gina 0.3.15-alpha.2 → 0.3.15-alpha.4

package/ROADMAP.md

@@ -158,7 +158,7 @@ Cross-site request forgery protection. Three-phase defense-in-depth plan aligned
 
 ## Web Security Headers
 
-HTTP security response headers as opt-in `gina.plugins.*` middlewares, mirroring the `Session` (#CSRF1) and `Csrf` (#CSRF2/#CSRF3) plugin shape. Each plugin is single-concern, opt-in by default-off, and reads its config from a flat top-level `settings.json` key. Native implementation — no `helmet` dependency. **Phase 1** covers the five modern critical headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, HSTS, Origin-Agent-Cluster) — all shipped in `0.3.15-alpha`. **Phase 1.5** covers helmet-parity gap-fill (HidePoweredBy, X-DNS-Prefetch-Control, X-XSS-Protection, X-Download-Options, X-Permitted-Cross-Domain-Policies) — defense-in-depth + parity-with-helmet narrative; modest practical value. **Phase 2** covers CSP + COEP/COOP/CORP (dynamic / higher-break-risk, deferred to `0.4.0`). CORS handling is separate and already lives in `core/server.js` (request-side).
+HTTP security response headers as opt-in `gina.plugins.*` middlewares, mirroring the `Session` (#CSRF1) and `Csrf` (#CSRF2/#CSRF3) plugin shape. Each plugin is single-concern, opt-in by default-off, and reads its config from a flat top-level `settings.json` key. Native implementation — no `helmet` dependency. **Phase 1** covers the five modern critical headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, HSTS, Origin-Agent-Cluster) — all shipped in `0.3.15-alpha`. **Phase 1.5** covers helmet-parity gap-fill (HidePoweredBy, X-DNS-Prefetch-Control, X-XSS-Protection, X-Download-Options, X-Permitted-Cross-Domain-Policies) — defense-in-depth + parity-with-helmet narrative; modest practical value. **Phase 2** (targeted at `0.4.0-alpha`) covers CSP + COEP/COOP/CORP + combined wrapper — CSP (#HDR5), COEP (#HDR6), COOP (#HDR13), CORP (#HDR14) and the `SecurityHeaders` combined wrapper (#HDR15) all shipped 2026-05-17 — **Phase 2 closed**. CORS handling is separate and already lives in `core/server.js` (request-side).
 
