feat: enable middleware csp headers

Signed-off-by: Andres Correa Casablanca <[email protected]>
kindspells · Mar 26, 2024 · 7a1bc63 · 7a1bc63
1 parent b99b5bf
commit 7a1bc63
Show file tree

Hide file tree

Showing 18 changed files with 4,818 additions and 32 deletions.
diff --git a/e2e/e2e.test.mts b/e2e/e2e.test.mts
@@ -319,6 +319,11 @@ describe('middleware', () => {
 	it('patches inline resources for dynamically generated pages', async () => {
 		await checkHtmlIsPatched('/')
 	})
+
+	it('does not send csp headers when the feature is disabled', async () => {
+		const response = await fetch(`${baseUrl}/`)
+		expect(response.headers.has('content-security-policy')).toBe(false)
+	})
 })
 
 describe('middleware (hybrid)', () => {
@@ -384,6 +389,11 @@ describe('middleware (hybrid)', () => {
 			'/code.js': 'sha256-X7QGGDHgf6XMoabXvV9pW7gl3ALyZhZlgKq1s3pwmME=',
 		})
 	})
+
+	it('does not send csp headers when the feature is disabled', async () => {
+		const response = await fetch(`${baseUrl}/`)
+		expect(response.headers.has('content-security-policy')).toBe(false)
+	})
 })
 
 describe('middleware (hybrid 2)', () => {
@@ -453,4 +463,71 @@ describe('middleware (hybrid 2)', () => {
 			'/code.js': 'sha256-X7QGGDHgf6XMoabXvV9pW7gl3ALyZhZlgKq1s3pwmME=',
 		})
 	})
+
+	it('does not send csp headers when the feature is disabled', async () => {
+		const response = await fetch(`${baseUrl}/`)
+		expect(response.headers.has('content-security-policy')).toBe(false)
+	})
+})
+
+describe('middleware (hybrid 3)', () => {
+	const hybridDir = resolve(fixturesDir, 'hybrid3')
+	const execOpts = { cwd: hybridDir }
+
+	let baseUrl: string
+	let server: PreviewServer | undefined
+	let port: number
+
+	beforeAll(async () => {
+		await execFile('pnpm', ['install'], execOpts)
+		await execFile('pnpm', ['run', 'clean'], execOpts)
+		const { stdout: buildStdout } = await execFile(
+			'pnpm',
+			['run', 'build'],
+			execOpts,
+		)
+		expect(buildStdout).toMatch(/run the build step again/)
+		const { stdout: buildStdout2 } = await execFile(
+			'pnpm',
+			['run', 'build'],
+			execOpts,
+		)
+		expect(buildStdout2).not.toMatch(/run the build step again/)
+	})
+
+	beforeEach(async () => {
+		port = 9999 + Math.floor(Math.random() * 55536)
+		baseUrl = `http://localhost:${port}`
+
+		await cleanServer()
+		server = await preview({
+			root: hybridDir,
+			server: { port },
+			logLevel: 'debug',
+		})
+	})
+
+	const cleanServer = async () => {
+		if (server) {
+			if (!server.closed()) {
+				await server.stop()
+			}
+			server = undefined
+		}
+	}
+
+	afterEach(cleanServer)
+	afterAll(cleanServer) // Just in case
+
+	it('sends csp headers when the feature is enabled', async () => {
+		const response = await fetch(`${baseUrl}/`)
+		const cspHeader = response.headers.get('content-security-policy')
+
+		assert(cspHeader !== null)
+		assert(cspHeader)
+
+		expect(cspHeader).toBe(
+			"default-src 'none'; frame-ancestors 'none'; script-src 'self' 'sha256-X7QGGDHgf6XMoabXvV9pW7gl3ALyZhZlgKq1s3pwmME='; style-src 'self' 'sha256-9U7mv8FibD/D9IbGpXc86pz37l6/w4PCLpFIZuPrzh8=' 'sha256-ZlgyI5Bx/aeAyk/wSIypqeIM5PBhz9IiAek9HIiAjaI='",
+		)
+	})
 })
diff --git a/e2e/fixtures/hybrid3/astro.config.mjs b/e2e/fixtures/hybrid3/astro.config.mjs
@@ -0,0 +1,43 @@
+/*
+ * SPDX-FileCopyrightText: 2024 KindSpells Labs S.L.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+import { resolve } from 'node:path'
+import { shield } from '@kindspells/astro-shield'
+import node from '@astrojs/node'
+import { defineConfig } from 'astro/config'
+
+/**
+ * @typedef {{ -readonly [key in keyof T]: T[key] }} Mutable<T>
+ * @template {any} T
+ */
+
+const rootDir = new URL('.', import.meta.url).pathname
+const sriHashesModule = resolve(rootDir, 'src', 'generated', 'sri.mjs')
+
+// https://astro.build/config
+export default defineConfig({
+	output: 'hybrid',
+	trailingSlash: 'always',
+	adapter: node({ mode: 'standalone' }),
+	integrations: [
+		shield({
+			enableStatic_SRI: true,
+			enableMiddleware_SRI: true,
+			sriHashesModule,
+			securityHeaders: {
+				contentSecurityPolicy: {
+					cspDirectives: {
+						'default-src': "'none'",
+						'frame-ancestors': "'none'",
+					},
+				},
+			},
+		}),
+	],
+	vite: {
+		build: { assetsInlineLimit: 1024 },
+	},
+})
diff --git a/e2e/fixtures/hybrid3/package.json b/e2e/fixtures/hybrid3/package.json
@@ -0,0 +1,17 @@
+{
+	"name": "hybrid3",
+	"version": "1.0.0",
+	"type": "module",
+	"scripts": {
+		"build": "astro build",
+		"clean": "rm -rf ./dist; rm -rf ./src/generated/*"
+	},
+	"license": "MIT",
+	"dependencies": {
+		"@astrojs/node": "^8.2.5",
+		"astro": "^4.5.9"
+	},
+	"devDependencies": {
+		"@kindspells/astro-shield": "link:../../.."
+	}
+}