npm - qa360 - Versions diffs - 2.2.20 → 2.3.1 - Mend

qa360 2.2.20 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (507) hide show

package/dist/core/crawler/coop-coep-handler.js ADDED Viewed

@@ -0,0 +1,338 @@
+/**
+ * COOP/COEP Handler
+ *
+ * P1 - Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy management
+ *
+ * Supports:
+ * - COOP header parsing and validation
+ * - COEP header parsing and validation
+ * - Cross-origin isolation detection
+ * - SharedArrayBuffer availability check
+ * - High-resolution timers availability check
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin-Opener-Policy
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin-Embedder-Policy
+ */
+/**
+ * COOP/COEP Handler class
+ */
+export class COOPCOEPHandler {
+    page;
+    constructor(page) {
+        this.page = page;
+    }
+    /**
+     * Get COOP header from response
+     */
+    async getCOOPHeader() {
+        const coopHeader = await this.page.evaluate(async () => {
+            // Check via fetch
+            try {
+                const response = await fetch(window.location.href, {
+                    method: 'HEAD',
+                });
+                return response.headers.get('Cross-Origin-Opener-Policy');
+            }
+            catch {
+                return null;
+            }
+        });
+        if (coopHeader && this.isValidCOOP(coopHeader)) {
+            return coopHeader;
+        }
+        return null;
+    }
+    /**
+     * Get COEP header from response
+     */
+    async getCOEPHeader() {
+        const coepHeader = await this.page.evaluate(async () => {
+            // Check via fetch
+            try {
+                const response = await fetch(window.location.href, {
+                    method: 'HEAD',
+                });
+                return response.headers.get('Cross-Origin-Embedder-Policy');
+            }
+            catch {
+                return null;
+            }
+        });
+        if (coepHeader && this.isValidCOEP(coepHeader)) {
+            return coepHeader;
+        }
+        return null;
+    }
+    /**
+     * Check if value is valid COOP
+     */
+    isValidCOOP(value) {
+        return ['unsafe-none', 'same-origin', 'same-origin-allow-popups'].includes(value);
+    }
+    /**
+     * Check if value is valid COEP
+     */
+    isValidCOEP(value) {
+        return ['unsafe-none', 'require-corp', 'credentialless'].includes(value);
+    }
+    /**
+     * Check cross-origin isolation status
+     */
+    async getCrossOriginIsolationStatus() {
+        const [coopValue, coepValue, isIsolated] = await this.page.evaluate(async () => {
+            // Get headers via fetch
+            let coop = null;
+            let coep = null;
+            try {
+                const response = await fetch(window.location.href, { method: 'HEAD' });
+                coop = response.headers.get('Cross-Origin-Opener-Policy');
+                coep = response.headers.get('Cross-Origin-Embedder-Policy');
+            }
+            catch {
+                // Ignore
+            }
+            // Check cross-origin isolation
+            const isolated = crossOriginIsolated;
+            return { coop, coep, isolated };
+        });
+        // Check SharedArrayBuffer availability
+        const sharedArrayBufferAvailable = await this.page.evaluate(() => {
+            try {
+                return typeof SharedArrayBuffer !== 'undefined';
+            }
+            catch {
+                return false;
+            }
+        });
+        // Check high-resolution timers
+        const highResTimersAvailable = await this.page.evaluate(() => {
+            // Check if performance.now() has microsecond precision
+            const start = performance.now();
+            const end = performance.now();
+            return (end - start) < 0.01; // Should be very small
+        });
+        // Check memory measurement availability
+        const memoryMeasurementAvailable = await this.page.evaluate(() => {
+            try {
+                return typeof performance.measureUserAgentSpecificMemory === 'function';
+            }
+            catch {
+                return false;
+            }
+        });
+        // Calculate security score and recommendations
+        let score = 0;
+        const recommendations = [];
+        if (isIsolated) {
+            score += 50;
+        }
+        if (coopValue === 'same-origin' || coopValue === 'same-origin-allow-popups') {
+            score += 25;
+        }
+        else if (coopValue === 'unsafe-none') {
+            recommendations.push('Consider using Cross-Origin-Opener-Policy: same-origin for better isolation');
+        }
+        if (coepValue === 'require-corp' || coepValue === 'credentialless') {
+            score += 25;
+        }
+        else if (coepValue === 'unsafe-none') {
+            recommendations.push('Consider using Cross-Origin-Embedder-Policy: require-corp for cross-origin isolation');
+        }
+        if (!isIsolated && (coopValue === 'same-origin' || coepValue === 'require-corp' || coepValue === 'credentialless')) {
+            recommendations.push('Both COOP and COEP must be set to achieve cross-origin isolation');
+        }
+        if (!sharedArrayBufferAvailable && isIsolated) {
+            recommendations.push('SharedArrayBuffer should be available in cross-origin isolation');
+        }
+        if (!recommendations.length && score === 100) {
+            recommendations.push('COOP/COEP properly configured for cross-origin isolation');
+        }
+        return {
+            isIsolated,
+            hasCOOP: coopValue !== null,
+            coopValue,
+            hasCOEP: coepValue !== null,
+            coepValue,
+            sharedArrayBufferAvailable,
+            highResTimersAvailable,
+            memoryMeasurementAvailable,
+            securityScore: score,
+            recommendations,
+        };
+    }
+    /**
+     * Check if SharedArrayBuffer is usable