 | Status | Feature | Version | Target |
 | --- | --- | --- | --- |
@@ -167,13 +167,16 @@ HTTP security response headers as opt-in `gina.plugins.*` middlewares, mirroring
 | ✅ | **`Referrer-Policy` middleware** — Opt-in plugin `gina.plugins.ReferrerPolicy({ value })`. Settings: `referrerPolicy.value` is one of the eight W3C tokens (`"no-referrer"`, `"no-referrer-when-downgrade"`, `"origin"`, `"origin-when-cross-origin"`, `"same-origin"`, `"strict-origin"`, `"strict-origin-when-cross-origin"`, `"unsafe-url"`). Default `"strict-origin-when-cross-origin"` matches the browser default since ~2021. Caller options always win over settings; values are normalised to lowercase per the W3C spec's case-insensitive matching. Invalid tokens throw at factory call time with the full eight-token list + W3C spec URL in the message. Idempotent — first-writer-wins. 56 unit tests. | `0.3.15-alpha` | 2026-05-17 |
 | ✅ | **`Strict-Transport-Security` (HSTS) middleware** — Opt-in plugin `gina.plugins.Hsts({ maxAge, includeSubDomains, preload })`. Defaults: `maxAge: 15552000` (180 days), `includeSubDomains: false`, `preload: false`. Caller options always win over settings. Browser-parity invariant: `preload: true` requires `includeSubDomains: true` AND `maxAge >= 31536000` (1 year) per the HSTS preload-list submission requirements; factory throws at call time on invariant violations with a pointer at https://hstspreload.org/. Also throws on non-integer / negative / NaN / Infinity `maxAge`. Header value built per RFC 6797 §6.1 directive order (`max-age=<n>; includeSubDomains; preload`). Spec deviation documented: emits on every response (helmet-aligned) rather than gating HTTPS-only — receiver enforces correctly anyway per RFC 6797 §8.1. Idempotent — first-writer-wins. 69 unit tests. | `0.3.15-alpha` | 2026-05-17 |
 | ✅ | **`Origin-Agent-Cluster: ?1` middleware** — Opt-in plugin `gina.plugins.OriginAgentCluster()` requests origin-keyed agent clustering — same-site cross-origin pages get isolated agents (can no longer reach in via `document.domain`), mitigating one class of Spectre side-channel attack. Per the HTML spec, `?1` (Structured Header boolean true) is the only useful value; no tunable options. Browser support: Chrome 88+, Edge 88+, Firefox 109+, Safari 15+. Mirrors the #HDR1 shape exactly. Idempotent — first-writer-wins. 33 unit tests. **Closes Phase 1 (modern critical coverage).** | `0.3.15-alpha` | 2026-05-17 |
-| 📋 | **Phase 1.5 — `HidePoweredBy` (#HDR8)** — `gina.plugins.HidePoweredBy()` removes the `X-Powered-By` response header (Express's `X-Powered-By: Express` leaks framework identity). REMOVE shape (`res.removeHeader`), unlike the SET shape of every other plugin in the track. Modest practical value; helmet covers it. | `0.3.16-alpha` | Q2 2026 |
-| 📋 | **Phase 1.5 — `X-DNS-Prefetch-Control` (#HDR9)** — `gina.plugins.XDnsPrefetchControl({ value })`. Default `"off"` (matches helmet). Marginal value — modern browsers mostly ignore the header. | `0.3.16-alpha` | Q3 2026 |
-| 📋 | **Phase 1.5 — `X-XSS-Protection: 0` (#HDR10)** — `gina.plugins.XXssProtection()` emits `0` to DISABLE Chrome's legacy XSS auditor (deprecated; auditor had its own vulnerabilities). Near-zero practical value in 2026 (Chrome dropped the auditor in 78; Firefox / Safari never implemented). | `0.3.16-alpha` | Q3 2026 |
-| 📋 | **Phase 1.5 — `X-Download-Options: noopen` (#HDR11)** — `gina.plugins.XDownloadOptions()` IE8+ legacy header. Modern browsers ignore. Defense-in-depth for IE11 holdouts only. | `0.3.16-alpha` | Q3 2026 |
-| 📋 | **Phase 1.5 — `X-Permitted-Cross-Domain-Policies` (#HDR12)** — `gina.plugins.XPermittedCrossDomainPolicies({ value })`. Restricts Adobe Flash / PDF cross-domain. Flash EOL since 2020; PDF readers mostly ignore. Helmet still ships it. | `0.3.16-alpha` | Q3 2026 |
-| 📋 | **`Content-Security-Policy` (Phase 2 — static directives)** — Opt-in plugin `gina.plugins.Csp({ directives, reportOnly })`. v0 ships static directives only; per-response nonce wiring requires template-render integration and defers to a separate CSP-aware view-layer plugin. `reportOnly: true` emits `Content-Security-Policy-Report-Only` for non-enforcing migration testing. | `0.4.0` | Q1 2027 |
