@lwrjs/security 0.10.0-alpha.16

package/LICENSE

@@ -0,0 +1,10 @@
+MIT LICENSE
+
+Copyright (c) 2020, Salesforce.com, Inc.
+All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/build/cjs/headers/content-security-policy.cjs

@@ -0,0 +1,82 @@
+var __defProp = Object.defineProperty;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {get: all[name], enumerable: true});
+};
+
+// packages/@lwrjs/security/src/headers/content-security-policy.ts
+__markAsModule(exports);
+__export(exports, {
+  default: () => contentSecurityPolicy
+});
+var DEFAULT_DIRECTIVES = {
+  "default-src": ["'self'"],
+  "base-uri": ["'self'"],
+  "font-src": ["'self'", "https:", "data:"],
+  "form-action": ["'self'"],
+  "frame-ancestors": ["'self'"],
+  "img-src": ["'self'", "data:"],
+  "object-src": ["'none'"],
+  "script-src": ["'self'"],
+  "script-src-attr": ["'none'"],
+  "style-src": ["'self'", "https:", "'unsafe-inline'"],
+  "upgrade-insecure-requests": []
+};
+function parseDirectives(str) {
+  const directives = {};
+  for (const directive of str.split(";")) {
+    const [key, ...value] = directive.trim().split(" ");
+    directives[key] = value;
+  }
+  return directives;
+}
+function stringifyDirectives(directives) {
+  const output = [];
+  for (const directive of directives.keys()) {
+    const values = directives.get(directive);
+    if (!values) {
+      continue;
+    }
+    output.push(`${directive} ${Array.from(values).join(" ")}`);
+  }
+  return output.join(";");
+}
+function normalizeDirectives(input) {
+  const output = new Map();
+  for (const directives of input) {
+    for (const [directive, values] of Object.entries(directives)) {
+      let set = output.get(directive);
+      if (!set) {
+        set = new Set();
+        output.set(directive, set);
+      }
+      for (const value of values) {
+        set.add(value);
+      }
+    }
+  }
+  return output;
+}
+function contentSecurityPolicy(header, options, hashes) {
+  const input = [];
+  if (options?.useDefault === void 0 || options?.useDefault === true) {
+    input.push(DEFAULT_DIRECTIVES);
+  }
+  if (options?.directives && typeof options.directives === "object") {
+    input.push(options.directives);
+  }
+  if (options?.directives && typeof options.directives === "string") {
+    input.push(parseDirectives(options.directives));
+  }
+  if (header?.length) {
+    input.push(parseDirectives(header));
+  }
+  if (hashes?.length) {
+    input.push({
+      "script-src": hashes
+    });
+  }
+  const normalizedDirectives = normalizeDirectives(input);
+  return stringifyDirectives(normalizedDirectives);
+}

package/build/cjs/headers/referrer-policy.cjs

@@ -0,0 +1,21 @@
+var __defProp = Object.defineProperty;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {get: all[name], enumerable: true});
+};
+
+// packages/@lwrjs/security/src/headers/referrer-policy.ts
+__markAsModule(exports);
+__export(exports, {
+  default: () => referrerPolicy
+});
+var DEFAULT_DIRECTIVE = "no-referrer";
+function referrerPolicy(header, option) {
+  const value = header || option;
+  if (!value) {
+    return DEFAULT_DIRECTIVE;
+  }
+  const directives = typeof value === "string" ? [value] : value;
+  return directives.join(",");
+}

