npm - @hmcts/rpx-xui-node-lib - Versions diffs - 2.30.7-2541-v2 → 2.30.7-new-csp - Mend

@hmcts/rpx-xui-node-lib 2.30.7-2541-v2 → 2.30.7-new-csp

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/common/util/contentSecurityPolicy.d.ts.map +1 -1
package/dist/common/util/contentSecurityPolicy.js +0 -2
package/dist/common/util/contentSecurityPolicy.js.map +1 -1
package/dist/common/util/csp.d.ts +9 -0
package/dist/common/util/csp.d.ts.map +1 -0
package/dist/common/util/csp.js +33 -0
package/dist/common/util/csp.js.map +1 -0
package/package.json +5 -1

package/dist/common/util/contentSecurityPolicy.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"contentSecurityPolicy.d.ts","sourceRoot":"","sources":["../../../src/common/util/contentSecurityPolicy.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe;;;;;;;;;;;;;~~CAsD3B~~,CAAA;AAED,eAAO,MAAM,wBAAwB,GAAI,QAAQ,GAAG,QAEnD,CAAA"}
1	+ {"version":3,"file":"contentSecurityPolicy.d.ts","sourceRoot":"","sources":["../../../src/common/util/contentSecurityPolicy.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe;;;;;;;;;;;;;CAoD3B,CAAA;AAED,eAAO,MAAM,wBAAwB,GAAI,QAAQ,GAAG,QAEnD,CAAA"}

package/dist/common/util/contentSecurityPolicy.js CHANGED Viewed

@@ -41,7 +41,6 @@ exports.SECURITY_POLICY = {
         mediaSrc: ["'self'"],
         scriptSrc: [
             "'self'",
-            "'unsafe-inline'",
             "'unsafe-eval'",
             'https://*.google-analytics.com',
             'https://*.googletagmanager.com',
@@ -49,7 +48,6 @@ exports.SECURITY_POLICY = {
         ],
         styleSrc: [
             "'self'",
-            "'unsafe-inline'",
             'https://fonts.googleapis.com',
             'https://fonts.gstatic.com',
             'https://www.googletagmanager.com',