-| 📋 | **`Cross-Origin-{Embedder,Opener,Resource}-Policy` (Phase 2)** — Opt-in plugin `gina.plugins.CrossOriginPolicies({ embedder, opener, resource })` — COEP/COOP/CORP browsing-context isolation. Distinct from CORS (request-side, handled in `core/server.js:1362-1520`). Can break legitimate cross-origin resource loading; opt-in even more conservatively than Phase 1. | `0.4.0` | Q1 2027 |
+| ✅ | **Phase 1.5 — `HidePoweredBy` (#HDR8)** — Opt-in plugin `gina.plugins.HidePoweredBy()` removes the `X-Powered-By` response header that gina emits by default at `server.js:2425` (plus `env.json > response.header`). Reduces the attacker's reconnaissance surface — they no longer learn the server stack identity from the response header. **Different SHAPE from the other HDR plugins**: REMOVE (`res.removeHeader`) not SET. No tunable options today (mirrors helmet's no-opts shape). **Two-engine pairing**: Phase 1 covers the Express engine (`server.js:2425` setHeader fires in early framework middleware before user `app.use()` mounts, so `removeHeader` succeeds). Isaac's 15 direct `response.writeHead({ 'X-Powered-By': ... })` call sites bypass the setHeader/removeHeader interface, so the middleware can't reach them on Isaac. **Phase 2 (shipped 2026-05-17) closed the Isaac gap** via the framework-level `server.hidePoweredBy: true` settings flag (default `false`) that the Isaac engine reads at boot — `_setPoweredByHeader(headers)` closure inside `onPath` wraps 14 object-literal sites + 1 inline `if (!options.hidePoweredBy)` guard at the routing.json setHeader site. Bundles pick the right shape: Express → middleware; Isaac → flag; belt-and-suspenders → both (each no-op on the other engine). Idempotent — `removeHeader` is a no-op when the header is absent. 37 unit tests. **Opens Phase 1.5 (helmet-parity gap-fill).** | `0.3.16-alpha` | 2026-05-17 |
+| ✅ | **Phase 1.5 — `X-DNS-Prefetch-Control` (#HDR9)** — Opt-in plugin `gina.plugins.XDnsPrefetchControl({ value })`. Settings: `xDnsPrefetchControl.value` is one of two tokens (`"on"`, `"off"`); default `"off"` matches helmet (privacy-respecting choice — browser does not pre-resolve DNS for unclicked links, so the resolver only sees hostnames the user actually navigates to). **API-shape divergence from helmet**: helmet uses `{ allow: boolean }`; gina uses `{ value: 'on' \| 'off' }` matching the existing single-token-enum convention (HDR2 / HDR3 / HDR6 / HDR13 / HDR14). README documents the helmet-to-gina mapping for migrators. Caller options always win over settings; values are normalised to lowercase. Mirrors the #HDR14 Corp single-enum plugin shape exactly (`resolveSettingsDefaults` + `mergeOptions` + `resolveValue` throw-on-invalid + idempotent first-writer-wins middleware via `res.getHeader`). Marginal practical value in 2026 — modern Chrome / Firefox have their own DNS-prefetch heuristics that mostly ignore the header; defense-in-depth + helmet-parity narrative. 57 unit tests including a negative-invariant lock on the helmet-shape `{ allow: true }` silent-fallback (it does NOT enable DNS prefetching in gina — emits default `off`). | `0.3.16-alpha` | 2026-05-17 |
+| ✅ | **Phase 1.5 — `X-XSS-Protection: 0` (#HDR10)** — Opt-in plugin `gina.plugins.XXssProtection()` emits the literal header `X-XSS-Protection: 0` to DISABLE Chrome's legacy XSS auditor (the auditor itself had its own vulnerabilities; disabling is the modern recommendation per MDN). **The value `0` is deliberate — not a typo**: HEADER_VALUE is the literal string `"0"`, with a negative-invariant test pinning that the value is NOT any `"1"` enable variant. No tunable options (mirrors helmet's no-opts shape + the #HDR1 XContentTypeOptions plugin shape). Use #HDR5 Csp with a strong policy for the actual XSS defense; this header is defense-in-depth + helmet-parity narrative only. Browser status in 2026: Chrome dropped the auditor in v78 (2019); Edge follows Chrome; Firefox / Safari never implemented; IE11 honoured but is EOL. Idempotent — first-writer-wins via `res.getHeader`; if an upstream middleware accidentally emits the unsafe `"1; mode=block"`, this plugin does NOT override it (mount BEFORE the upstream to win). Mirrors the #HDR1 XContentTypeOptions plugin shape (no opts, single fixed value, same `resolveSettingsDefaults` + `mergeOptions` helpers). 37 unit tests including the negative-invariant lock on no-"1"-variant + the string-not-number "0" emission lock. | `0.3.16-alpha` | 2026-05-17 |