package/build/cjs/headers/strict-transport-security.cjs

@@ -0,0 +1,41 @@
+var __defProp = Object.defineProperty;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {get: all[name], enumerable: true});
+};
+
+// packages/@lwrjs/security/src/headers/strict-transport-security.ts
+__markAsModule(exports);
+__export(exports, {
+  default: () => strictTransportSecurity
+});
+var DEFAULT_MAX_AGE = 180 * 24 * 60 * 60;
+function parseDirectives(str) {
+  const policy = {};
+  for (const segment of str.split(";")) {
+    const directive = segment.trim();
+    if (directive.startsWith("maxage")) {
+      policy.maxAge = parseInt(directive.substring(directive.indexOf("=") + 1));
+    }
+    if (directive === "includeSubDomains") {
+      policy.includeSubDomains = true;
+    }
+    if (directive === "preload") {
+      policy.preload = true;
+    }
+  }
+  return policy;
+}
+function strictTransportSecurity(header, option) {
+  const policy = header !== void 0 ? parseDirectives(header) : option;
+  const maxAge = policy?.maxAge !== void 0 ? policy.maxAge : DEFAULT_MAX_AGE;
+  const directives = [`max-age=${maxAge}`];
+  if (policy?.includeSubDomains === void 0 || policy?.includeSubDomains) {
+    directives.push("includeSubDomains");
+  }
+  if (policy?.preload) {
+    directives.push("preload");
+  }
+  return directives.join("; ");
+}

package/build/cjs/headers.cjs

@@ -0,0 +1,127 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {get: all[name], enumerable: true});
+};
+var __exportStar = (target, module2, desc) => {
+  if (module2 && typeof module2 === "object" || typeof module2 === "function") {
+    for (let key of __getOwnPropNames(module2))
+      if (!__hasOwnProp.call(target, key) && key !== "default")
+        __defProp(target, key, {get: () => module2[key], enumerable: !(desc = __getOwnPropDesc(module2, key)) || desc.enumerable});
+  }
+  return target;
+};
+var __toModule = (module2) => {
+  return __exportStar(__markAsModule(__defProp(module2 != null ? __create(__getProtoOf(module2)) : {}, "default", module2 && module2.__esModule && "default" in module2 ? {get: () => module2.default, enumerable: true} : {value: module2, enumerable: true})), module2);
+};
+
+// packages/@lwrjs/security/src/headers.ts
+__markAsModule(exports);
+__export(exports, {
+  resolveHeaders: () => resolveHeaders
+});
+var import_crypto = __toModule(require("crypto"));
+var import_shared_utils = __toModule(require("@lwrjs/shared-utils"));
+var import_content_security_policy = __toModule(require("./headers/content-security-policy.cjs"));
+var import_referrer_policy = __toModule(require("./headers/referrer-policy.cjs"));
+var import_strict_transport_security = __toModule(require("./headers/strict-transport-security.cjs"));
+function getResources(viewDefinition) {
+  const {viewRecord} = viewDefinition;
+  const resources = [];
+  if (viewRecord.resources) {
+    resources.push(...viewRecord.resources);
+  }
+  if (viewRecord.bootstrapModule?.resources) {
+    resources.push(...viewRecord.bootstrapModule.resources);
+  }
+  return resources;
+}
+function hash(source) {
+  return `'sha256-${(0, import_crypto.createHash)("sha256").update(source).digest("base64")}'`;
+}
+async function hashResources(resources) {
+  const hashes = [];
+  for (const resource of resources) {
+    if (!resource.inline || resource.type !== "application/javascript")
+      continue;
+    if (resource.content) {
+      hashes.push(hash(resource.content));
+    }
+    if (resource.stream) {
+      const content = await (0, import_shared_utils.streamToString)(resource.stream());
+      hashes.push(hash(content));
+    }
+  }
+  return hashes;
+}
+async function getResourceHashes(viewResponse) {
+  if (!viewResponse.metadata?.viewDefinition) {
+    return [];
+  }
+  const {viewDefinition} = viewResponse.metadata;
+  const resources = getResources(viewDefinition);
+  const hashes = await hashResources(resources);
+  return hashes;
+}
+function normalizeHeaders(headers = {}) {
+  return Object.fromEntries(Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value]));
+}
+function normalizeOptions(options = {}) {
+  for (const [option, value] of Object.entries(options)) {
+    if (value === true) {
+      delete options[option];
+    }
+  }
+  return options;
+}
+async function resolveHeaders(viewResponse, options) {
+  options = normalizeOptions(options);
+  const headers = normalizeHeaders(viewResponse.headers);
+  if (options.contentSecurityPolicy === void 0 || typeof options.contentSecurityPolicy === "object") {
+    const headerName = options.contentSecurityPolicy?.reportOnly ? "content-security-policy-report-only" : "content-security-policy";
+    let hashes;
+    if (options.contentSecurityPolicy?.resourceHashing === void 0) {
+      hashes = await getResourceHashes(viewResponse);
+    }
+    headers[headerName] = (0, import_content_security_policy.default)(headers[headerName], options.contentSecurityPolicy, hashes);
+  }
+  if (options.referrerPolicy === void 0 || typeof options.referrerPolicy === "object") {
+    const headerName = "referrer-policy";
+    headers[headerName] = (0, import_referrer_policy.default)(headers[headerName], options.referrerPolicy);
+  }
+  if (options.strictTransportSecurity === void 0 || typeof options.strictTransportSecurity === "object") {
+    const headerName = "strict-transport-security";
+    headers[headerName] = (0, import_strict_transport_security.default)(headers[headerName], options.strictTransportSecurity);
+  }
+  if (options.crossOriginEmbedderPolicy === void 0 || typeof options.crossOriginEmbedderPolicy === "string") {
+    const headerName = "cross-origin-embedder-policy";
+    headers[headerName] = headers[headerName] || options?.crossOriginEmbedderPolicy || "require-corp";
+  }
+  if (options.crossOriginOpenerPolicy === void 0 || typeof options.crossOriginOpenerPolicy === "string") {
+    const headerName = "cross-origin-opener-policy";
+    headers[headerName] = headers[headerName] || options?.crossOriginOpenerPolicy || "same-origin";
+  }
+  if (options.crossOriginResourcePolicy === void 0 || typeof options.crossOriginResourcePolicy === "string") {
+    const headerName = "cross-origin-resource-policy";
+    headers[headerName] = headers[headerName] || options?.crossOriginResourcePolicy || "same-origin";
+  }
+  if (options.xContentTypeOptions === void 0) {
+    headers["x-content-type-options"] = "nosniff";
+  }
+  if (options.xFrameOptions === void 0) {
+    headers["x-frame-options"] = "sameorigin";
+  }
+  if (options.xPermittedCrossDomainPolicies === void 0) {
+    headers["x-permitted-cross-domain-policies"] = "none";
+  }
+  if (options.xXSSProtection === void 0) {
+    headers["x-xss-protection"] = "0";
+  }
+  return headers;
+}

