forked from helmetjs/feature-policy
-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathindex.ts
107 lines (90 loc) · 3.33 KB
/
index.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
import { IncomingMessage, ServerResponse } from "http";
interface PermissionsPolicyOptions {
features: Record<string, string[]>;
}
const reserveredKeywords = new Set(["self", "src", "*", "none"]);
function isPlainObject(value: unknown): value is Record<string, unknown> {
return typeof value === "object" && !Array.isArray(value) && value !== null;
}
function isQuoted(value: string) {
return /^".*"$/.test(value);
}
const dashify = (str: string): string =>
str.replace(/[A-Z]/g, (capitalLetter) => "-" + capitalLetter.toLowerCase());
function getHeaderValueFromOptions(options: unknown): string {
if (!isPlainObject(options)) {
throw new Error(
"permissionsPolicy must be called with an object argument. See the documentation."
);
}
const { features } = options;
if (!isPlainObject(features)) {
throw new Error(
'permissionsPolicy must have a single key, "features", which is an object of features. See the documentation.'
);
}
const result = Object.entries(features)
.map(([featureKeyCamelCase, featureValue]) => {
if (!Array.isArray(featureValue)) {
throw new Error(
`The value of the "${featureKeyCamelCase}" feature must be array of strings.`
);
}
const allowedValuesSeen: Set<string> = new Set();
featureValue.forEach((allowedValue) => {
if (typeof allowedValue !== "string") {
throw new Error(
`The value of the "${featureKeyCamelCase}" feature contains a non-string, which is not supported.`
);
} else if (allowedValuesSeen.has(allowedValue)) {
throw new Error(
`The value of the "${featureKeyCamelCase}" feature contains duplicates, which it shouldn't.`
);
} else if (allowedValue === "'self'") {
throw new Error("self must not be quoted.");
} else if (allowedValue === "'none'") {
throw new Error("none must not be quoted.");
} else if (allowedValue === "'src'") {
throw new Error("src must not be quoted.");
} else if (
!reserveredKeywords.has(allowedValue) &&
!isQuoted(allowedValue)
) {
throw new Error("values beside reserved keywords must be quoted.");
}
allowedValuesSeen.add(allowedValue);
});
if (featureValue.length > 1) {
if (allowedValuesSeen.has("*")) {
throw new Error(
`The value of the "${featureKeyCamelCase}" feature cannot contain * and other values.`
);
} else if (allowedValuesSeen.has("'none'")) {
throw new Error(
`The value of the "${featureKeyCamelCase}" feature cannot contain 'none' and other values.`
);
}
}
const featureKeyDashed = dashify(featureKeyCamelCase);
const featureValuesUnion = featureValue.join(" ");
return `${featureKeyDashed}=(${featureValuesUnion})`;
})
.join(", ");
if (result.length === 0) {
throw new Error("At least one feature is required.");
}
return result;
}
export = function permissionsPolicy(
options: Readonly<PermissionsPolicyOptions>
) {
const headerValue = getHeaderValueFromOptions(options);
return function permissionsPolicy(
_req: IncomingMessage,
res: ServerResponse,
next: () => void
) {
res.setHeader("Permissions-Policy", headerValue);
next();
};
};