@blamejs/blamejs-shop 0.3.13 → 0.3.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/security-middleware.js +28 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.3.x
|
|
10
10
|
|
|
11
|
+
- v0.3.14 (2026-05-30) — **Drop the inert Document-Policy header that only produced browser warnings.** Container-rendered pages were sending a Document-Policy response header whose feature tokens (document-write, unsized-media, oversized-images) are no longer recognized by current browsers — so it enforced nothing while making the browser log a warning for each token on every page. The header is now omitted; every other security header (Content-Security-Policy, Permissions-Policy, HSTS, X-Frame-Options, the COOP/CORP set, and the rest) is unchanged. The edge and container paths now agree — neither sends Document-Policy — closing a header-parity gap. **Fixed:** *No more Document-Policy console warnings* — The Document-Policy header is no longer emitted on container-rendered pages. Its tokens were rejected by current browsers (the policy applied nothing and logged a warning per token on every page), so the header is dropped rather than shipped inert; the full set of other security headers is retained unchanged. Edge and container responses are now consistent.
|
|
12
|
+
|
|
11
13
|
- v0.3.13 (2026-05-30) — **Updated runtime hardens the storage and audit layers; admin error pages no longer show raw database text.** The vendored blamejs runtime is updated to v0.14.7, which tightens the data and audit layers the shop is built on: database queries are checked against each table's declared columns (a reference to an undeclared column fails closed), the database encryption key is bound to its deployment so a copied key can't be unsealed elsewhere, raw SQL fragments refuse embedded string literals so values bind through placeholders, audit-chain purges can require two authorizers, and breach-notification deadlines raise a running clock. Separately, when an admin form action fails the console now shows a short generic message with the correct status instead of rendering a raw database or parser string into its error banner. No operator action is required. **Changed:** *Vendored runtime updated to v0.14.7 (storage + audit hardening)* — The underlying runtime now checks every database query against the table's declared columns and fails closed on an undeclared reference, binds the database encryption key to its data directory and key path so a relocated key won't unseal, refuses embedded string literals in raw SQL fragments, supports two-authorizer dual control on audit-chain purges, can compute sealed-column lookup hashes as a keyed MAC, and ships a running clock for breach-notification deadlines. The shop inherits these protections; no configuration change is needed. **Fixed:** *Console error banners show a safe message, not internal text* — Every admin HTML form handler now routes a thrown error through one shared classifier: a duplicate key becomes a 409 "That value is already in use.", a missing referenced record a generic not-found, malformed input a generic "Invalid input.", and an unexpected failure a generic message whose detail is recorded server-side rather than shown. Operator-facing validation messages are unchanged. This closes the path where a create form could render a raw database constraint string into its error banner, matching the API behavior the bearer path already had.
|
|
12
14
|
|
|
13
15
|
- v0.3.12 (2026-05-30) — **Currency and outbound-host validation consolidated behind one shared check.** Input validation that was duplicated across the codebase is now a single shared module. Currency codes are validated against the ISO 4217 catalog consistently wherever the admin binds money — the same check the gift-card flow gained last release — and the outbound webhook host guard (refusing loopback, private, link-local, reserved, and cloud-metadata destinations, including trailing-dot forms) is one shared function used by both the delivery and registration paths. The shared module composes the framework's Unicode codepoint catalog so free-text fields can reject control, bidi-override, and zero-width characters when needed. Behavior is equal-or-stricter than before; no operator action is required. **Changed:** *Currency validation is consistently ISO 4217* — Admin paths that bind a currency now validate it against the ISO 4217 catalog in one place, so a code that isn't a real currency is rejected consistently rather than only in some flows. · *Outbound-host SSRF guard is a single shared check* — The webhook delivery and registration paths now share one host guard — loopback, private (RFC 1918), link-local, reserved, and cloud-metadata addresses (by IP literal or known name, including trailing-dot forms) are refused identically on both, so the two can't drift apart.
|
package/lib/asset-manifest.json
CHANGED
|
@@ -142,6 +142,33 @@ function clientKey(req) {
|
|
|
142
142
|
return sock || "unknown";
|
|
143
143
|
}
|
|
144
144
|
|
|
145
|
+
/**
|
|
146
|
+
* Build the security-headers options for createApp's
|
|
147
|
+
* `middleware.securityHeaders`. The vendored blamejs default emits a
|
|
148
|
+
* `Document-Policy` header asserting `document-write=?0`,
|
|
149
|
+
* `unsized-media=?0`, and `oversized-images=?0`. Current Chromium
|
|
150
|
+
* recognizes none of those three feature names — it parses the header,
|
|
151
|
+
* rejects every token, logs "Unrecognized document policy feature name
|
|
152
|
+
* <x>" to the console, and applies nothing. The header is therefore
|
|
153
|
+
* inert: it adds console noise on every container response while
|
|
154
|
+
* enforcing no policy. (The recognized Document-Policy feature set today
|
|
155
|
+
* is `force-load-at-top` / `js-profiling` /
|
|
156
|
+
* `include-js-call-stacks-in-crash-reports` / `expect-no-linked-resources`
|
|
157
|
+
* / `network-efficiency-guardrails` — none of which is a control this
|
|
158
|
+
* storefront needs to assert.) We have no valid, useful Document-Policy
|
|
159
|
+
* to send, so disable the header rather than ship one the browser
|
|
160
|
+
* rejects. This also matches the edge: the Worker's `_SECURITY_HEADERS`
|
|
161
|
+
* set (worker/index.js) emits no Document-Policy, so suppressing it on
|
|
162
|
+
* the container makes the two substrates header-consistent. Every other
|
|
163
|
+
* vendored default (HSTS, CSP, Permissions-Policy, COOP/CORP, X-Frame-
|
|
164
|
+
* Options, etc.) stays ON. Pass-through to the framework primitive — we
|
|
165
|
+
* compose its `documentPolicy: false` override, never patch the vendored
|
|
166
|
+
* tree.
|
|
167
|
+
*/
|
|
168
|
+
function securityHeadersOpts() {
|
|
169
|
+
return { documentPolicy: false };
|
|
170
|
+
}
|
|
171
|
+
|
|
145
172
|
/**
|
|
146
173
|
* Build the GLOBAL rate-limit options for createApp's
|
|
147
174
|
* `middleware.rateLimit`. Token-bucket so a bursty-but-bounded browsing
|
|
@@ -282,6 +309,7 @@ function mountRouteGuards(r) {
|
|
|
282
309
|
|
|
283
310
|
module.exports = {
|
|
284
311
|
clientKey: clientKey,
|
|
312
|
+
securityHeadersOpts: securityHeadersOpts,
|
|
285
313
|
globalRateLimitOpts: globalRateLimitOpts,
|
|
286
314
|
mountRouteGuards: mountRouteGuards,
|
|
287
315
|
WEBHOOK_PATHS: WEBHOOK_PATHS,
|
package/package.json
CHANGED