npm - csprefabricate - Versions diffs - 0.2.3 → 0.4.0 - Mend

csprefabricate 0.2.3 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/README.md +116 -10
package/dist/baseline.d.ts +8 -0
package/dist/baseline.js +245 -0
package/dist/helpers.d.ts +9 -0
package/dist/helpers.js +66 -0
package/dist/index.d.ts +5 -2
package/dist/index.js +2 -0
package/dist/types.d.ts +1 -1
package/dist/utils.d.ts +10 -3
package/dist/utils.js +32 -11
package/package.json +2 -3
package/dist/test/helpers.test.d.ts +0 -1
package/dist/test/helpers.test.js +0 -23
package/dist/test/utils.test.d.ts +0 -1
package/dist/test/utils.test.js +0 -69

package/README.md CHANGED Viewed

@@ -14,20 +14,126 @@ Currently `csprefabricate`:
 - Validates directive names
 - Supports providing a list of TLDs for a given domain name
+- Provides warnings for insecure or incomplete CSP configurations, with options to disable specific warnings
+## Common CSP Issues
+By default, `csprefabricate` will warn you about common CSP issues, such as:
+- Overly permissive sources (e.g. using `*`)
+- Missing recommended directives (i.e. `object-src`, `base-uri`, `form-action`)
+- Use of `'unsafe-inline'` in `script-src`, even if nonces or hashes are present
+- Missing nonces or hashes when using `'unsafe-inline'` in `script-src`
+- Allowing `data:` in `img-src` or `media-src`
+You can control which warnings are shown by passing an optional `WarningOptions` object to the `create` function:
 ```typescript
-import {create} from "csprefabricate";
+import {
+    create,
+    Directive,
+    ContentSecurityPolicy,
+    WarningOptions,
+} from "csprefabricate";
+const csp: ContentSecurityPolicy = {
+    [Directive.SCRIPT_SRC]: ["*"],
+    [Directive.IMG_SRC]: ["data:"],
+};
-const input = {
-    [Directive.DEFAULT_SRC]: ["self"],
-    [Directive.IMG_SRC]: ["self", {"*.google": [".com", ".com.au"]}],
-} satisfies ContentSecurityPolicy;
+// Disable all warnings
+const warningOptions: WarningOptions = {
+    overlyPermissive: false,
+    missingDirectives: false,
+    unsafeInline: false,
+    missingNonceOrHash: false,
+    dataUri: false,
+};
-const output = create(csp);
-// > "default-src 'self'; img-src 'self' *.google.com *.google.com.au;",
+create(csp, warningOptions);
 ```
-## Future
+You can selectively enable or disable specific warnings as needed.
+## Real World Examples
+### Example 1: Basic Strict Policy
+```typescript
+import {create, Directive, ContentSecurityPolicy} from "csprefabricate";
-- Generate baseline recommended CSPs (for example, Google Analytics)
-- Warnings for insecure configurations
+const csp: ContentSecurityPolicy = {
+    [Directive.DEFAULT_SRC]: ["'self'"],
+    [Directive.SCRIPT_SRC]: ["'self'"],
+    [Directive.STYLE_SRC]: ["'self'"],
+    [Directive.IMG_SRC]: ["'self'"],
+    [Directive.OBJECT_SRC]: ["'none'"],
+    [Directive.BASE_URI]: ["'self'"],
+    [Directive.FORM_ACTION]: ["'self'"],
+};
+const cspString = create(csp);
+// "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self';"
+```
+### Example 2: Allowing Google Analytics
+```typescript
+import {create, Directive, ContentSecurityPolicy} from "csprefabricate";
+const csp: ContentSecurityPolicy = {
+    [Directive.DEFAULT_SRC]: ["'self'"],
+    [Directive.SCRIPT_SRC]: ["'self'", "*.googletagmanager.com"],
+    [Directive.STYLE_SRC]: ["'self'"],
+    [Directive.IMG_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.googletagmanager.com",
+    ],
+    [Directive.OBJECT_SRC]: ["'none'"],
+    [Directive.BASE_URI]: ["'self'"],
+    [Directive.FORM_ACTION]: ["'self'"],
+    [Directive.CONNECT_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.analytics.google.com",
+        "https://*.googletagmanager.com",
+    ],
+};
+const cspString = create(csp);
+// "default-src 'self'; script-src 'self' *.googletagmanager.com; style-src 'self'; img-src 'self' https://*.google-analytics.com https://*.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com;"
+```
+### Example 3: Using TLD Expansion for Multiple Domains
+```typescript
+import {create, Directive, ContentSecurityPolicy} from "csprefabricate";
+const csp: ContentSecurityPolicy = {
+    [Directive.IMG_SRC]: ["self", {"*.example": [".com", ".co.uk", ".net"]}],
+};
+const cspString = create(csp);
+// "img-src 'self' *.example.com *.example.co.uk *.example.net;"
+```
+## Baseline Recommended CSPs
+You can quickly generate a recommended Content Security Policy for common use cases using built-in baselines.
+Available Baselines:
+- BASELINE_STRICT_CSP
+- GOOGLE_ANALYTICS_CSP
+- GOOGLE_ANALYTICS_WITH_SIGNALS_CSP
+### Google Analytics Baseline CSP
+Allow Google Analytics and Tag Manager:
+```typescript
+import {create, Baseline} from "csprefabricate";
+const cspString = create(Baseline.GOOGLE_ANALYTICS_CSP);
+```

