getDefaultDirectives should do a deep copy
See [#463] and [#465].

[#463]: #463
[#465]: #465
sohrb authored and EvanHahn committed Jun 1, 2024
1 parent 8d493c9 commit e8707b4
Showing 2 changed files with 11 additions and 1 deletion.
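--- a/middlewares/content-security-policy/index.ts
+++ b/middlewares/content-security-policy/index.ts
@@ -68,7 +68,7 @@ const SHOULD_BE_QUOTED: ReadonlySet<string> = new Set([
 "wasm-unsafe-eval",
 ]);
 
-const getDefaultDirectives = () => ({ ...DEFAULT_DIRECTIVES });
+const getDefaultDirectives = () => structuredClone(DEFAULT_DIRECTIVES);
 
 const dashify = (str: string): string =>
 str.replace(/[A-Z]/g, (capitalLetter) => "-" + capitalLetter.toLowerCase());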
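Review bot: `structuredClone` on the new `getDefaultDirectives` line is a runtime global that exists only in Node 17 and later, so if the package's supported engine range (not visible on this page) includes older runtimes, the call throws a ReferenceError the first time the defaults are requested. The deep copy is what keeps one caller's in-place edit of a directive array (for example pushing a source onto `img-src`) from loosening the default policy for every later caller in the same process, so that isolation must survive any fallback. If older runtimes have to be supported, a dependency-free copy such as `Object.fromEntries(Object.entries(DEFAULT_DIRECTIVES).map(([name, values]) => [name, [...values]]))` gives the same isolation, assuming every default value is an iterable of strings. A short comment above the line, `// Deep copy: callers may mutate the returned arrays; that must never alter the shared defaults.`, would keep a later refactor from reverting to a shallow spread.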
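--- a/test/content-security-policy.test.ts
+++ b/test/content-security-policy.test.ts
@@ -581,4 +581,14 @@ describe("getDefaultDirectives", () => {
 contentSecurityPolicy.getDefaultDirectives,
 );
 });
+
+it("returns a new copy each time", () => {
+const one = getDefaultDirectives();
+one["worker-src"] = ["ignored.example"];
+(one["img-src"] as Array<string>).push("ignored.example");
+
+const two = getDefaultDirectives();
+expect(two).not.toHaveProperty("worker-src");
+expect(two["img-src"]).not.toContain("ignored.example");
+});
 });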
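Review bot: The new test mutates only `img-src`, so a copy that cloned some directive arrays but still shared others would pass. Checking identity for every directive closes that gap, e.g. after obtaining `one` and `two`, `for (const name of Object.keys(one)) expect(two[name]).not.toBe(one[name]);`. Separately, if the copy ever regresses to shallow, the `push` on `one["img-src"]` would write `ignored.example` into the shared defaults and leak into later tests in this file, so the failure could show up far from its cause. The enclosing `describe` block starts outside the hunk.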