package/build/cjs/index.cjs

@@ -0,0 +1,32 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {get: all[name], enumerable: true});
+};
+var __exportStar = (target, module2, desc) => {
+  if (module2 && typeof module2 === "object" || typeof module2 === "function") {
+    for (let key of __getOwnPropNames(module2))
+      if (!__hasOwnProp.call(target, key) && key !== "default")
+        __defProp(target, key, {get: () => module2[key], enumerable: !(desc = __getOwnPropDesc(module2, key)) || desc.enumerable});
+  }
+  return target;
+};
+var __toModule = (module2) => {
+  return __exportStar(__markAsModule(__defProp(module2 != null ? __create(__getProtoOf(module2)) : {}, "default", module2 && module2.__esModule && "default" in module2 ? {get: () => module2.default, enumerable: true} : {value: module2, enumerable: true})), module2);
+};
+
+// packages/@lwrjs/security/src/index.ts
+__markAsModule(exports);
+__export(exports, {
+  default: () => import_route_handler.default,
+  secure: () => import_wrapper.secure
+});
+var import_route_handler = __toModule(require("./route-handler.cjs"));
+var import_wrapper = __toModule(require("./wrapper.cjs"));
+__exportStar(exports, __toModule(require("./options.cjs")));

package/build/cjs/options.cjs

@@ -0,0 +1,5 @@
+var __defProp = Object.defineProperty;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+
+// packages/@lwrjs/security/src/options.ts
+__markAsModule(exports);