package/dist/baseline.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { ContentSecurityPolicy } from "./types";
+export declare const BASELINE_STRICT_CSP: ContentSecurityPolicy;
+/**
+ * Google Analytics Content Security Policy based on the official guidelines.
+ * https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
+ */
+export declare const GOOGLE_ANALYTICS_CSP: ContentSecurityPolicy;
+export declare const GOOGLE_ANALYTICS_WITH_SIGNALS_CSP: ContentSecurityPolicy;

package/dist/baseline.js ADDED Viewed

@@ -0,0 +1,245 @@
+import { Directive } from "./types";
+// List of supported domains for Google Signals from https://www.google.com/supported_domains
+const googleSupportedTLDs = [
+    ".com",
+    ".ad",
+    ".ae",
+    ".com.af",
+    ".com.ag",
+    ".al",
+    ".am",
+    ".co.ao",
+    ".com.ar",
+    ".as",
+    ".at",
+    ".com.au",
+    ".az",
+    ".ba",
+    ".com.bd",
+    ".be",
+    ".bf",
+    ".bg",
+    ".com.bh",
+    ".bi",
+    ".bj",
+    ".com.bn",
+    ".com.bo",
+    ".com.br",
+    ".bs",
+    ".bt",
+    ".co.bw",
+    ".by",
+    ".com.bz",
+    ".ca",
+    ".cd",
+    ".cf",
+    ".cg",
+    ".ch",
+    ".ci",
+    ".co.ck",
+    ".cl",
+    ".cm",
+    ".cn",
+    ".com.co",
+    ".co.cr",
+    ".com.cu",
+    ".cv",
+    ".com.cy",
+    ".cz",
+    ".de",
+    ".dj",
+    ".dk",
+    ".dm",
+    ".com.do",
+    ".dz",
+    ".com.ec",
+    ".ee",
+    ".com.eg",
+    ".es",
+    ".com.et",
+    ".fi",
+    ".com.fj",
+    ".fm",
+    ".fr",
+    ".ga",
+    ".ge",
+    ".gg",
+    ".com.gh",
+    ".com.gi",
+    ".gl",
+    ".gm",
+    ".gr",
+    ".com.gt",
+    ".gy",
+    ".com.hk",
+    ".hn",
+    ".hr",
+    ".ht",
+    ".hu",
+    ".co.id",
+    ".ie",
+    ".co.il",
+    ".im",
+    ".co.in",
+    ".iq",
+    ".is",
+    ".it",
+    ".je",
+    ".com.jm",
+    ".jo",
+    ".co.jp",
+    ".co.ke",
+    ".com.kh",
+    ".ki",
+    ".kg",
+    ".co.kr",
+    ".com.kw",
+    ".kz",
+    ".la",
+    ".com.lb",
+    ".li",
+    ".lk",
+    ".co.ls",
+    ".lt",
+    ".lu",
+    ".lv",
+    ".com.ly",
+    ".co.ma",
+    ".md",
+    ".me",
+    ".mg",
+    ".mk",
+    ".ml",
+    ".com.mm",
+    ".mn",
+    ".com.mt",
+    ".mu",
+    ".mv",
+    ".mw",
+    ".com.mx",
+    ".com.my",
+    ".co.mz",
+    ".com.na",
+    ".com.ng",
+    ".com.ni",
+    ".ne",
+    ".nl",
+    ".no",
+    ".com.np",
+    ".nr",
+    ".nu",
+    ".co.nz",
+    ".com.om",
+    ".com.pa",
+    ".com.pe",
+    ".com.pg",
+    ".com.ph",
+    ".com.pk",
+    ".pl",
+    ".pn",
+    ".com.pr",
+    ".ps",
+    ".pt",
+    ".com.py",
+    ".com.qa",
+    ".ro",
+    ".ru",
+    ".rw",
+    ".com.sa",
+    ".com.sb",
+    ".sc",
+    ".se",
+    ".com.sg",
