fix: do not autoquote csp directives

Signed-off-by: Andres Correa Casablanca <[email protected]>
kindspells · Apr 29, 2024 · 2efc44e · 2efc44e
1 parent 2e3af4e
commit 2efc44e
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 23 deletions.
diff --git a/@kindspells/astro-shield/package.json b/@kindspells/astro-shield/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "@kindspells/astro-shield",
-	"version": "1.3.5",
+	"version": "1.3.6",
 	"description": "Astro integration to enhance your website's security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques.",
 	"private": false,
 	"type": "module",

diff --git a/@kindspells/astro-shield/src/headers.mjs b/@kindspells/astro-shield/src/headers.mjs
@@ -20,10 +20,9 @@ export const serialiseHashes = hashes =>
  * @param {Set<string>} hashes
  * @returns {string}
  */
-export const safeSerialiseHashes = hashes =>
+export const serializeCspDirectiveSources = hashes =>
 	Array.from(hashes)
 		.sort()
-		.map(h => (h.match(/^'[^']+'$/i) ? h : `'${h}'`))
 		.join(' ')
 
 /**
@@ -46,12 +45,12 @@ export const setSrcDirective = (directives, srcType, hashes) => {
 	const baseSrcDirective = directives[srcType]
 	if (baseSrcDirective) {
 		const srcDirective = new Set(
-			baseSrcDirective.split(/\s+/).filter(v => v !== "'self'"),
+			baseSrcDirective.split(/\s+/),
 		)
 		for (const hash of hashes) {
 			srcDirective.add(`'${hash}'`)
 		}
-		directives[srcType] = `'self' ${safeSerialiseHashes(srcDirective)}`
+		directives[srcType] = serializeCspDirectiveSources(srcDirective)
 	} else {
 		directives[srcType] = `'self' ${serialiseHashes(hashes)}`
 	}

diff --git a/@kindspells/astro-shield/tests/headers.test.mts b/@kindspells/astro-shield/tests/headers.test.mts
@@ -9,7 +9,6 @@ import { describe, expect, it } from 'vitest'
 import {
 	parseCspDirectives,
 	patchHeaders,
-	safeSerialiseHashes,
 	serialiseCspDirectives,
 	serialiseHashes,
 	setSrcDirective,
@@ -35,22 +34,6 @@ describe('serialiseHashes', () => {
 	})
 })
 
-describe('safeSerialiseHashes', () => {
-	it('returns an empty string for an empty set', () => {
-		expect(safeSerialiseHashes(new Set())).toBe('')
-	})
-
-	it('returns a string with sorted hashes', () => {
-		const hashes = new Set(['d', 'c', 'a', 'b'])
-		expect(safeSerialiseHashes(hashes)).toBe("'a' 'b' 'c' 'd'")
-	})
-
-	it('avoids duplicated single quotes', () => {
-		const hashes = new Set(["'a'", "'b'", "'c'", "'d'"])
-		expect(safeSerialiseHashes(hashes)).toBe("'a' 'b' 'c' 'd'")
-	})
-})
-
 describe('serialiseCspDirectives', () => {
 	it('returns an empty string for an empty object', () => {
 		expect(serialiseCspDirectives({})).toBe('')
@@ -92,7 +75,7 @@ describe('setSrcDirective', () => {
 		)
 
 		expect(directives['script-src']).toBe(
-			"'self' 'abc1' 'abc2' 'dbc1' 'xyz2' 'xyz3'",
+			"'abc1' 'abc2' 'dbc1' 'self' 'xyz2' 'xyz3'",
 		)
 	})
 })