package/build/cjs/route-handler.cjs

@@ -0,0 +1,34 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {get: all[name], enumerable: true});
+};
+var __exportStar = (target, module2, desc) => {
+  if (module2 && typeof module2 === "object" || typeof module2 === "function") {
+    for (let key of __getOwnPropNames(module2))
+      if (!__hasOwnProp.call(target, key) && key !== "default")
+        __defProp(target, key, {get: () => module2[key], enumerable: !(desc = __getOwnPropDesc(module2, key)) || desc.enumerable});
+  }
+  return target;
+};
+var __toModule = (module2) => {
+  return __exportStar(__markAsModule(__defProp(module2 != null ? __create(__getProtoOf(module2)) : {}, "default", module2 && module2.__esModule && "default" in module2 ? {get: () => module2.default, enumerable: true} : {value: module2, enumerable: true})), module2);
+};
+
+// packages/@lwrjs/security/src/route-handler.ts
+__markAsModule(exports);
+__export(exports, {
+  default: () => securityRouteHandler
+});
+var import_headers = __toModule(require("./headers.cjs"));
+async function securityRouteHandler(request, context, options) {
+  const viewResponse = await context.viewApi.getViewResponse(context.route);
+  viewResponse.headers = await (0, import_headers.resolveHeaders)(viewResponse, options);
+  return viewResponse;
+}

package/build/cjs/wrapper.cjs

@@ -0,0 +1,57 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {get: all[name], enumerable: true});
+};
+var __exportStar = (target, module2, desc) => {
+  if (module2 && typeof module2 === "object" || typeof module2 === "function") {
+    for (let key of __getOwnPropNames(module2))
+      if (!__hasOwnProp.call(target, key) && key !== "default")
+        __defProp(target, key, {get: () => module2[key], enumerable: !(desc = __getOwnPropDesc(module2, key)) || desc.enumerable});
+  }
+  return target;
+};
+var __toModule = (module2) => {
+  return __exportStar(__markAsModule(__defProp(module2 != null ? __create(__getProtoOf(module2)) : {}, "default", module2 && module2.__esModule && "default" in module2 ? {get: () => module2.default, enumerable: true} : {value: module2, enumerable: true})), module2);
+};
+
+// packages/@lwrjs/security/src/wrapper.ts
+__markAsModule(exports);
+__export(exports, {
+  secure: () => secure
+});
+var import_headers = __toModule(require("./headers.cjs"));
+function isViewResponse(response) {
+  return response.body !== void 0;
+}
+function isViewDefinitionResponse(response) {
+  return response.view !== void 0;
+}
+function secure(routeHandler, options) {
+  return async (request, context) => {
+    const routeHandlerResponse = await routeHandler(request, context);
+    if (isViewResponse(routeHandlerResponse)) {
+      if (!routeHandlerResponse.headers || !routeHandlerResponse.headers["content-type"].startsWith("text/html")) {
+        return routeHandlerResponse;
+      }
+      routeHandlerResponse.headers = await (0, import_headers.resolveHeaders)(routeHandlerResponse, options);
+      return routeHandlerResponse;
+    }
+    if (isViewDefinitionResponse(routeHandlerResponse)) {
+      const viewResponse = await context.viewApi.getViewResponse(routeHandlerResponse.view, routeHandlerResponse.viewParams, routeHandlerResponse.renderOptions);
+      viewResponse.headers = {
+        ...viewResponse.headers,
+        ...routeHandlerResponse.headers
+      };
+      viewResponse.headers = await (0, import_headers.resolveHeaders)(viewResponse, options);
+      return viewResponse;
+    }
+    throw new Error("Unexpected route handler response");
+  };
+}

package/build/es/headers/content-security-policy.d.ts

@@ -0,0 +1,11 @@
+export declare type Directives = {
+    [key: string]: string[];
+};
+export interface ContentSecurityPolicy {
+    useDefault?: boolean;
+    resourceHashing?: boolean;
+    reportOnly?: boolean;
+    directives?: Directives | string;
+}
+export default function contentSecurityPolicy(header?: string, options?: ContentSecurityPolicy, hashes?: string[]): string;
+//# sourceMappingURL=content-security-policy.d.ts.map