+    ".sh",
+    ".si",
+    ".sk",
+    ".com.sl",
+    ".sn",
+    ".so",
+    ".sm",
+    ".sr",
+    ".st",
+    ".com.sv",
+    ".td",
+    ".tg",
+    ".co.th",
+    ".com.tj",
+    ".tl",
+    ".tm",
+    ".tn",
+    ".to",
+    ".com.tr",
+    ".tt",
+    ".com.tw",
+    ".co.tz",
+    ".com.ua",
+    ".co.ug",
+    ".co.uk",
+    ".com.uy",
+    ".co.uz",
+    ".com.vc",
+    ".co.ve",
+    ".co.vi",
+    ".com.vn",
+    ".vu",
+    ".ws",
+    ".rs",
+    ".co.za",
+    ".co.zm",
+    ".co.zw",
+    ".cat",
+];
+export const BASELINE_STRICT_CSP = {
+    [Directive.DEFAULT_SRC]: ["'self'"],
+    [Directive.SCRIPT_SRC]: ["'self'"],
+    [Directive.STYLE_SRC]: ["'self'"],
+    [Directive.IMG_SRC]: ["'self'"],
+    [Directive.OBJECT_SRC]: ["'none'"],
+    [Directive.BASE_URI]: ["'self'"],
+    [Directive.FORM_ACTION]: ["'self'"],
+};
+/**
+ * Google Analytics Content Security Policy based on the official guidelines.
+ * https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
+ */
+export const GOOGLE_ANALYTICS_CSP = {
+    ...BASELINE_STRICT_CSP,
+    [Directive.DEFAULT_SRC]: ["'self'"],
+    [Directive.SCRIPT_SRC]: ["'self'", "*.googletagmanager.com"],
+    [Directive.IMG_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.googletagmanager.com",
+    ],
+    [Directive.CONNECT_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.analytics.google.com",
+        "https://*.googletagmanager.com",
+    ],
+};
+export const GOOGLE_ANALYTICS_WITH_SIGNALS_CSP = {
+    ...BASELINE_STRICT_CSP,
+    ...GOOGLE_ANALYTICS_CSP,
+    [Directive.IMG_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.googletagmanager.com",
+        "https://*.g.doubleclick.net",
+        "https://*.google.com",
+        { "https://*.google.": googleSupportedTLDs },
+    ],
+    [Directive.CONNECT_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.googletagmanager.com",
+        "https://*.g.doubleclick.net",
+        "https://pagead2.googlesyndication.com",
+        { "https://*.google": googleSupportedTLDs },
+    ],
+    [Directive.FRAME_SRC]: [
+        "'self'",
+        "https://td.doubleclick.net",
+        "https://www.googletagmanager.com",
+    ],
+};

package/dist/helpers.d.ts CHANGED Viewed

@@ -1,2 +1,11 @@
+import { ContentSecurityPolicy } from "./types";
+export interface WarningOptions {
+    overlyPermissive?: boolean;
+    missingDirectives?: boolean;
+    unsafeInline?: boolean;
+    missingNonceOrHash?: boolean;
+    dataUri?: boolean;
+}
+export declare function warnOnCspIssues(csp: ContentSecurityPolicy, overrides?: WarningOptions): void;
 export declare const isValidDirective: (directive: string) => boolean;
 export declare const formatRule: (rule: string) => string;