+| ✅ | **Phase 1.5 — `X-Download-Options: noopen` (#HDR11)** — Opt-in plugin `gina.plugins.XDownloadOptions()` emits the literal header `X-Download-Options: noopen` on every response. IE-legacy: prevents IE8+ from opening downloads in the site's security context (an old IE vulnerability shape where the "Open" button on a download dialog opened the file in the SITE's origin, allowing XSS-equivalent via downloaded HTML from a trusted site). `noopen` is the only valid value per MSDN. No tunable options (mirrors helmet's no-opts shape + the #HDR1 / #HDR10 plugin shape). Modern browsers (Chrome / Firefox / Safari / Edge) ignore the header silently; only IE10 / IE11 honour it (both EOL since June 2022). Effectively no-op in modern browsers; defense-in-depth + helmet-parity narrative. Idempotent — first-writer-wins via `res.getHeader`. Mirrors the #HDR1 XContentTypeOptions plugin shape exactly. 35 unit tests. | `0.3.16-alpha` | 2026-05-17 |
+| ✅ | **Phase 1.5 — `X-Permitted-Cross-Domain-Policies` (#HDR12)** — Opt-in plugin `gina.plugins.XPermittedCrossDomainPolicies({ value })` emits the `X-Permitted-Cross-Domain-Policies` response header on every response. Settings: `xPermittedCrossDomainPolicies.value` is one of four Adobe spec tokens (`"none"`, `"master-only"`, `"by-content-type"`, `"all"`); default `"none"` matches helmet (most restrictive — no Flash/PDF cross-domain policy files honoured). **API-shape divergence from helmet**: helmet uses `{ permittedPolicies: <enum> }`; gina uses `{ value: <enum> }` matching the existing single-token-enum convention (HDR2 / HDR3 / HDR6 / HDR9 / HDR13 / HDR14). README documents the helmet-to-gina mapping. Mirrors the #HDR14 Corp single-enum plugin shape exactly (`resolveSettingsDefaults` + `mergeOptions` + `resolveValue` throw-on-invalid + idempotent first-writer-wins via `res.getHeader`). Flash EOL since December 2020; Adobe Reader historically honoured the header but most modern PDF readers ignore it; defense-in-depth + helmet-parity narrative. 60 unit tests including a negative-invariant lock on the helmet-shape `{ permittedPolicies }` silent-fallback (it does NOT switch the gina default — emits default `"none"`). **Closes Phase 1.5.** | `0.3.16-alpha` | 2026-05-17 |
+| ✅ | **`Content-Security-Policy` middleware (Phase 2 — static directives)** — Opt-in plugin `gina.plugins.Csp({ directives, reportOnly })`. **Opens Phase 2** of the security-headers track. v0 ships static directives only; per-response nonce wiring requires template-render integration and defers to a future CSP-aware view-layer plugin. Strict whitelist of 27 CSP Level 3 standard directives — unknown directive names throw at factory call time (CSP typos are silent at the browser; fail-fast catches them). Value parsing accepts arrays of source-list tokens (joined with space), pre-formatted strings, `true` (boolean-only directives + `sandbox`), or `false` (omit). `reportOnly: true` emits `Content-Security-Policy-Report-Only` for non-enforcing migration testing. `directives` is required — no sensible cross-bundle default. Mirrors the HDR1-7 shape (idempotent first-writer-wins via `res.getHeader`). 92 unit tests; full suite 5768/5768. HDR6 Coep/Coop/Corp three-plugin split (per wrapper-consistency design) + HDR15 `SecurityHeaders` combined wrapper composing HDR1-7 + HDR5 + HDR6/13/14 to follow. | `0.4.0-alpha` | 2026-05-17 |
+| ✅ | **`Cross-Origin-Embedder-Policy` (COEP) middleware (Phase 2)** — Opt-in plugin `gina.plugins.Coep({ value })`. Settings: `coep.value` is one of three W3C HTML spec tokens (`"require-corp"`, `"credentialless"`, `"unsafe-none"`); default `"require-corp"` matches helmet. Required (paired with `Coop: same-origin` / #HDR13) to enable SharedArrayBuffer and high-resolution `performance.now()` in the page. Caller options always win over settings; values are normalised to lowercase. Mirrors the #HDR3 ReferrerPolicy single-enum shape with throw-on-invalid validation. The `require-corp` default BREAKS embeds without matching CORP/CORS headers — README walks users through the three escape hatches (set CORP via #HDR14, downgrade to `credentialless`, downgrade to `unsafe-none`). Idempotent — first-writer-wins. 56 unit tests. **First of the three Phase 2 cross-origin policies**; HDR13 Coop and HDR14 Corp to follow, then HDR15 SecurityHeaders combined wrapper closes Phase 2. | `0.4.0-alpha` | 2026-05-17 |
