@elliemae/pui-cli 8.40.0 → 8.40.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/cjs/server/csp.js +34 -19
  2. package/dist/esm/server/csp.js +34 -19
  3. package/dist/types/tsconfig.tsbuildinfo +1 -1
  4. package/package.json +4 -4
package/dist/cjs/server/csp.js CHANGED
@@ -36,11 +36,12 @@ var import_node_fs = __toESM(require("node:fs"), 1);
36
36
  var import_node_path = __toESM(require("node:path"), 1);
37
37
  var import_crypto = __toESM(require("crypto"), 1);
38
38
  var import_express = __toESM(require("express"), 1);
39
- var import_helmet_csp = __toESM(require("helmet-csp"), 1);
39
+ var import_helmet = __toESM(require("helmet"), 1);
40
40
  const CSP_REPORT_URI = "/diagnostics/v1/csp";
41
41
  const sources = [
42
42
  "'self'",
43
43
  "http://localhost:*",
44
+ "https://localhost:*",
44
45
  "ws://localhost:*",
45
46
  "*.ice.com",
46
47
  "*.elliemae.io",
@@ -76,30 +77,44 @@ const getScriptSrc = () => {
76
77
  };
77
78
  const csp = (app) => {
78
79
  app.use((req, res, next) => {
79
- res.locals.cspNonce = import_crypto.default.randomBytes(16).toString("hex");
80
+ res.locals.cspNonce = import_crypto.default.randomBytes(32).toString("hex");
80
81
  next();
81
82
  });
82
83
  app.use(
83
- (0, import_helmet_csp.default)({
84
- directives: {
85
- defaultSrc: ["'self'"],
86
- baseUri: ["'self'"],
87
- blockAllMixedContent: [],
88
- connectSrc: sources,
89
- fontSrc: sources.concat(["data:"]),
90
- frameAncestors: sources,
91
- imgSrc: sources.concat(["data:"]),
92
- objectSrc: ["'none'"],
93
- scriptSrc: getScriptSrc(),
94
- scriptSrcAttr: ["'none'"],
95
- styleSrc: sources.concat(["'unsafe-inline'"]),
96
- upgradeInsecureRequests: [],
97
- reportUri: CSP_REPORT_URI
84
+ (0, import_helmet.default)({
85
+ contentSecurityPolicy: {
86
+ directives: {
87
+ baseUri: ["'self'"],
88
+ connectSrc: sources,
89
+ defaultSrc: ["'self'"],
90
+ fontSrc: sources.concat(["data:"]),
91
+ formAction: ["'self'"],
92
+ frameAncestors: sources,
93
+ frameSrc: sources,
94
+ imgSrc: sources.concat(["data:"]),
95
+ objectSrc: ["'none'"],
96
+ scriptSrc: getScriptSrc(),
97
+ scriptSrcAttr: ["'none'"],
98
+ styleSrc: sources.concat(["'unsafe-inline'"]),
99
+ workerSrc: sources,
100
+ upgradeInsecureRequests: [],
101
+ reportUri: CSP_REPORT_URI,
102
+ reportTo: CSP_REPORT_URI
103
+ },
104
+ reportOnly: true
98
105
  },
99
- reportOnly: true
106
+ xFrameOptions: false,
107
+ xPermittedCrossDomainPolicies: false,
108
+ xDownloadOptions: false,
109
+ xXssProtection: false
110
+ })
111
+ );
112
+ app.use(
113
+ CSP_REPORT_URI,
114
+ import_express.default.json({
115
+ type: ["application/csp-report", "application/reports+json"]
100
116
  })
101
117
  );
102
- app.use(CSP_REPORT_URI, import_express.default.json({ type: "application/csp-report" }));
103
118
  app.use(CSP_REPORT_URI, (req, res) => {
104
119
  console.log("CSP Violation: ", req.body);
105
120
  res.status(204).end();
package/dist/esm/server/csp.js CHANGED
@@ -2,11 +2,12 @@ import fs from "node:fs";
2
2
  import path from "node:path";
3
3
  import crypto from "crypto";
4
4
  import express from "express";
5
- import cspPolicy from "helmet-csp";
5
+ import helmet from "helmet";
6
6
  const CSP_REPORT_URI = "/diagnostics/v1/csp";
7
7
  const sources = [
8
8
  "'self'",
9
9
  "http://localhost:*",
10
+ "https://localhost:*",
10
11
  "ws://localhost:*",
11
12
  "*.ice.com",
12
13
  "*.elliemae.io",
@@ -42,30 +43,44 @@ const getScriptSrc = () => {
42
43
  };
43
44
  const csp = (app) => {
44
45
  app.use((req, res, next) => {
45
- res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
46
+ res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
46
47
  next();
47
48
  });
48
49
  app.use(
49
- cspPolicy({
50
- directives: {
51
- defaultSrc: ["'self'"],
52
- baseUri: ["'self'"],
53
- blockAllMixedContent: [],
54
- connectSrc: sources,
55
- fontSrc: sources.concat(["data:"]),
56
- frameAncestors: sources,
57
- imgSrc: sources.concat(["data:"]),
58
- objectSrc: ["'none'"],
59
- scriptSrc: getScriptSrc(),
60
- scriptSrcAttr: ["'none'"],
61
- styleSrc: sources.concat(["'unsafe-inline'"]),
62
- upgradeInsecureRequests: [],
63
- reportUri: CSP_REPORT_URI
50
+ helmet({
51
+ contentSecurityPolicy: {
52
+ directives: {
53
+ baseUri: ["'self'"],
54
+ connectSrc: sources,
55
+ defaultSrc: ["'self'"],
56
+ fontSrc: sources.concat(["data:"]),
57
+ formAction: ["'self'"],
58
+ frameAncestors: sources,
59
+ frameSrc: sources,
60
+ imgSrc: sources.concat(["data:"]),
61
+ objectSrc: ["'none'"],
62
+ scriptSrc: getScriptSrc(),
63
+ scriptSrcAttr: ["'none'"],
64
+ styleSrc: sources.concat(["'unsafe-inline'"]),
65
+ workerSrc: sources,
66
+ upgradeInsecureRequests: [],
67
+ reportUri: CSP_REPORT_URI,
68
+ reportTo: CSP_REPORT_URI
69
+ },
70
+ reportOnly: true
64
71
  },
65
- reportOnly: true
72
+ xFrameOptions: false,
73
+ xPermittedCrossDomainPolicies: false,
74
+ xDownloadOptions: false,
75
+ xXssProtection: false
76
+ })
77
+ );
78
+ app.use(
79
+ CSP_REPORT_URI,
80
+ express.json({
81
+ type: ["application/csp-report", "application/reports+json"]
66
82
  })
67
83
  );
68
- app.use(CSP_REPORT_URI, express.json({ type: "application/csp-report" }));
69
84
  app.use(CSP_REPORT_URI, (req, res) => {
70
85
  console.log("CSP Violation: ", req.body);
71
86
  res.status(204).end();