package/dist/helpers.js CHANGED Viewed

@@ -1,3 +1,11 @@
+import { Directive } from "./types";
+const DEFAULT_WARNINGS = {
+    overlyPermissive: true,
+    missingDirectives: true,
+    unsafeInline: true,
+    missingNonceOrHash: true,
+    dataUri: true,
+};
 const validDirectives = [
     "default-src",
     "script-src",
@@ -33,5 +41,63 @@ const specialRules = [
     "strict-dynamic",
     "unsafe-hashes",
 ];
+export function warnOnCspIssues(csp, overrides = {}) {
+    const options = { ...DEFAULT_WARNINGS, ...overrides };
+    // 1. Overly permissive: * in script-src, style-src, etc.
+    if (options.overlyPermissive) {
+        [
+            Directive.SCRIPT_SRC,
+            Directive.STYLE_SRC,
+            Directive.IMG_SRC,
+            Directive.CONNECT_SRC,
+        ].forEach((directive) => {
+            const rules = csp[directive];
+            if (Array.isArray(rules) && rules.includes("*")) {
+                console.warn(`[CSPrefabricate] Overly permissive: '*' found in ${directive}`);
+            }
+        });
+    }
+    // 2. Missing important directives
+    if (options.missingDirectives) {
+        [
+            Directive.OBJECT_SRC,
+            Directive.BASE_URI,
+            Directive.FORM_ACTION,
+        ].forEach((directive) => {
+            if (!(directive in csp)) {
+                console.warn(`[CSPrefabricate] Missing recommended directive: ${directive}`);
+            }
+        });
+    }
+    // 3. Unsafe inline
+    if (options.unsafeInline) {
+        [Directive.SCRIPT_SRC, Directive.STYLE_SRC].forEach((directive) => {
+            const rules = csp[directive];
+            if (Array.isArray(rules) && rules.includes("'unsafe-inline'")) {
+                console.warn(`[CSPrefabricate] 'unsafe-inline' found in ${directive}`);
+            }
+        });
+    }
+    // 4. Missing nonce or hash in script-src if 'unsafe-inline' is present
+    if (options.missingNonceOrHash) {
+        const rules = csp[Directive.SCRIPT_SRC];
+        if (Array.isArray(rules) && rules.includes("'unsafe-inline'")) {
+            const hasNonceOrHash = rules.some((r) => typeof r === "string" &&
+                (r.startsWith("'nonce-") || r.startsWith("'sha")));
+            if (!hasNonceOrHash) {
+                console.warn(`[CSPrefabricate] 'unsafe-inline' in script-src without nonce or hash`);
+            }
+        }
+    }
+    // 5. Permitting data: in img-src or media-src
+    if (options.dataUri) {
+        [Directive.IMG_SRC, Directive.MEDIA_SRC].forEach((directive) => {
+            const rules = csp[directive];
+            if (Array.isArray(rules) && rules.includes("data:")) {
+                console.warn(`[CSPrefabricate] 'data:' allowed in ${directive}`);
+            }
+        });
+    }
+}
 export const isValidDirective = (directive) => validDirectives.includes(directive);
 export const formatRule = (rule) => specialRules.includes(rule) ? `'${rule}'` : rule;

package/dist/index.d.ts CHANGED Viewed

@@ -1,3 +1,6 @@
-import { ContentSecurityPolicy, Directive } from "./types";
+import { Directive } from "./types";
 import { create } from "./utils";
-export { create, Directive, ContentSecurityPolicy };
+import * as Baseline from "./baseline";
+export { Baseline };
+export { create, Directive };
+export type { ContentSecurityPolicy } from "./types";

package/dist/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
 import { Directive } from "./types";
 import { create } from "./utils";
+import * as Baseline from "./baseline";
+export { Baseline };
 export { create, Directive };

package/dist/types.d.ts CHANGED Viewed

@@ -55,4 +55,4 @@ interface ContentSecurityPolicy {
     [Directive.UPGRADE_INSECURE_REQUESTS]?: BlankDirectiveRule;
     [Directive.BLOCK_ALL_MIXED_CONTENT]?: BlankDirectiveRule;
 }
-export { ContentSecurityPolicy, Rules, Directive };
+export { ContentSecurityPolicy, Rules, Directive, BasicDirectiveRule };

package/dist/utils.d.ts CHANGED Viewed

@@ -1,3 +1,10 @@
-import { ContentSecurityPolicy } from "./types";
-export declare const processRules: (rules: Array<string> | Array<string | Record<string, Array<string>>>) => string;
-export declare const create: (obj: ContentSecurityPolicy) => string;
+import { WarningOptions } from "./helpers";
+import { ContentSecurityPolicy, BasicDirectiveRule } from "./types";
+export declare const processRules: (rules: BasicDirectiveRule) => string;
+/**
+ * Creates a CSP string from a ContentSecurityPolicy object.
+ * Filters out invalid directives and formats the CSP string.
+ * @param obj - The ContentSecurityPolicy object.
+ * @returns The formatted CSP string.
+ */
+export declare const create: (obj: ContentSecurityPolicy, warningOptions?: WarningOptions) => string;