package/dist/common/util/contentSecurityPolicy.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"contentSecurityPolicy.js","sourceRoot":"","sources":["../../../src/common/util/contentSecurityPolicy.ts"],"names":[],"mappings":";;;AAAa,QAAA,eAAe,GAAG;IAC3B,UAAU,EAAE;QACR,UAAU,EAAE;YACR,oBAAoB;YACpB,UAAU;YACV,8BAA8B;YAC9B,oBAAoB;YACpB,gCAAgC;YAChC,gCAAgC;YAChC,gCAAgC;YAChC,aAAa;YACb,6BAA6B;YAC7B,+CAA+C;YAC/C,gDAAgD;YAChD,oDAAoD;YACpD,gDAAgD;YAChD,gDAAgD;YAChD,2CAA2C;YAC3C,4CAA4C;YAC5C,6BAA6B;SAChC;QACD,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,OAAO,EAAE,CAAC,QAAQ,EAAE,2BAA2B,EAAE,OAAO,CAAC;QACzD,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,cAAc,EAAE,CAAC,QAAQ,CAAC;QAC1B,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,MAAM,EAAE;YACJ,QAAQ;YACR,OAAO;YACP,gCAAgC;YAChC,gCAAgC;YAChC,0CAA0C;YAC1C,kCAAkC;YAClC,0BAA0B;YAC1B,0BAA0B;YAC1B,2BAA2B;SAC9B;QACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,SAAS,EAAE;YACP,QAAQ;YACR,~~iBAAiB;YACjB,~~eAAe;YACf,gCAAgC;YAChC,gCAAgC;YAChC,wBAAwB;SAC3B;QACD,QAAQ,EAAE;YACN,QAAQ;YACR,~~iBAAiB;YACjB,~~8BAA8B;YAC9B,2BAA2B;YAC3B,kCAAkC;SACrC;KACJ;CACJ,CAAA;AAEM,MAAM,wBAAwB,GAAG,CAAC,MAAW,EAAE,EAAE;IACpD,OAAO,MAAM,CAAC,qBAAqB,CAAC,uBAAe,CAAC,CAAA;AACxD,CAAC,CAAA;AAFY,QAAA,wBAAwB,4BAEpC"}
1	+ {"version":3,"file":"contentSecurityPolicy.js","sourceRoot":"","sources":["../../../src/common/util/contentSecurityPolicy.ts"],"names":[],"mappings":";;;AAAa,QAAA,eAAe,GAAG;IAC3B,UAAU,EAAE;QACR,UAAU,EAAE;YACR,oBAAoB;YACpB,UAAU;YACV,8BAA8B;YAC9B,oBAAoB;YACpB,gCAAgC;YAChC,gCAAgC;YAChC,gCAAgC;YAChC,aAAa;YACb,6BAA6B;YAC7B,+CAA+C;YAC/C,gDAAgD;YAChD,oDAAoD;YACpD,gDAAgD;YAChD,gDAAgD;YAChD,2CAA2C;YAC3C,4CAA4C;YAC5C,6BAA6B;SAChC;QACD,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,OAAO,EAAE,CAAC,QAAQ,EAAE,2BAA2B,EAAE,OAAO,CAAC;QACzD,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,cAAc,EAAE,CAAC,QAAQ,CAAC;QAC1B,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,MAAM,EAAE;YACJ,QAAQ;YACR,OAAO;YACP,gCAAgC;YAChC,gCAAgC;YAChC,0CAA0C;YAC1C,kCAAkC;YAClC,0BAA0B;YAC1B,0BAA0B;YAC1B,2BAA2B;SAC9B;QACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,SAAS,EAAE;YACP,QAAQ;YACR,eAAe;YACf,gCAAgC;YAChC,gCAAgC;YAChC,wBAAwB;SAC3B;QACD,QAAQ,EAAE;YACN,QAAQ;YACR,8BAA8B;YAC9B,2BAA2B;YAC3B,kCAAkC;SACrC;KACJ;CACJ,CAAA;AAEM,MAAM,wBAAwB,GAAG,CAAC,MAAW,EAAE,EAAE;IACpD,OAAO,MAAM,CAAC,qBAAqB,CAAC,uBAAe,CAAC,CAAA;AACxD,CAAC,CAAA;AAFY,QAAA,wBAAwB,4BAEpC"}

package/dist/common/util/csp.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import { Request, Response, NextFunction } from 'express';
+export declare function csp({ extraScript, extraStyle, extraConnect, extraFont, extraImg }?: {
+    extraScript?: string[] | undefined;
+    extraStyle?: string[] | undefined;
+    extraConnect?: string[] | undefined;
+    extraFont?: string[] | undefined;
+    extraImg?: string[] | undefined;
+}): (req: Request, res: Response, next: NextFunction) => void;
+//# sourceMappingURL=csp.d.ts.map

package/dist/common/util/csp.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../../../src/common/util/csp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAI1D,wBAAgB,GAAG,CAAC,EAClB,WAA+E,EAC/E,UAA+E,EAC/E,YAA+E,EAC/E,SAA+E,EAC/E,QAA+E,EAChF;;;;;;CAAK,IAEF,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,YAAY,UAsBrB"}