+     */
+    async canUseSharedArrayBuffer() {
+        return await this.page.evaluate(() => {
+            try {
+                // Check if cross-origin isolated
+                if (!crossOriginIsolated) {
+                    return false;
+                }
+                // Check if SharedArrayBuffer is available
+                const sab = new SharedArrayBuffer(1024);
+                return sab.byteLength === 1024;
+            }
+            catch {
+                return false;
+            }
+        });
+    }
+    /**
+     * Check if high-resolution timers are available
+     */
+    async hasHighResolutionTimers() {
+        return await this.page.evaluate(() => {
+            // In cross-origin isolation, performance.now() should have better precision
+            const start = performance.now();
+            const end = performance.now();
+            return (end - start) < 0.01;
+        });
+    }
+    /**
+     * Check if memory measurement is available
+     */
+    async canMeasureMemory() {
+        return await this.page.evaluate(() => {
+            try {
+                return typeof performance.measureUserAgentSpecificMemory === 'function';
+            }
+            catch {
+                return false;
+            }
+        });
+    }
+    /**
+     * Measure memory usage (if available)
+     */
+    async measureMemory() {
+        if (!(await this.canMeasureMemory())) {
+            return null;
+        }
+        try {
+            return await this.page.evaluate(async () => {
+                const perf = performance;
+                if (typeof perf.measureUserAgentSpecificMemory === 'function') {
+                    return await perf.measureUserAgentSpecificMemory();
+                }
+                return null;
+            });
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Test COOP behavior with window.open()
+     */
+    async testCOOPBehavior() {
+        return await this.page.evaluate(async () => {
+            // Open a new window
+            const opened = window.open('about:blank');
+            if (!opened) {
+                return { canAccessOpener: false, openerAccessible: false };
+            }
+            // Check if we can access the opened window
+            const canAccess = (() => {
+                try {
+                    return !!opened.closed;
+                }
+                catch {
+                    return false;
+                }
+            })();
+            // Check if opener can access us (would need to check from opened window)
+            const openerAccessible = (() => {
+                try {
+                    return window.opener !== null;
+                }
+                catch {
+                    return false;
+                }
+            })();
+            // Close the opened window
+            if (canAccess) {
+                opened.close();
+            }
+            return { canAccessOpener: canAccess, openerAccessible };
+        });
+    }
+    /**
+     * Get COOP/COEP recommendations based on use case
+     */
+    getRecommendations(useCase) {
+        switch (useCase) {
+            case 'sharedarraybuffer':
+                return {
+                    coop: 'same-origin',
+                    coep: 'require-corp',
+                    reason: 'Required for SharedArrayBuffer and high-resolution timers',
+                };
+            case 'high-performance':
+                return {
+                    coop: 'same-origin',
+                    coep: 'credentialless',
+                    reason: 'Enables cross-origin isolation with less restrictive COEP for better performance',
+                };
+            case 'security':
+                return {
+                    coop: 'same-origin',
+                    coep: 'require-corp',
+                    reason: 'Maximum security isolation, prevents cross-origin access',
+                };
+            default:
+                return {
+                    coop: 'unsafe-none',
+                    coep: 'unsafe-none',
+                    reason: 'Default browser behavior, no special isolation',
+                };
+        }
+    }
+    /**
+     * Validate COOP/COEP configuration
+     */
+    async validateConfiguration() {
+        const status = await this.getCrossOriginIsolationStatus();
+        const errors = [];
+        const warnings = [];
+        // Check for mismatched COOP/COEP
+        if (status.hasCOOP && !status.hasCOEP) {
+            warnings.push('COOP header present without COEP - partial isolation');
+        }
+        if (status.hasCOEP && !status.hasCOOP) {
+            warnings.push('COEP header present without COOP - partial isolation');
+        }
+        // Check if isolation was intended but not achieved
+        if (status.coopValue === 'same-origin' && !status.isIsolated) {
+            errors.push('COOP set to same-origin but cross-origin isolation not achieved');
+        }
+        if (status.coepValue === 'require-corp' && !status.isIsolated) {
+            errors.push('COEP set to require-corp but cross-origin isolation not achieved');
+        }
+        // Check SharedArrayBuffer availability
+        if (status.coopValue === 'same-origin' &&
+            (status.coepValue === 'require-corp' || status.coepValue === 'credentialless') &&
+            !status.sharedArrayBufferAvailable) {
+            errors.push('SharedArrayBuffer not available despite COOP/COEP configuration');
+        }
+        return {
+            valid: errors.length === 0,
+            errors,
+            warnings,
+        };
+    }
+    /**
+     * Get COOP/COEP documentation link
+     */
+    getDocumentation() {
+        return 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy';
+    }
+}
+/**
+ * Factory function to create COOP/COEP Handler
+ */
+export function createCOOPCOEPHandler(page) {
+    return new COOPCOEPHandler(page);
+}
+export default COOPCOEPHandler;