package/dist/utils.js CHANGED Viewed

@@ -1,26 +1,47 @@
-import { formatRule, isValidDirective } from "./helpers";
+import { formatRule, isValidDirective, warnOnCspIssues, } from "./helpers";
 export const processRules = (rules) => {
-    return rules
-        .map((rule) => {
+    // Flatten and deduplicate rules
+    const seen = new Set();
+    for (const rule of rules) {
         if (typeof rule === "object") {
-            return Object.entries(rule).map(([domain, tlds]) => tlds.map((tld) => `${domain}${tld}`).join(" "));
+            for (const [domain, tlds] of Object.entries(rule)) {
+                for (const tld of tlds) {
+                    seen.add(`${domain}${tld}`);
+                }
+            }
         }
         else {
-            return formatRule(rule);
+            seen.add(formatRule(rule));
         }
-    })
-        .join(" ");
+    }
+    return Array.from(seen).join(" ");
 };
-export const create = (obj) => {
+/**
+ * Creates a CSP string from a ContentSecurityPolicy object.
+ * Filters out invalid directives and formats the CSP string.
+ * @param obj - The ContentSecurityPolicy object.
+ * @returns The formatted CSP string.
+ */
+export const create = (obj, warningOptions) => {
+    warnOnCspIssues(obj, warningOptions);
     const entries = Object.entries(obj);
     const cspString = entries
         .filter(([directive, _rules]) => {
         const isValid = isValidDirective(directive);
         if (!isValid) {
-            console.warn(`"${directive}" is not a valid CSP directive and has been ignored.`);
+            console.warn(`[CSPrefabricate] "${directive}" is not a valid CSP directive and has been ignored.`);
         }
         return isValid;
     })
-        .map(([directive, rules]) => `${directive}${rules && rules.length > 0 ? " " + processRules(rules) : ""}`);
-    return `${cspString.join("; ")};`;
+        .map(([directive, rules]) => {
+        if (Array.isArray(rules)) {
+            // Filter out non-string/object values at runtime
+            const filtered = rules.filter((r) => typeof r === "string" ||
+                (typeof r === "object" && r !== null));
+            const processed = processRules(filtered);
+            return processed ? `${directive} ${processed}` : `${directive}`;
+        }
+        return `${directive}`;
+    });
+    return cspString.length > 0 ? `${cspString.join("; ")};` : "";
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "csprefabricate",
-    "version": "0.2.3",
+    "version": "0.4.0",
     "packageManager": "yarn@4.5.3",
     "type": "module",
     "devDependencies": {
@@ -20,11 +20,10 @@
     ],
     "scripts": {
         "build": "tsc --project tsconfig.build.json",
+        "functional-test": "yarn build && tsx --test src/test/functional/functional.test.js",
         "pack": "npm pack",
         "prepack": "yarn typecheck && yarn test && yarn build",
-        "prettier": "prettier . --write",
         "prepublish": "yarn version check",
-        "publish": "npm publish",
         "test": "tsx --test src/test/**/*test.ts",
         "typecheck": "tsc --noEmit",
         "lint": "eslint ."

package/dist/test/helpers.test.d.ts DELETED Viewed

	@@ -1 +0,0 @@
1	- export {};

package/dist/test/helpers.test.js DELETED Viewed

@@ -1,23 +0,0 @@
-import { describe, it } from "node:test";
-import assert from "node:assert";
-import { formatRule, isValidDirective } from "../helpers";
-import { Directive } from "../types";
-describe("Helpers tests", () => {
-    describe("isValidDirective", () => {
-        it("Returns true if directive is valid", () => {
-            assert.strictEqual(isValidDirective(Directive.BASE_URI), true);
-            assert.strictEqual(isValidDirective("default-src"), true);
-        });
-        it("Returns false if directive is invalid", () => {
-            assert.strictEqual(isValidDirective("some-src"), false);
-        });
-    });
-    describe("formatRule", () => {
-        it("Formats special rules with single quotes", () => {
-            assert.strictEqual(formatRule("self"), `'self'`);
-        });
-        it("Returns non-special rules", () => {
-            assert.strictEqual(formatRule("google.com"), `google.com`);
-        });
-    });
-});

