refactor setting the csp headers

StigNygaard · Oct 22, 2024 · 1fc2d68 · 1fc2d68
1 parent 6acbe2a
commit 1fc2d68
Showing 1 changed file with 24 additions and 31 deletions.
diff --git a/main.ts b/main.ts
@@ -7,73 +7,66 @@ import {log} from './services/log.ts';
  * @run --allow-net --allow-env --allow-read=./demo,./widgets,./.env main.ts
  */
 
-// TODO Make header-setup smarter...
-// const myHeaders = new Headers();
-// myHeaders.set('Content-Security-Policy',
-//     `default-src 'none' ; script-src 'self' ; connect-src https: ; img-src https: blob: data: ; style-src 'self' ; frame-ancestors 'none' ; form-action 'self'`);
-// myHeaders.set('Referrer-Policy',
-//     'strict-origin-when-cross-origin');
-// myHeaders.set('X-Content-Type-Options',
-//     'nosniff');
+const myHeaders = {
+    'Content-Security-Policy': `default-src 'none' ; script-src 'self' ; connect-src https: ; img-src https: blob: data: ; style-src 'self' ; frame-ancestors 'none' ; form-action 'self' ; base-uri 'none'`,
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'X-Content-Type-Options': 'nosniff'
+}
+
+function responseWithHeaders(response: Response): Response {
+    for (const [key, value] of Object.entries(myHeaders)) {
+        response.headers.set(key, value);
+    }
+    return response;
+}
 
 Deno.serve(async (req: Request, info: Deno.ServeHandlerInfo) => {
 
     const url = new URL(req.url);
     const pathname = url.pathname;
 
-    // TODO...
-    // if (url.origin.startsWith('http://localhost:')) {
-    //     myHeaders.set('Content-Security-Policy',
-    //         `default-src 'none' ; script-src 'self' ; connect-src https: ${url.origin} ; img-src https: blob: data: ${url.origin} ; style-src 'self' ; frame-ancestors 'none' ; form-action 'self'`);
-    // }
-
     // The "Router"...
     let response: Response;
     if (/^\/proxy-api\/?$/.test(pathname)) {
         // The "proxy API" - https://lastfm-widgets.deno.dev/proxy-api
         const result = await proxyApi(url.searchParams, req.headers, info);
-        response =  new Response(result.body, result.options); // TODO with headers added to result.options ?
+        response =  new Response(result.body, {headers: myHeaders, ...result.options});
     } else if (/^\/log\/?$/.test(pathname)) {
         // Simple "post object" log-endpoint - https://lastfm-widgets.deno.dev/log
         log(url.searchParams, req, info);
-        response = new Response(null, {status: 200, statusText: 'OK'}); // TODO {status: 200, statusText: 'OK', headers: myHeaders}
+        response = new Response(null, {status: 200, statusText: 'OK', headers: myHeaders});
     } else if (pathname.startsWith('/widgets/')) {
         // The statically served widgets code - https://lastfm-widgets.deno.dev/widgets/*
-        response = await serveDir(req, {
+        response = responseWithHeaders(await serveDir(req, {
             urlRoot: 'widgets',
             fsRoot: 'widgets',
             showDirListing: false,
             showDotfiles: false,
             showIndex: false, // index.html
             enableCors: false, // CORS not allowed/enabled (no CORS headers)
             quiet: true, // logging of errors
-            headers: [] // TODO ['key: valuestring', 'key: valuestring'] ???
-        });
+            headers: []
+            // TODO Why doesn't this work?:  headers: Object.entries(myHeaders).map(([k, v]) => `${k}: ${v}`)
+        }));
     } else {
         // The statically served demo-page - https://lastfm-widgets.deno.dev/*
-        response = await serveDir(req, {
+        response = responseWithHeaders(await serveDir(req, {
             urlRoot: '',
             fsRoot: 'demo',
             showDirListing: false,
             showDotfiles: false,
             showIndex: true, // index.html
             enableCors: false, // CORS not allowed/enabled (no CORS headers)
             quiet: true, // logging of errors
-            headers: [] // TODO ['key: valuestring', 'key: valuestring'] ???
-        });
+            headers: []
+            // TODO Why doesn't this work?:  headers: Object.entries(myHeaders).map(([k, v]) => `${k}: ${v}`)
+        }));
     }
 
-    if (url.origin.startsWith('http://localhost:')) {
-        response.headers.set('Content-Security-Policy',
-            `default-src 'none' ; script-src 'self' ; connect-src https: ${url.origin} ; img-src https: blob: data: ${url.origin} ; style-src 'self' ; frame-ancestors 'none' ; form-action 'self'`);
-    } else {
+    if (url.origin.startsWith('http://localhost:')) { // if http://localhost development, modify slightly
         response.headers.set('Content-Security-Policy',
-            `default-src 'none' ; script-src 'self' ; connect-src https: ; img-src https: blob: data: ; style-src 'self' ; frame-ancestors 'none' ; form-action 'self'`);
+            `default-src 'none' ; script-src 'self' ; connect-src https: ${url.origin} ; img-src https: blob: data: ${url.origin} ; style-src 'self' ; frame-ancestors 'none' ; form-action 'self' ; base-uri 'none'`);
     }
-    response.headers.set('Referrer-Policy',
-        'strict-origin-when-cross-origin');
-    response.headers.set('X-Content-Type-Options',
-        'nosniff');
 
     return response;