From 568c6207825a9564fea6736a6e97a3ab892bd9ee Mon Sep 17 00:00:00 2001
From: Jonatan Nilsson
Date: Thu, 16 Jun 2022 09:58:11 +0000
Subject: [PATCH] Flaska: Add support for appendHeaders to compliment default headers instead of completely replacing them
---
 flaska.mjs | 7 +++++++
 test/flaska.api.test.mjs | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
diff --git a/flaska.mjs b/flaska.mjs
index 49707ea..0044556 100644
--- a/flaska.mjs
+++ b/flaska.mjs
@@ -644,6 +644,13 @@ export class Flaska {
 nonceCacheLength: opts.nonceCacheLength || 25
 }
+ if (opts.appendHeaders) {
+ let appendKeys = Object.keys(opts.appendHeaders)
+ for (let key of appendKeys) {
+ options.defaultHeaders[key] = opts.appendHeaders[key]
+ }
+ }
+
 if (!options.defaultHeaders && options.nonce.length) {
 // throw error
 }
diff --git a/test/flaska.api.test.mjs b/test/flaska.api.test.mjs
index af49f9a..e379069 100644
--- a/test/flaska.api.test.mjs
+++ b/test/flaska.api.test.mjs
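Review bot: The new `appendHeaders` loop in flaska.mjs assigns into `options.defaultHeaders` before the existing `!options.defaultHeaders` check just below it, so if that value can be unset the constructor throws a TypeError here. If it is the caller's own `opts.defaultHeaders` object (the assignment is outside the hunk, so this is inferred), the caller's object is also mutated in place. Building a fresh object avoids both: `options.defaultHeaders = { ...options.defaultHeaders, ...opts.appendHeaders }`. The merge is also by exact key, so an entry such as `content-security-policy` would sit next to the default `Content-Security-Policy` instead of replacing it; a comment like `// appendHeaders keys must match the default header casing to override them` would make that explicit. The constructor body starts and ends outside the hunk.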
@@ -90,6 +90,38 @@ t.describe('#constructor', function() {
 assert.strictEqual(flaska._after.length, 0)
 })
+
+ t.test('should have before ready setting headers on context if appendHeaders is specified', function() {
+ const appendHeaders = {
+ 'Server': 'nginx/1.16.1',
+ 'Herp': 'Derp',
+ }
+ let flaska = new Flaska({
+ appendHeaders: appendHeaders,
+ }, faker)
+ assert.strictEqual(flaska._before.length, 1)
+
+ let ctx = {}
+
+ flaska._before[0](ctx)
+
+ assert.deepEqual(
+ Object.keys(ctx.headers).sort(),
+ ['Server', 'Herp', 'X-Content-Type-Options','Content-Security-Policy','Cross-Origin-Opener-Policy','Cross-Origin-Resource-Policy','Cross-Origin-Embedder-Policy','Date'].sort()
+ )
+
+ assert.notStrictEqual(ctx.headers['Server'], 'Flaska')
+ assert.strictEqual(ctx.headers['Server'], appendHeaders.Server)
+ assert.strictEqual(ctx.headers['Herp'], 'Derp')
+ assert.strictEqual(ctx.headers['X-Content-Type-Options'], 'nosniff')
+ assert.strictEqual(ctx.headers['Content-Security-Policy'], `default-src 'self'; style-src 'self' 'unsafe-inline'; img-src * data: blob:; font-src 'self' data:; object-src 'none'; frame-ancestors 'none'`)
+ assert.strictEqual(ctx.headers['Cross-Origin-Opener-Policy'], 'same-origin')
+ assert.strictEqual(ctx.headers['Cross-Origin-Resource-Policy'], 'same-origin')
+ assert.strictEqual(ctx.headers['Cross-Origin-Embedder-Policy'], 'require-corp')
+ assert.ok(new Date(ctx.headers['Date']).getDate())
+
+ assert.strictEqual(flaska._after.length, 0)
+ })
 })
 t.describe('#_nonce', function() {
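Review bot: This test exercises `appendHeaders` only on top of the built-in defaults; passing it together with a caller-supplied `defaultHeaders` is not covered, and neither is an append key that differs from a default only in case. A second case that passes both options, then asserts the merged `ctx.headers` and that the `defaultHeaders` object handed in is unchanged afterwards, would pin the precedence and catch in-place mutation. The enclosing `t.describe('#constructor', …)` block starts outside the hunk.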