+| ✅ | **`Cross-Origin-Opener-Policy` (COOP) middleware (Phase 2)** — Opt-in plugin `gina.plugins.Coop({ value })`. Settings: `coop.value` is one of four W3C HTML spec tokens (`"same-origin"`, `"same-origin-allow-popups"`, `"noopener-allow-popups"`, `"unsafe-none"`); default `"same-origin"` matches helmet. Required (paired with `Coep: require-corp` / #HDR6) to enable cross-origin isolation. Same-origin isolates `window.opener` references on top-level navigation; same-origin-allow-popups is more compat-friendly for OAuth popup flows. The fourth token `noopener-allow-popups` (W3C spec addition, Chrome 119+/Firefox 131+) severs `window.opener` for popups even at same-origin while keeping the popup window open. Caller options always win over settings; values are normalised to lowercase. Mirrors the #HDR6 Coep single-enum shape. The `same-origin` default BREAKS OAuth popup flows where the popup needs to call back into the opener — README walks users through the three escape hatches. Idempotent — first-writer-wins. 61 unit tests. **Second of the three Phase 2 cross-origin policies**; HDR14 Corp follows, then HDR15 SecurityHeaders combined wrapper closes Phase 2. | `0.4.0-alpha` | 2026-05-17 |
+| ✅ | **`Cross-Origin-Resource-Policy` (CORP) middleware (Phase 2)** — Opt-in plugin `gina.plugins.Corp({ value })`. Settings: `corp.value` is one of three W3C HTML spec tokens (`"same-origin"`, `"same-site"`, `"cross-origin"`); default `"same-origin"` matches helmet's per-middleware default. Resource-side complement to #HDR6 Coep's `require-corp` enforcement — cross-origin embeds under `Coep: require-corp` require the embed-target bundle to set `Corp: cross-origin` (or wider) to load. Most restrictive practical default; defends against side-channel attacks that load a resource cross-origin to measure size/timing for fingerprinting. Caller options always win over settings; values are normalised to lowercase. Mirrors the #HDR6 Coep + #HDR13 Coop single-enum shape. The `same-origin` default BREAKS cross-origin embeds when the resource serves at a separate origin from the embedding page — README walks users through the three escape hatches (pick `same-site` for first-party multi-subdomain setups, pick `cross-origin` for publicly-embeddable CDN assets, per-bundle scoping where the page bundle keeps strict + the CDN bundle adopts `cross-origin`). Idempotent — first-writer-wins. 60 unit tests. **Third and final of the three Phase 2 cross-origin policies**; HDR15 SecurityHeaders combined wrapper follows as the closing slice. | `0.4.0-alpha` | 2026-05-17 |
+| ✅ | **`SecurityHeaders` combined wrapper (Phase 2 — closes #HDR + Phase 1.5 extension)** — Opt-in plugin `gina.plugins.SecurityHeaders({...})` composes the full HDR1-14 set in a single mount with one `settings.json` block (`securityHeaders.*`). **Batteries-included safe set**: calling `SecurityHeaders()` with no opts mounts the **12 non-footgun plugins** (xContentTypeOptions, xFrameOptions, referrerPolicy, hsts, originAgentCluster, hidePoweredBy, xDnsPrefetchControl, xXssProtection, xDownloadOptions, xPermittedCrossDomainPolicies, coop, corp) with per-plugin defaults. CSP (#HDR5) and COEP (#HDR6) are opt-in only (CSP throws on missing directives; COEP `require-corp` breaks embeds without CORP). Per-sub-config explicit opt-out via `<key>: false` or `null` (e.g. `SecurityHeaders({ hsts: false })` for HTTP-only bundles). Individual plugins remain mountable independently as power-user escape hatches — the idempotent first-writer-wins pattern means no double-emit when stacking. Mirrors helmet's `helmet()` orchestrator. **Originally shipped 2026-05-17 with 9 sub-plugins** (HDR1-7 + HDR5 + HDR6/13/14) closing Phase 2; **extended 2026-05-17 to 14 sub-plugins** when Phase 1.5 (HDR8-12) closed — wrapper safe-set grew from 7 to 12 plugins. 92 unit tests (was 83 + 9 for the HDR8-12 sub-config opt-out + override coverage). **Closes Phase 2 + Phase 1.5 extension.** | `0.4.0-alpha` | 2026-05-17 |
 