package/dist/core/crawler/csp-handler.d.ts ADDED Viewed

@@ -0,0 +1,151 @@
+/**
+ * CSP Handler
+ *
+ * P1 - Content Security Policy management
+ *
+ * Supports:
+ * - CSP header parsing and validation
+ * - CSP directive analysis
+ * - CSP violation detection
+ * - CSP report-only mode
+ * - CSP nonce and hash validation
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ */
+export interface CSPDirective {
+    /** Directive name (e.g., 'script-src', 'img-src') */
+    name: string;
+    /** Directive values (sources) */
+    values: string[];
+    /** Whether 'unsafe-inline' is allowed */
+    allowsUnsafeInline: boolean;
+    /** Whether 'unsafe-eval' is allowed */
+    allowsUnsafeEval: boolean;
+    /** Whether 'self' is in sources */
+    allowsSelf: boolean;
+    /** Whether '*' is in sources (wildcard) */
+    allowsWildcard: boolean;
+    /** Nonce value if present */
+    nonce?: string;
+    /** Hash values if present */
+    hashes: string[];
+}
+export interface CPSPolicy {
+    /** Full CSP header value */
+    raw: string;
+    /** Parsed directives */
+    directives: Map<string, CSPDirective>;
+    /** Whether report-only mode */
+    reportOnly: boolean;
+    /** Report-to endpoint */
+    reportEndpoint?: string;
+    /** Report URI endpoint */
+    reportUri?: string;
+}
+export interface CSPValidationResult {
+    /** CSP policy is present */
+    hasCSP: boolean;
+    /** Policy object */
+    policy?: CPSPolicy;
+    /** Security score (0-100) */
+    securityScore: number;
+    /** Security issues found */
+    issues: string[];
+    /** Warnings (not critical but suboptimal) */
+    warnings: string[];
+    /** Recommendations */
+    recommendations: string[];
+}
+export interface CSPViolation {
+    /** Violated directive */
+    directive: string;
+    /** Blocked resource */
+    blockedURI?: string;
+    /** Original policy */
+    policy?: string;
+    /** Source of violation */
+    sourceFile?: string;
+    /** Line number */
+    lineNumber?: number;
+    /** Column number */
+    columnNumber?: number;
+    /** Violation timestamp */
+    timestamp: number;
+}
+/**
+ * CSP Handler class
+ */
+export declare class CSPHandler {
+    private page;
+    private violations;
+    constructor(page: any);
+    /**
+     * Get CSP header from response
+     */
+    getCSPHeader(): Promise<string | null>;
+    /**
+     * Parse CSP header value
+     */
+    parseCSP(cspValue: string, reportOnly?: boolean): CPSPolicy;
+    /**
+     * Get CSP policy from page
+     */
+    getCSPPolicy(): Promise<CPSPolicy | null>;
+    /**
+     * Validate CSP policy
+     */
+    validateCSP(): Promise<CSPValidationResult>;
+    /**
+     * Get directive by name
+     */
+    getDirective(directiveName: string): Promise<CSPDirective | null>;
+    /**
+     * Check if a resource would be allowed by CSP
+     */
+    checkResourceAllowed(resourceType: string, url: string): Promise<boolean>;
+    /**
+     * Setup CSP violation monitoring
+     */
+    setupViolationMonitoring(): Promise<void>;
+    /**
+     * Get collected violations
+     */
+    getViolations(): CSPViolation[];
+    /**
+     * Clear violations
+     */
+    clearViolations(): void;
+    /**
+     * Generate a nonce value for inline scripts
+     */
+    generateNonce(): string;
+    /**
+     * Inject nonce into inline scripts
+     */
+    injectNonces(): Promise<Map<string, string>>;
+    /**
+     * Get all CSP-related meta tags
+     */
+    getMetaTags(): Promise<Array<{
+        httpEquiv: string;
+        content: string;
+    }>>;
+    /**
+     * Check for common CSP bypass patterns
+     */
+    checkBypassPatterns(): Promise<string[]>;
+    /**
+     * Compare two CSP policies
+     */
+    comparePolicies(policy1: CPSPolicy, policy2: CPSPolicy): {
+        stricter: string[];
+        looser: string[];
+        onlyIn1: string[];
+        onlyIn2: string[];
+    };
+}
+/**
+ * Factory function to create CSP Handler
+ */
+export declare function createCSPHandler(page: any): CSPHandler;
+export default CSPHandler;