package/build/es/headers/content-security-policy.js

@@ -0,0 +1,71 @@
+const DEFAULT_DIRECTIVES = {
+    'default-src': ["'self'"],
+    'base-uri': ["'self'"],
+    'font-src': ["'self'", 'https:', 'data:'],
+    'form-action': ["'self'"],
+    'frame-ancestors': ["'self'"],
+    'img-src': ["'self'", 'data:'],
+    'object-src': ["'none'"],
+    'script-src': ["'self'"],
+    'script-src-attr': ["'none'"],
+    'style-src': ["'self'", 'https:', "'unsafe-inline'"],
+    'upgrade-insecure-requests': [],
+};
+function parseDirectives(str) {
+    const directives = {};
+    for (const directive of str.split(';')) {
+        const [key, ...value] = directive.trim().split(' ');
+        directives[key] = value;
+    }
+    return directives;
+}
+function stringifyDirectives(directives) {
+    const output = [];
+    for (const directive of directives.keys()) {
+        const values = directives.get(directive);
+        if (!values) {
+            continue;
+        }
+        output.push(`${directive} ${Array.from(values).join(' ')}`);
+    }
+    return output.join(';');
+}
+function normalizeDirectives(input) {
+    const output = new Map();
+    for (const directives of input) {
+        for (const [directive, values] of Object.entries(directives)) {
+            let set = output.get(directive);
+            if (!set) {
+                set = new Set();
+                output.set(directive, set);
+            }
+            for (const value of values) {
+                set.add(value);
+            }
+        }
+    }
+    return output;
+}
+export default function contentSecurityPolicy(header, options, hashes) {
+    const input = [];
+    if (options?.useDefault === undefined || options?.useDefault === true) {
+        input.push(DEFAULT_DIRECTIVES);
+    }
+    if (options?.directives && typeof options.directives === 'object') {
+        input.push(options.directives);
+    }
+    if (options?.directives && typeof options.directives === 'string') {
+        input.push(parseDirectives(options.directives));
+    }
+    if (header?.length) {
+        input.push(parseDirectives(header));
+    }
+    if (hashes?.length) {
+        input.push({
+            'script-src': hashes,
+        });
+    }
+    const normalizedDirectives = normalizeDirectives(input);
+    return stringifyDirectives(normalizedDirectives);
+}
+//# sourceMappingURL=content-security-policy.js.map

package/build/es/headers/referrer-policy.d.ts

@@ -0,0 +1,3 @@
+export declare type ReferrerPolicy = string | string[];
+export default function referrerPolicy(header?: string, option?: ReferrerPolicy): string;
+//# sourceMappingURL=referrer-policy.d.ts.map

package/build/es/headers/referrer-policy.js

@@ -0,0 +1,10 @@
+const DEFAULT_DIRECTIVE = 'no-referrer';
+export default function referrerPolicy(header, option) {
+    const value = header || option;
+    if (!value) {
+        return DEFAULT_DIRECTIVE;
+    }
+    const directives = typeof value === 'string' ? [value] : value;
+    return directives.join(',');
+}
+//# sourceMappingURL=referrer-policy.js.map

package/build/es/headers/strict-transport-security.d.ts

@@ -0,0 +1,7 @@
+export interface StrictTransportSecurity {
+    maxAge?: number;
+    includeSubDomains?: boolean;
+    preload?: boolean;
+}
+export default function strictTransportSecurity(header?: string, option?: StrictTransportSecurity): string;
+//# sourceMappingURL=strict-transport-security.d.ts.map

package/build/es/headers/strict-transport-security.js

@@ -0,0 +1,30 @@
+const DEFAULT_MAX_AGE = 180 * 24 * 60 * 60;
+function parseDirectives(str) {
+    const policy = {};
+    for (const segment of str.split(';')) {
+        const directive = segment.trim();
+        if (directive.startsWith('maxage')) {
+            policy.maxAge = parseInt(directive.substring(directive.indexOf('=') + 1));
+        }
+        if (directive === 'includeSubDomains') {
+            policy.includeSubDomains = true;
+        }
+        if (directive === 'preload') {
+            policy.preload = true;
+        }
+    }
+    return policy;
+}
+export default function strictTransportSecurity(header, option) {
+    const policy = header !== undefined ? parseDirectives(header) : option;
+    const maxAge = policy?.maxAge !== undefined ? policy.maxAge : DEFAULT_MAX_AGE;
+    const directives = [`max-age=${maxAge}`];
+    if (policy?.includeSubDomains === undefined || policy?.includeSubDomains) {
+        directives.push('includeSubDomains');
+    }
+    if (policy?.preload) {
+        directives.push('preload');
+    }
+    return directives.join('; ');
+}
+//# sourceMappingURL=strict-transport-security.js.map

