refactor: smiplify csp

2025-03-09 03:03:18 +00:00 · 2018-07-01 13:39:30 +01:00 · 2018-07-01 13:39:30 +01:00 · d98c98360a
commit d98c98360a
parent 749da85b90
5 changed files with 19 additions and 26 deletions
--- a/lib/common/nuxt.config.js
+++ b/lib/common/nuxt.config.js
@ -184,12 +184,7 @@ export default {
    etag: {
      weak: false
    },
-    csp: {
-      enabled: false,
-      hashAlgorithm: 'sha256',
-      allowedSources: undefined,
-      policies: undefined
-    }
+    csp: false
  },
  watchers: {
    webpack: {},
--- a/lib/common/options.js
+++ b/lib/common/options.js
@ -126,11 +126,14 @@ Options.from = function (_options) {
  }

  // Apply default hash to CSP option
-  if (options.render.csp === true) {
-    options.render.csp = {
-      enabled: true,
-      hashAlgorithm: 'sha256'
-    }
+  const csp = options.render.csp
+  const cspDefaults = {
+    hashAlgorithm: 'sha256',
+    allowedSources: undefined,
+    policies: undefined
+  }
+  if (csp) {
+    options.render.csp = _.defaults(_.isObject(csp) ? csp : {}, cspDefaults)
  }

  // cssSourceMap
--- a/lib/core/middleware/nuxt.js
+++ b/lib/core/middleware/nuxt.js
@ -68,9 +68,8 @@ export default async function nuxtMiddleware(req, res, next) {
      res.setHeader('Link', pushAssets.join(','))
    }

-    if (this.options.render.csp && this.options.render.csp.enabled) {
-      const allowedSources = this.options.render.csp.allowedSources
-      const policies = this.options.render.csp.policies
+    if (this.options.render.csp) {
+      const { allowedSources, policies } = this.options.render.csp
      let cspStr = `script-src 'self'${this.options.dev ? " 'unsafe-eval'" : ''} ${(cspScriptSrcHashes).join(' ')}`
      if (Array.isArray(allowedSources)) {
        // For compatible section
--- a/lib/core/renderer.js
+++ b/lib/core/renderer.js
@ -370,11 +370,12 @@ export default class Renderer {
    })};`

    const cspScriptSrcHashes = []
-    if (this.options.render.csp && this.options.render.csp.enabled) {
-      let hash = crypto.createHash(this.options.render.csp.hashAlgorithm)
+    if (this.options.render.csp) {
+      const { hashAlgorithm } = this.options.render.csp
+      let hash = crypto.createHash(hashAlgorithm)
      hash.update(serializedSession)
      cspScriptSrcHashes.push(
-        `'${this.options.render.csp.hashAlgorithm}-${hash.digest('base64')}'`
+        `'${hashAlgorithm}-${hash.digest('base64')}'`
      )
    }

--- a/test/unit/basic.ssr.csp.test.js
+++ b/test/unit/basic.ssr.csp.test.js
@ -13,9 +13,9 @@ const startCSPTestServer = async (csp) => {

 describe('basic ssr csp', () => {
  test(
-    'Not contain Content-Security-Policy header, when csp.enabled is not set',
+    'Not contain Content-Security-Policy header, when csp is false',
    async () => {
-      const nuxt = await startCSPTestServer({})
+      const nuxt = await startCSPTestServer(false)
      const { headers } = await rp(url('/stateless'), {
        resolveWithFullResponse: true
      })
@ -27,13 +27,9 @@ describe('basic ssr csp', () => {
  )

  test(
-    'Contain Content-Security-Policy header, when csp.enabled is only set',
+    'Contain Content-Security-Policy header, when csp is set',
    async () => {
-      const cspOption = {
-        enabled: true
-      }
-
-      const nuxt = await startCSPTestServer(cspOption)
+      const nuxt = await startCSPTestServer(true)
      const { headers } = await rp(url('/stateless'), {
        resolveWithFullResponse: true
      })
@ -48,7 +44,6 @@ describe('basic ssr csp', () => {
    'Contain Content-Security-Policy header, when csp.allowedSources set',
    async () => {
      const cspOption = {
-        enabled: true,
        allowedSources: ['https://example.com', 'https://example.io']
      }