f

.eslintignore

@@ -1,2 +1,3 @@
 test/fixtures
 coverage
+__snapshots__

__snapshots__/context.test.ts.js

@@ -0,0 +1,74 @@
+exports['test/context.test.ts context.isSafeDomain should return false when domains are not safe 1'] = {
+  "domainWhiteList": [
+    ".domain.com",
+    "http://www.baidu.com",
+    "192.*.0.*",
+    "*.alibaba.com"
+  ],
+  "protocolWhiteList": [],
+  "defaultMiddleware": "xframe",
+  "csrf": {
+    "enable": true,
+    "type": "ctoken",
+    "ignoreJSON": false,
+    "cookieName": "csrfToken",
+    "sessionName": "csrfToken",
+    "headerName": "x-csrf-token",
+    "bodyName": "_csrf",
+    "queryName": "_csrf",
+    "rotateWhenInvalid": false,
+    "useSession": false,
+    "supportedRequests": [
+      {
+        "path": {},
+        "methods": [
+          "POST",
+          "PATCH",
+          "DELETE",
+          "PUT",
+          "CONNECT"
+        ]
+      }
+    ],
+    "refererWhiteList": [],
+    "cookieOptions": {
+      "signed": false,
+      "httpOnly": false,
+      "overwrite": true
+    }
+  },
+  "xframe": {
+    "enable": true,
+    "value": "SAMEORIGIN"
+  },
+  "hsts": {
+    "enable": false,
+    "maxAge": 31536000,
+    "includeSubdomains": false
+  },
+  "methodnoallow": {
+    "enable": true
+  },
+  "noopen": {
+    "enable": true
+  },
+  "nosniff": {
+    "enable": true
+  },
+  "xssProtection": {
+    "enable": true,
+    "value": "1; mode=block"
+  },
+  "csp": {
+    "enable": false,
+    "policy": {}
+  },
+  "referrerPolicy": {
+    "enable": false,
+    "value": "no-referrer-when-downgrade"
+  },
+  "dta": {
+    "enable": true
+  },
+  "ssrf": {}
+}

__snapshots__/csp.test.ts.js

@@ -55,7 +55,10 @@ exports['test/csp.test.ts should ignore path 1'] = {
     "value": "1; mode=block"
   },
   "csp": {
-    "ignore": "/api/",
+    "ignore": [
+      "/api/",
+      {}
+    ],
     "enable": true,
     "policy": {
       "script-src": [

package.json

@@ -78,6 +78,7 @@
     "lint": "eslint --cache src test --ext .ts",
     "pretest": "npm run clean && npm run lint -- --fix",
     "test": "egg-bin test",
+    "test:snapshot:update": "SNAPSHOT_UPDATE=1 egg-bin test",
     "preci": "npm run clean &&  npm run lint",
     "ci": "egg-bin cov",
     "postci": "npm run prepublishOnly && npm run clean",

test/context.test.ts

@@ -1,5 +1,6 @@
 import { strict as assert } from 'node:assert';
 import { mm, MockApplication } from '@eggjs/mock';
+import snapshot from 'snap-shot-it';
 
 describe('test/context.test.ts', () => {
   afterEach(mm.restore);
@@ -16,6 +17,7 @@ describe('test/context.test.ts', () => {
     after(() => app.close());
 
     it('should return false when domains are not safe', async () => {
+      snapshot(app.config.security);
       const res = await app.httpRequest()
         .get('/unsafe')
         .set('accept', 'text/html')

test/csp.test.ts

@@ -109,6 +109,12 @@ describe('test/csp.test.ts', () => {
     assert.equal(res.headers['x-csp-nonce'], undefined);
   });
 
+  it('should ignore path by regex rule', async () => {
+    const res = await app2.httpRequest()
+      .get('/ignore/update')
+      .expect(200);
+    assert.equal(res.headers['x-csp-nonce'], undefined);
+  });
 
   it('should not ignore path when do not match', async () => {
     const res = await app2.httpRequest()

test/fixtures/apps/csp-ignore/app/router.js

@@ -5,4 +5,7 @@ module.exports = function(app) {
   app.get('/api/update', async function() {
     this.body = 456;
   });
+  app.get('/ignore/update', async function() {
+    this.body = 456;
+  });
 };

test/fixtures/apps/csp-ignore/config/config.js

@@ -1,12 +1,10 @@
-'use strict';
-
 exports.keys = 'test key';
 
 exports.security = {
   defaultMiddleware: 'csp',
   csp:{
     enable: true,
-    ignore: '/api/',
+    ignore: [ '/api/', /^\/ignore\// ],
     policy:{
         'script-src': [
           '\'self\'',