package/build/es/headers.d.ts

@@ -0,0 +1,4 @@
+import type { ViewResponse } from '@lwrjs/types';
+import type { SecurityOptions } from './options.js';
+export declare function resolveHeaders(viewResponse: ViewResponse, options?: SecurityOptions): Promise<Record<string, string>>;
+//# sourceMappingURL=headers.d.ts.map

package/build/es/headers.js

@@ -0,0 +1,111 @@
+import { createHash } from 'crypto';
+import { streamToString } from '@lwrjs/shared-utils';
+import contentSecurityPolicy from './headers/content-security-policy.js';
+import referrerPolicy from './headers/referrer-policy.js';
+import strictTransportSecurity from './headers/strict-transport-security.js';
+function getResources(viewDefinition) {
+    const { viewRecord } = viewDefinition;
+    const resources = [];
+    if (viewRecord.resources) {
+        resources.push(...viewRecord.resources);
+    }
+    if (viewRecord.bootstrapModule?.resources) {
+        resources.push(...viewRecord.bootstrapModule.resources);
+    }
+    return resources;
+}
+function hash(source) {
+    return `'sha256-${createHash('sha256').update(source).digest('base64')}'`;
+}
+async function hashResources(resources) {
+    const hashes = [];
+    for (const resource of resources) {
+        // TODO: support other inlined resource types
+        if (!resource.inline || resource.type !== 'application/javascript')
+            continue;
+        if (resource.content) {
+            hashes.push(hash(resource.content));
+        }
+        if (resource.stream) {
+            // eslint-disable-next-line no-await-in-loop
+            const content = await streamToString(resource.stream());
+            hashes.push(hash(content));
+        }
+    }
+    return hashes;
+}
+async function getResourceHashes(viewResponse) {
+    if (!viewResponse.metadata?.viewDefinition) {
+        return [];
+    }
+    const { viewDefinition } = viewResponse.metadata;
+    const resources = getResources(viewDefinition);
+    const hashes = await hashResources(resources);
+    return hashes;
+}
+function normalizeHeaders(headers = {}) {
+    return Object.fromEntries(Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value]));
+}
+function normalizeOptions(options = {}) {
+    for (const [option, value] of Object.entries(options)) {
+        // true values are the same as undefined
+        if (value === true) {
+            delete options[option];
+        }
+    }
+    return options;
+}
+export async function resolveHeaders(viewResponse, options) {
+    options = normalizeOptions(options);
+    const headers = normalizeHeaders(viewResponse.headers);
+    if (options.contentSecurityPolicy === undefined || typeof options.contentSecurityPolicy === 'object') {
+        const headerName = options.contentSecurityPolicy?.reportOnly
+            ? 'content-security-policy-report-only'
+            : 'content-security-policy';
+        let hashes;
+        if (options.contentSecurityPolicy?.resourceHashing === undefined) {
+            hashes = await getResourceHashes(viewResponse);
+        }
+        headers[headerName] = contentSecurityPolicy(headers[headerName], options.contentSecurityPolicy, hashes);
+    }
+    if (options.referrerPolicy === undefined || typeof options.referrerPolicy === 'object') {
+        const headerName = 'referrer-policy';
+        headers[headerName] = referrerPolicy(headers[headerName], options.referrerPolicy);
+    }
+    if (options.strictTransportSecurity === undefined ||
+        typeof options.strictTransportSecurity === 'object') {
+        const headerName = 'strict-transport-security';
+        headers[headerName] = strictTransportSecurity(headers[headerName], options.strictTransportSecurity);
+    }
+    if (options.crossOriginEmbedderPolicy === undefined ||
+        typeof options.crossOriginEmbedderPolicy === 'string') {
+        const headerName = 'cross-origin-embedder-policy';
+        headers[headerName] = headers[headerName] || options?.crossOriginEmbedderPolicy || 'require-corp';
+    }
+    if (options.crossOriginOpenerPolicy === undefined ||
+        typeof options.crossOriginOpenerPolicy === 'string') {
+        const headerName = 'cross-origin-opener-policy';
+        headers[headerName] = headers[headerName] || options?.crossOriginOpenerPolicy || 'same-origin';
+    }
+    if (options.crossOriginResourcePolicy === undefined ||
+        typeof options.crossOriginResourcePolicy === 'string') {
+        const headerName = 'cross-origin-resource-policy';
+        headers[headerName] = headers[headerName] || options?.crossOriginResourcePolicy || 'same-origin';
+    }
+    if (options.xContentTypeOptions === undefined) {
+        headers['x-content-type-options'] = 'nosniff';
+    }
+    if (options.xFrameOptions === undefined) {
+        headers['x-frame-options'] = 'sameorigin';
+    }
+    if (options.xPermittedCrossDomainPolicies === undefined) {
+        headers['x-permitted-cross-domain-policies'] = 'none';
+    }
+    if (options.xXSSProtection === undefined) {
+        // this header is deprecated, and the recommendation is to disable it
+        // https://owasp.org/www-project-secure-headers/#x-xss-protection
+        headers['x-xss-protection'] = '0';
+    }
+    return headers;
+}
+//# sourceMappingURL=headers.js.map