package/dist/common/util/csp.js ADDED Viewed

@@ -0,0 +1,33 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.csp = csp;
+const helmet_1 = __importDefault(require("helmet"));
+const node_crypto_1 = __importDefault(require("node:crypto"));
+function csp(_a) {
+    var _b, _c, _d, _e, _f;
+    var { extraScript = ((_b = process.env.CSP_SCRIPT_EXTRA) !== null && _b !== void 0 ? _b : '').split(',').filter(Boolean), extraStyle = ((_c = process.env.CSP_STYLE_EXTRA) !== null && _c !== void 0 ? _c : '').split(',').filter(Boolean), extraConnect = ((_d = process.env.CSP_CONNECT_EXTRA) !== null && _d !== void 0 ? _d : '').split(',').filter(Boolean), extraFont = ((_e = process.env.CSP_FONT_EXTRA) !== null && _e !== void 0 ? _e : '').split(',').filter(Boolean), extraImg = ((_f = process.env.CSP_IMG_EXTRA) !== null && _f !== void 0 ? _f : '').split(',').filter(Boolean) } = _a === void 0 ? {} : _a;
+    return (req, res, next) => {
+        const nonce = node_crypto_1.default.randomBytes(16).toString('base64');
+        res.locals.cspNonce = nonce;
+        helmet_1.default.contentSecurityPolicy({
+            useDefaults: true,
+            directives: {
+                "default-src": ["'self'"],
+                "script-src": ["'self'", `'nonce-${nonce}'`, ...extraScript],
+                "style-src": ["'self'", `'nonce-${nonce}'`, ...extraStyle],
+                "connect-src": ["'self'", "blob:", "data:", ...extraConnect],
+                "img-src": ["'self'", "data:", ...extraImg],
+                "font-src": ["'self'", "data:", "https://fonts.gstatic.com", ...extraFont],
+                "object-src": ["'none'"],
+                "frame-src": ["'self'"],
+                "frame-ancestors": ["'self'"],
+                "form-action": ["'none'"]
+            },
+            reportOnly: process.env.CSP_REPORT_ONLY === 'true'
+        })(req, res, next);
+    };
+}
+//# sourceMappingURL=csp.js.map

package/dist/common/util/csp.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"csp.js","sourceRoot":"","sources":["../../../src/common/util/csp.ts"],"names":[],"mappings":";;;;;AAIA,kBAgCC;AAnCD,oDAA4B;AAC5B,8DAAiC;AAEjC,SAAgB,GAAG,CAAC,EAMd;;QANc,EAClB,WAAW,GAAI,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,gBAAgB,mCAAK,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAC/E,UAAU,GAAK,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,eAAe,mCAAM,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAC/E,YAAY,GAAG,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,iBAAiB,mCAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAC/E,SAAS,GAAM,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,cAAc,mCAAO,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAC/E,QAAQ,GAAO,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,aAAa,mCAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAChF,mBAAG,EAAE;IACJ,OAAO,CACL,GAAY,EACZ,GAAa,EACb,IAAkB,EAClB,EAAE;QACF,MAAM,KAAK,GAAW,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAChE,GAAG,CAAC,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;QAE5B,gBAAM,CAAC,qBAAqB,CAAC;YAC3B,WAAW,EAAE,IAAI;YACjB,UAAU,EAAE;gBACV,aAAa,EAAE,CAAC,QAAQ,CAAC;gBACzB,YAAY,EAAG,CAAC,QAAQ,EAAE,UAAU,KAAK,GAAG,EAAE,GAAG,WAAW,CAAC;gBAC7D,WAAW,EAAI,CAAC,QAAQ,EAAE,UAAU,KAAK,GAAG,EAAE,GAAG,UAAU,CAAC;gBAC5D,aAAa,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;gBAC5D,SAAS,EAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,QAAQ,CAAC;gBAC/C,UAAU,EAAK,CAAC,QAAQ,EAAE,OAAO,EAAE,2BAA2B,EAAE,GAAG,SAAS,CAAC;gBAC7E,YAAY,EAAG,CAAC,QAAQ,CAAC;gBACzB,WAAW,EAAI,CAAC,QAAQ,CAAC;gBACzB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;gBAC7B,aAAa,EAAE,CAAC,QAAQ,CAAC;aAC1B;YACD,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,MAAM;SACnD,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IACrB,CAAC,CAAC;AACJ,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@hmcts/rpx-xui-node-lib",
-  "version": "2.30.7-2541-v2",
+  "version": "2.30.7-new-csp",
   "description": "Common nodejs library components for XUI",
   "main": "dist/index",
   "types": "dist/index.d.ts",
@@ -40,6 +40,9 @@
   "files": [
     "dist/**/*"
   ],
+  "peerDependencies": {
+    "helmet": "^7.0.0"
+  },
   "devDependencies": {
     "@commitlint/cli": "^17.8.1",
     "@commitlint/config-conventional": "^8.2.0",
@@ -64,6 +67,7 @@
     "commitlint-config-cz": "^0.13.1",
     "cz-conventional-changelog": "^3.3.0",
     "eslint": "^9.25.1",
+    "helmet": "^7.0.0",
     "husky": "^8.0.0",
     "jest": "^29.7.0",
     "jest-config": "29.5.0",