultPolicyIsReportOnly: false,
- defaultPolicy2: "sap-target-level-3",
+ defaultPolicy2: "sap-target-level-2",
  defaultPolicy2IsReportOnly: true,
  ignorePaths: ["lord/tirek.html"]
  },
@@ -907,7 +907,7 @@ test("addStandardMiddleware: CSP middleware configured correctly (custom)", asyn
  },
  defaultPolicy: "sap-target-level-1",
  defaultPolicyIsReportOnly: false,
- defaultPolicy2: "sap-target-level-3",
+ defaultPolicy2: "sap-target-level-2",
  defaultPolicy2IsReportOnly: true,
  ignorePaths: [
  "lord/tirek.html",

diff --git a/test/lib/server/middleware/csp.js b/test/lib/server/middleware/csp.js
@@ -56,7 +56,7 @@ test("Default Settings", async (t) => {
  await new Promise((resolve) => {
  middleware({
  method: "GET",
- url: "/test.html?sap-ui-xx-csp-policy=sap-target-level-2",
+ url: "/test.html?sap-ui-xx-csp-policy=sap-target-level-3",
  headers: {}
  }, res, resolve);
  });