Inicio Explorar Axuda
Iniciar sesión
Lawsun
/
ysjj-system
1
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: d230cfbce0
Ramas Etiquetas
ysjj-system
/
node_modules
/
egg-security
/
lib
/
middlewares
/
csp.js

csp.js 1.8 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. 'use strict';
    2. 

  2. 

  3. const extend = require('extend');
    4. 

  4. const platform = require('platform');
    5. 

  5. const utils = require('../utils');
    6. 

  6. 

  7. const HEADER = [
    8. 

  8.   'x-content-security-policy',
    9. 

  9.   'content-security-policy',
    10. 

  10. ];
    11. 

  11. const REPORT_ONLY_HEADER = [
    12. 

  12.   'x-content-security-policy-report-only',
    13. 

  13.   'content-security-policy-report-only',
    14. 

  14. ];
    15. 

  15. 

  16. module.exports = options => {
    17. 

  17.   return async function csp(ctx, next) {
    18. 

  18.     await next();
    19. 

  19. 

  20.     const opts = utils.merge(options, ctx.securityOptions.csp);
    21. 

  21.     if (utils.checkIfIgnore(opts, ctx)) return;
    22. 

  22. 

  23.     let finalHeader;
    24. 

  24.     let value;
    25. 

  25.     const matchedOption = extend(true, {}, opts.policy);
    26. 

  26.     const isIE = platform.parse(ctx.header['user-agent']).name === 'IE';
    27. 

  27.     const bufArray = [];
    28. 

  28. 

  29.     const headers = opts.reportOnly ? REPORT_ONLY_HEADER : HEADER;
    30. 

  30.     if (isIE && opts.supportIE) {
    31. 

  31.       finalHeader = headers[0];
    32. 

  32.     } else {
    33. 

  33.       finalHeader = headers[1];
    34. 

  34.     }
    35. 

  35. 

  36.     for (const key in matchedOption) {
    37. 

  37. 

  38.       value = matchedOption[key];
    39. 

  39.       value = Array.isArray(value) ? value : [ value ];
    40. 

  40. 

  41.       // Other arrays are splitted into strings EXCEPT `sandbox`
    42. 

  42.       if (key === 'sandbox' && value[0] === true) {
    43. 

  43.         bufArray.push(key);
    44. 

  44.       } else {
    45. 

  45.         if (key === 'script-src') {
    46. 

  46.           const hasNonce = value.some(function(val) {
    47. 

  47.             return val.indexOf('nonce-') !== -1;
    48. 

  48.           });
    49. 

  49. 

  50.           if (!hasNonce) {
    51. 

  51.             value.push('\'nonce-' + ctx.nonce + '\'');
    52. 

  52.           }
    53. 

  53.         }
    54. 

  54. 

  55.         value = value.map(function(d) {
    56. 

  56.           if (d.startsWith('.')) {
    57. 

  57.             d = '*' + d;
    58. 

  58.           }
    59. 

  59.           return d;
    60. 

  60.         });
    61. 

  61.         bufArray.push(key + ' ' + value.join(' '));
    62. 

  62.       }
    63. 

  63.     }
    64. 

  64.     const headerString = bufArray.join(';');
    65. 

  65.     ctx.set(finalHeader, headerString);
    66. 

  66.     ctx.set('x-csp-nonce', ctx.nonce);
    67. 

  67.   };
    68. 

  68. };
    69.