package/build/es/index.d.ts

@@ -0,0 +1,4 @@
+export { default } from './route-handler.js';
+export { secure } from './wrapper.js';
+export * from './options.js';
+//# sourceMappingURL=index.d.ts.map

package/build/es/index.js

@@ -0,0 +1,4 @@
+export { default } from './route-handler.js';
+export { secure } from './wrapper.js';
+export * from './options.js';
+//# sourceMappingURL=index.js.map

package/build/es/options.d.ts

@@ -0,0 +1,16 @@
+import type { ContentSecurityPolicy } from './headers/content-security-policy.js';
+import type { ReferrerPolicy } from './headers/referrer-policy.js';
+import type { StrictTransportSecurity } from './headers/strict-transport-security.js';
+export interface SecurityOptions extends Record<string, any> {
+    contentSecurityPolicy?: ContentSecurityPolicy | boolean;
+    referrerPolicy?: ReferrerPolicy | boolean;
+    strictTransportSecurity?: StrictTransportSecurity | boolean;
+    crossOriginEmbedderPolicy?: string | boolean;
+    crossOriginOpenerPolicy?: string | boolean;
+    crossOriginResourcePolicy?: string | boolean;
+    xContentTypeOptions?: boolean;
+    xFrameOptions?: boolean;
+    xPermittedCrossDomainPolicies?: boolean;
+    xXSSProtection?: boolean;
+}
+//# sourceMappingURL=options.d.ts.map

package/build/es/options.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=options.js.map

package/build/es/route-handler.d.ts

@@ -0,0 +1,11 @@
+import type { HandlerContext, ViewRequest, ViewResponse } from '@lwrjs/types';
+import type { SecurityOptions } from './options.js';
+/**
+ * Resolve and secure the view
+ *
+ * @param request - inbound view request
+ * @param context - route handler context
+ * @returns a route handler
+ */
+export default function securityRouteHandler(request: ViewRequest, context: HandlerContext, options?: SecurityOptions): Promise<ViewResponse>;
+//# sourceMappingURL=route-handler.d.ts.map

package/build/es/route-handler.js

@@ -0,0 +1,14 @@
+import { resolveHeaders } from './headers.js';
+/**
+ * Resolve and secure the view
+ *
+ * @param request - inbound view request
+ * @param context - route handler context
+ * @returns a route handler
+ */
+export default async function securityRouteHandler(request, context, options) {
+    const viewResponse = await context.viewApi.getViewResponse(context.route);
+    viewResponse.headers = await resolveHeaders(viewResponse, options);
+    return viewResponse;
+}
+//# sourceMappingURL=route-handler.js.map

