mirror of
https://github.com/honojs/hono.git
synced 2024-11-28 00:26:24 +01:00
fix(secure-headers): optimize getPermissionsPolicyDirectives function (#3398)
This commit is contained in:
parent
c2b0de42a0
commit
3c4d4c2b59
@ -160,7 +160,7 @@ describe('Secure Headers Middleware', () => {
|
||||
expect(res.headers.get('X-XSS-Protection')).toEqual('1')
|
||||
})
|
||||
|
||||
it('should set Permission-Policy header', async () => {
|
||||
it('should set Permission-Policy header correctly', async () => {
|
||||
const app = new Hono()
|
||||
app.use(
|
||||
'/test',
|
||||
@ -173,13 +173,20 @@ describe('Secure Headers Middleware', () => {
|
||||
camera: false,
|
||||
microphone: true,
|
||||
geolocation: ['*'],
|
||||
usb: ['self', 'https://a.example.com', 'https://b.example.com'],
|
||||
accelerometer: ['https://*.example.com'],
|
||||
gyroscope: ['src'],
|
||||
magnetometer: ['https://a.example.com', 'https://b.example.com'],
|
||||
},
|
||||
})
|
||||
)
|
||||
|
||||
const res = await app.request('/test')
|
||||
expect(res.headers.get('Permissions-Policy')).toEqual(
|
||||
'fullscreen=(self), bluetooth=(none), payment=(self example.com), sync-xhr=(), camera=none, microphone=(), geolocation=(*)'
|
||||
'fullscreen=(self), bluetooth=none, payment=(self "example.com"), sync-xhr=(), camera=none, microphone=*, ' +
|
||||
'geolocation=*, usb=(self "https://a.example.com" "https://b.example.com"), ' +
|
||||
'accelerometer=("https://*.example.com"), gyroscope=(src), ' +
|
||||
'magnetometer=("https://a.example.com" "https://b.example.com")'
|
||||
)
|
||||
})
|
||||
it('CSP Setting', async () => {
|
||||
|
@ -278,12 +278,18 @@ function getPermissionsPolicyDirectives(policy: PermissionsPolicyOptions): strin
|
||||
const kebabDirective = camelToKebab(directive)
|
||||
|
||||
if (typeof value === 'boolean') {
|
||||
return `${kebabDirective}=${value ? '()' : 'none'}`
|
||||
return `${kebabDirective}=${value ? '*' : 'none'}`
|
||||
}
|
||||
|
||||
if (Array.isArray(value)) {
|
||||
const allowlist = value.length === 0 ? '()' : `(${value.join(' ')})`
|
||||
return `${kebabDirective}=${allowlist}`
|
||||
if (value.length === 0) {
|
||||
return `${kebabDirective}=()`
|
||||
}
|
||||
if (value.length === 1 && (value[0] === '*' || value[0] === 'none')) {
|
||||
return `${kebabDirective}=${value[0]}`
|
||||
}
|
||||
const allowlist = value.map((item) => (['self', 'src'].includes(item) ? item : `"${item}"`))
|
||||
return `${kebabDirective}=(${allowlist.join(' ')})`
|
||||
}
|
||||
|
||||
return ''
|
||||
|
Loading…
Reference in New Issue
Block a user