 ---
 

package/framework/v0.3.15-alpha.4/VERSION

@@ -0,0 +1 @@
+0.3.15-alpha.4

package/framework/{v0.3.15-alpha.2 → v0.3.15-alpha.4}/core/asset/plugin/dist/vendor/gina/js/gina.js

@@ -2982,7 +2982,8 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
         'isStringMaxLength': 'Should not be more than %s characters',
         'isJsonWebToken': 'Must be a valid JSON Web Token',
         'query': 'Must be a valid response',
-        'isApiError': 'Condition not satisfied'
+        'isApiError': 'Condition not satisfied',
+        'isInList': 'Must be one of: %s'
     };
     var self  = null;
     if (!data) {
@@ -4607,6 +4608,62 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
             return date
         }
 
+        /**
+         * Check if value is one of the allowed values (strict equality).
+         *
+         * The routing dispatcher spreads array-valued rule configs via
+         * `apply()`, so `isInList: ["a", "b"]` lands here as positional
+         * args; collected via `arguments`. Empty allowed-list rejects
+         * every value (no value can satisfy an empty membership
+         * constraint). Non-primitive args indicate the non-array dispatch
+         * path (`isInList: "draft"`) — throw a config error.
+         *
+         * @param {...(string|number|boolean)} allowedValues - values that pass
+         * @returns {object} field object (chainable)
+         *
+         * @example
+         *     // routing.json rule
+         *     "field[status]": {
+         *         "isString": true,
+         *         "isInList": ["draft", "pending", "sent", "paid"]
+         *     }
+         * */
+        self[el]['isInList'] = function() {
+            var errors = self[this['name']]['errors'] || {};
+
+            var allowedValues = [];
+            for (var i = 0, len = arguments.length; i < len; ++i) {
+                var t = typeof(arguments[i]);
+                if (t !== 'string' && t !== 'number' && t !== 'boolean') {
+                    throw new Error('`isInList` requires an array of allowed primitive values; got ' + t + ' at position ' + i + '. Use `isInList: ["a", "b", "c"]` form.');
+                }
+                allowedValues.push(arguments[i]);
+            }
+
+            var val     = local.data[this.name] = this.value;
+            var isValid = false;
+
+            if ( !errors['isRequired'] && (val === '' || val == null) ) {
+                isValid = true;
+            } else if ( allowedValues.indexOf(val) > -1 ) {
+                isValid = true;
+            }
+
+            if (!isValid) {
+                this['size'] = allowedValues.join(', ');
+                errors['isInList'] = replace(this.error || local.errorLabels['isInList'], this);
+            } else if ( typeof(errors['isInList']) != 'undefined' ) {
+                delete errors['isInList'];
+            }
+
+            this.valid = isValid;
+            if ( errors.count() > 0 ) {
+                this['errors'] = errors;
+            }
+
+            return self[this.name]
+        }
+
         /**
          * Formating date using DateFormatHelper
          * Check out documentation in the helper source: `lib/helpers/dateFormat.js`