diff --git a/@kindspells/astro-shield/package.json b/@kindspells/astro-shield/package.json
index fe6c5dd..2994c35 100644
--- a/@kindspells/astro-shield/package.json
+++ b/@kindspells/astro-shield/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@kindspells/astro-shield",
- "version": "1.3.5",
+ "version": "1.3.6",
 "description": "Astro integration to enhance your website's security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques.",
 "private": false,
 "type": "module",
diff --git a/@kindspells/astro-shield/src/headers.mjs b/@kindspells/astro-shield/src/headers.mjs
index edf1467..46c65c5 100644
--- a/@kindspells/astro-shield/src/headers.mjs
+++ b/@kindspells/astro-shield/src/headers.mjs
@@ -20,10 +20,9 @@ export const serialiseHashes = hashes =>
 * @param {Set} hashes
 * @returns {string}
 */
-export const safeSerialiseHashes = hashes =>
+export const serializeCspDirectiveSources = hashes =>
 Array.from(hashes)
 .sort()
- .map(h => (h.match(/^'[^']+'$/i) ? h : `'${h}'`))
 .join(' ')
 
 /**
@@ -46,12 +45,12 @@ export const setSrcDirective = (directives, srcType, hashes) => {
 const baseSrcDirective = directives[srcType]
 if (baseSrcDirective) {
 const srcDirective = new Set(
- baseSrcDirective.split(/\s+/).filter(v => v !== "'self'"),
+ baseSrcDirective.split(/\s+/),
 )
 for (const hash of hashes) {
 srcDirective.add(`'${hash}'`)
 }
- directives[srcType] = `'self' ${safeSerialiseHashes(srcDirective)}`
+ directives[srcType] = serializeCspDirectiveSources(srcDirective)
 } else {
 directives[srcType] = `'self' ${serialiseHashes(hashes)}`
 }
diff --git a/@kindspells/astro-shield/tests/headers.test.mts b/@kindspells/astro-shield/tests/headers.test.mts
index 3fed2cf..dbec0b4 100644
--- a/@kindspells/astro-shield/tests/headers.test.mts
+++ b/@kindspells/astro-shield/tests/headers.test.mts
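Review bot: The JSDoc above the renamed `serializeCspDirectiveSources` still says `@param {Set} hashes`, but with the `.map` that wrapped bare values in quotes removed, the function now emits every entry verbatim, so it expects complete CSP source expressions (the only caller in this diff builds `'${hash}'` itself) rather than raw hashes. I would rename the parameter to `sources` and rewrite the doc line as `@param {Set<string>} sources - complete CSP source expressions, already quoted where the CSP grammar requires it (e.g. 'self', 'sha256-…'); entries are emitted as-is`, and state in the same comment that the caller is responsible for quoting because nothing is validated here. The arrow body is complete inside the hunk; only the JSDoc opening is outside it.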
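Review bot: In `setSrcDirective`, the new `baseSrcDirective.split(/\s+/)` turns leading or trailing whitespace in an existing directive value into empty-string tokens; they survive the `Set`, sort first, and come out of `serializeCspDirectiveSources` as a stray leading separator in the header. A trim avoids that: `baseSrcDirective.trim().split(/\s+/),`. Since the `'self'` filter and the forced `'self' ` prefix are gone, an existing directive is now kept exactly as configured and `'self'` is only injected when the directive was absent (the `else` branch); that is a reasonable policy, but it is a behavior change that the function's JSDoc, which sits above the hunk, should spell out so users know existing sources are preserved verbatim. The function's signature and closing brace are outside the hunk.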
@@ -9,7 +9,6 @@ import { describe, expect, it } from 'vitest'
 import {
 parseCspDirectives,
 patchHeaders,
- safeSerialiseHashes,
 serialiseCspDirectives,
 serialiseHashes,
 setSrcDirective,
@@ -35,22 +34,6 @@ describe('serialiseHashes', () => {
 })
 })
 
-describe('safeSerialiseHashes', () => {
- it('returns an empty string for an empty set', () => {
- expect(safeSerialiseHashes(new Set())).toBe('')
- })
-
- it('returns a string with sorted hashes', () => {
- const hashes = new Set(['d', 'c', 'a', 'b'])
- expect(safeSerialiseHashes(hashes)).toBe("'a' 'b' 'c' 'd'")
- })
-
- it('avoids duplicated single quotes', () => {
- const hashes = new Set(["'a'", "'b'", "'c'", "'d'"])
- expect(safeSerialiseHashes(hashes)).toBe("'a' 'b' 'c' 'd'")
- })
-})
-
 describe('serialiseCspDirectives', () => {
 it('returns an empty string for an empty object', () => {
 expect(serialiseCspDirectives({})).toBe('')
@@ -92,7 +75,7 @@ describe('setSrcDirective', () => {
 )
 expect(directives['script-src']).toBe(
- "'self' 'abc1' 'abc2' 'dbc1' 'xyz2' 'xyz3'",
+ "'abc1' 'abc2' 'dbc1' 'self' 'xyz2' 'xyz3'",
 )
 })
 })
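Review bot: The deleted `safeSerialiseHashes` suite is not replaced by one for `serializeCspDirectiveSources`, and the import list no longer pulls the new export in, so the renamed function's contract is covered only indirectly through the updated expectation in the `-92,7` hunk. The empty-set and sorted-output cases from the removed block port directly to the new name, and one case should pin the new verbatim behavior, e.g. `expect(serializeCspDirectiveSources(new Set(["'b'", "'a'"]))).toBe("'a' 'b'")` (constructed sample). The updated `setSrcDirective` expectation also encodes that `'self'` is no longer moved to the front; a short comment on that `toBe` line, such as `// sources are emitted in lexicographic order, 'self' is not special-cased`, would keep the next reader from treating the order as a regression.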