package/build/es/wrapper.d.ts

@@ -0,0 +1,15 @@
+import type { RouteHandlerFunction } from '@lwrjs/types';
+import type { SecurityOptions } from './options.js';
+/**
+ * Wrap existing route handlers to apply security headers and conditionally inline script hashing
+ *
+ * @remarks
+ * Script hashing is only applied when the provided route handler returns a `ViewDefinitionResponse`
+ *
+ * Security headers are not applied when the route handler returns a `ViewResponse` that is not HTML
+ *
+ * @param routeHandler - existing route handler
+ * @returns a route handler
+ */
+export declare function secure(routeHandler: RouteHandlerFunction, options?: SecurityOptions): RouteHandlerFunction;
+//# sourceMappingURL=wrapper.d.ts.map

package/build/es/wrapper.js

@@ -0,0 +1,47 @@
+import { resolveHeaders } from './headers.js';
+function isViewResponse(response) {
+    return response.body !== undefined;
+}
+function isViewDefinitionResponse(response) {
+    return response.view !== undefined;
+}
+/**
+ * Wrap existing route handlers to apply security headers and conditionally inline script hashing
+ *
+ * @remarks
+ * Script hashing is only applied when the provided route handler returns a `ViewDefinitionResponse`
+ *
+ * Security headers are not applied when the route handler returns a `ViewResponse` that is not HTML
+ *
+ * @param routeHandler - existing route handler
+ * @returns a route handler
+ */
+export function secure(routeHandler, options) {
+    return async (request, context) => {
+        // TODO: handle sync response
+        const routeHandlerResponse = await routeHandler(request, context);
+        if (isViewResponse(routeHandlerResponse)) {
+            // only apply headers when the view response is html
+            if (!routeHandlerResponse.headers ||
+                !routeHandlerResponse.headers['content-type'].startsWith('text/html')) {
+                return routeHandlerResponse;
+            }
+            // merge custom security headers with defaults
+            routeHandlerResponse.headers = await resolveHeaders(routeHandlerResponse, options);
+            return routeHandlerResponse;
+        }
+        if (isViewDefinitionResponse(routeHandlerResponse)) {
+            // resolve the view based on the route handler response
+            const viewResponse = await context.viewApi.getViewResponse(routeHandlerResponse.view, routeHandlerResponse.viewParams, routeHandlerResponse.renderOptions);
+            viewResponse.headers = {
+                ...viewResponse.headers,
+                ...routeHandlerResponse.headers,
+            };
+            // set headers according to options
+            viewResponse.headers = await resolveHeaders(viewResponse, options);
+            return viewResponse;
+        }
+        throw new Error('Unexpected route handler response');
+    };
+}
+//# sourceMappingURL=wrapper.js.map

package/package.json

@@ -0,0 +1,41 @@
+{
+    "name": "@lwrjs/security",
+    "version": "0.10.0-alpha.16",
+    "license": "MIT",
+    "type": "module",
+    "types": "build/es/index.d.ts",
+    "module": "build/es/index.js",
+    "homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/salesforce-experience-platform-emu/lwr.git",
+        "directory": "packages/@lwrjs/security"
+    },
+    "bugs": {
+        "url": "https://github.com/salesforce-experience-platform-emu/lwr/issues"
+    },
+    "publishConfig": {
+        "access": "public"
+    },
+    "exports": {
+        ".": {
+            "import": "./build/es/index.js",
+            "require": "./build/cjs/index.cjs"
+        }
+    },
+    "files": [
+        "build/**/*.js",
+        "build/**/*.cjs",
+        "build/**/*.d.ts"
+    ],
+    "dependencies": {
+        "@lwrjs/shared-utils": "0.10.0-alpha.16"
+    },
+    "devDependencies": {
+        "@lwrjs/types": "0.10.0-alpha.16"
+    },
+    "engines": {
+        "node": ">=16.0.0 <20"
+    },
+    "gitHead": "c5a13d471330c0f738d0c783fd1b69f456c544bd"
+}