frux / csp Goto Github PK

Hi!

Can you specify license for code in repo and npm packages?

It seems that report-uri is deprecated, and it is good to send both report-uri and report-to directives to be on the safe side.

Can you please add it? Or will you merge the PR if I'll add it?

For example we needed 'wasm-unsafe-eval' and it was sad we couldn't just include it from the lib.

If we create a preset from policies, a directive might get both the 'none' and other source values.

console.log(
  getCSP({
    presets: {
      default: {
        'connect-src': [NONE],
      },
      api: {
        'connect-src': ['https://api.example.net'],
      },
    },
  })
);

This example yields the following CSP:

connect-src 'none' https://api.example.net;

If we include this in a web page, Google Chrome will give the following error:

The Content-Security-Policy directive ‘connect-src’ contains the keyword ‘none’ alongside with other source expressions. The keyword ‘none’ must be the only source expression in the directive value, otherwise it is ignored.

While this works as expected, we can connect to the API successfully, it could be nice if this plugin filters out the 'none' value if other values are present.

The "expected" output (at least according to Google Chrome) for this CSP would be:

connect-src https://api.example.net;