package/dist/test/utils.test.d.ts DELETED Viewed

	@@ -1 +0,0 @@
1	- export {};

package/dist/test/utils.test.js DELETED Viewed

@@ -1,69 +0,0 @@
-import { describe, it } from "node:test";
-import assert from "node:assert";
-import { create, processRules } from "../utils";
-import { Directive } from "../types";
-describe("Utils tests", () => {
-    describe("processRules", () => {
-        it("Processes rules provided as an array of strings (simple)", () => {
-            const rules = ["self", "*.google.com", "*.google.com.au"];
-            assert.strictEqual(processRules(rules), `'self' *.google.com *.google.com.au`);
-        });
-        it("Processes rules provided a complex list of tlds", () => {
-            const rules = ["self", { "*.google": [".com", ".com.au"] }];
-            assert.strictEqual(processRules(rules), `'self' *.google.com *.google.com.au`);
-        });
-    });
-    describe("create", () => {
-        it("Formats a CSP string with all rules", () => {
-            const csp = {
-                [Directive.DEFAULT_SRC]: ["self"],
-                [Directive.SCRIPT_SRC]: ["self", "js.example.com"],
-                [Directive.STYLE_SRC]: ["self", "css.example.com"],
-                [Directive.IMG_SRC]: [
-                    "self",
-                    { "*.google": [".com", ".com.au"] },
-                ],
-                [Directive.CONNECT_SRC]: ["self"],
-                [Directive.FONT_SRC]: ["self", "font.example.com"],
-                [Directive.OBJECT_SRC]: ["none"],
-                [Directive.MEDIA_SRC]: ["self", "media.example.com"],
-                [Directive.FRAME_SRC]: ["self"],
-                [Directive.SANDBOX]: ["allow-scripts"],
-                [Directive.REPORT_URI]: ["/my-report-uri"],
-                [Directive.CHILD_SRC]: ["self"],
-                [Directive.FORM_ACTION]: ["self"],
-                [Directive.FRAME_ANCESTORS]: ["none"],
-                [Directive.PLUGIN_TYPES]: ["application/pdf"],
-                [Directive.BASE_URI]: ["self"],
-                [Directive.REPORT_TO]: ["myGroupName"],
-                [Directive.WORKER_SRC]: ["none"],
-                [Directive.MANIFEST_SRC]: ["none"],
-                [Directive.PREFETCH_SRC]: ["none"],
-                [Directive.NAVIGATE_TO]: ["example.com"],
-                [Directive.REQUIRE_TRUSTED_TYPES_FOR]: ["script"],
-                [Directive.TRUSTED_TYPES]: ["none"],
-                [Directive.UPGRADE_INSECURE_REQUESTS]: null,
-                [Directive.BLOCK_ALL_MIXED_CONTENT]: null,
-            };
-            const cspString = create(csp);
-            assert.strictEqual(cspString, "default-src 'self'; script-src 'self' js.example.com; style-src 'self' css.example.com; img-src 'self' *.google.com *.google.com.au; connect-src 'self'; font-src 'self' font.example.com; object-src 'none'; media-src 'self' media.example.com; frame-src 'self'; sandbox allow-scripts; report-uri /my-report-uri; child-src 'self'; form-action 'self'; frame-ancestors 'none'; plugin-types application/pdf; base-uri 'self'; report-to myGroupName; worker-src 'none'; manifest-src 'none'; prefetch-src 'none'; navigate-to example.com; require-trusted-types-for script; trusted-types 'none'; upgrade-insecure-requests; block-all-mixed-content;");
-        });
-        it("Handles blank directives", () => {
-            const csp = {
-                [Directive.SANDBOX]: [],
-            };
-            const cspString = create(csp);
-            assert.strictEqual(cspString, "sandbox;");
-        });
-        it("Ignores invalid directives", () => {
-            const csp = {
-                [Directive.DEFAULT_SRC]: ["self"],
-                // @ts-expect-error deliberate testing of invalid directive
-                ["invalid-directive"]: ["self"],
-                [Directive.IMG_SRC]: ["my.domain.com"]
-            };
-            const cspString = create(csp);
-            assert.strictEqual(cspString, "default-src 'self'; img-src my.domain.com;");
-        });
-    });
-});