
Commit 47a6c69

authored
Merge pull request #86 from gpinto67/gpinto/Cross-Origin-Headers
feat(issue#85): add support for cross-origin headers
2 parents eebe047 + 05b4a96 commit 47a6c69


2 files changed

+25
-1
lines changed


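--- a/koa-helmet.d.ts
+++ b/koa-helmet.d.ts
@@ -8,7 +8,7 @@
 import helmet from 'helmet';
 import { Middleware, Context } from 'koa';
 
-type HelmetOptions = Required<Parameters<typeof helmet>>[0];
+type HelmetOptions = helmet.HelmetOptions;
 
 declare namespace koaHelmet {
 type KoaHelmetContentSecurityPolicyDirectiveFunction = (req?: Context["req"], res?: Context["res"]) => string;
@@ -50,6 +50,9 @@ declare namespace koaHelmet {
 interface KoaHelmet {
 (options?: HelmetOptions): Middleware;
 contentSecurityPolicy(options?: KoaHelmetContentSecurityPolicyConfiguration): Middleware;
+crossOriginEmbedderPolicy(options?: HelmetOptions['crossOriginEmbedderPolicy']): Middleware;
+crossOriginOpenerPolicy(options?: HelmetOptions['crossOriginOpenerPolicy']): Middleware;
+crossOriginResourcePolicy(options?: HelmetOptions['crossOriginResourcePolicy']): Middleware;
 dnsPrefetchControl(options?: HelmetOptions['dnsPrefetchControl']): Middleware;
 expectCt(options?: HelmetOptions['expectCt']): Middleware;
 frameguard(options?: HelmetOptions['frameguard']): Middleware;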
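Review bot: The three signatures added to `interface KoaHelmet` take `HelmetOptions['crossOrigin…Policy']`, and with the `Required<>` wrapper removed from the alias those indexed types now include `undefined` and, presumably, the `boolean` toggle that helmet's top-level options accept for each key. A call such as `helmet.crossOriginOpenerPolicy(false)` would then type-check and read as "header disabled", although nothing in this diff defines what the standalone middleware does with a boolean. Consider narrowing the parameter, e.g. `crossOriginOpenerPolicy(options?: Exclude<HelmetOptions['crossOriginOpenerPolicy'], boolean>): Middleware;`, and adding a one-line TSDoc on each method naming the response header it sets. The neighbouring `dnsPrefetchControl`, `expectCt` and `frameguard` lines follow the same pattern; the interface continues outside the hunk.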

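--- a/test/koa-helmet.spec.js
+++ b/test/koa-helmet.spec.js
@@ -19,6 +19,15 @@ test('it works with the default helmet call', t => {
 // contentSecurityPolicy
 .expect('Content-Security-Policy', 'default-src \'self\';base-uri \'self\';font-src \'self\' https: data:;form-action \'self\';frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests')
 
+// crossOriginEmbedderPolicy
+.expect('Cross-Origin-Embedder-Policy', 'require-corp')
+
+// crossOriginOpenerPolicy
+.expect('Cross-Origin-Opener-Policy', 'same-origin')
+
+// crossOriginResourcePolicy
+.expect('Cross-Origin-Resource-Policy', 'same-origin')
+
 // dnsPrefetchControl
 .expect('X-DNS-Prefetch-Control', 'off')
 
@@ -59,6 +68,9 @@ test('it sets individual headers properly', t => {
 })
 );
 app.use(helmet.contentSecurityPolicy());
+app.use(helmet.crossOriginEmbedderPolicy());
+app.use(helmet.crossOriginOpenerPolicy());
+app.use(helmet.crossOriginResourcePolicy());
 app.use(
 helmet.dnsPrefetchControl({
 allow: false,
@@ -82,6 +94,15 @@ test('it sets individual headers properly', t => {
 // contentSecurityPolicy
 .expect('Content-Security-Policy', 'default-src \'self\';base-uri \'self\';font-src \'self\' https: data:;form-action \'self\';frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests')
 
+// crossOriginEmbedderPolicy
+.expect('Cross-Origin-Embedder-Policy', 'require-corp')
+
+// crossOriginOpenerPolicy
+.expect('Cross-Origin-Opener-Policy', 'same-origin')
+
+// crossOriginResourcePolicy
+.expect('Cross-Origin-Resource-Policy', 'same-origin')
+
 // dnsPrefetchControl
 .expect('X-DNS-Prefetch-Control', 'off')
 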
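Review bot: In 'it sets individual headers properly' the three new middlewares are mounted with no arguments (`app.use(helmet.crossOriginResourcePolicy());`), so the assertions added at new lines 97–104 check the same helmet defaults as the first test and never show that options reach the underlying middleware. Passing a non-default value in one call and expecting it, for example `app.use(helmet.crossOriginResourcePolicy({ policy: 'same-site' }));` with `.expect('Cross-Origin-Resource-Policy', 'same-site')`, would cover the wrapper's argument forwarding. The default-call assertion of `Cross-Origin-Embedder-Policy: require-corp` also ties the suite to whatever the installed helmet version emits by default, and that policy blocks cross-origin subresources that do not opt in, so the new default deserves a line in the README or changelog. Both test bodies start and end outside the hunks.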
