Merge pull request google#50 from google/maybe-fix

Fix missing comma and add more tests
GoSecure · Aug 12, 2022 · 33a3f63 · 33a3f63
2 parents 9a4b315 + b1f9599
commit 33a3f63
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 14 deletions.
diff --git a/csp.ts b/csp.ts
@@ -213,17 +213,17 @@ export enum Keyword {
   STRICT_DYNAMIC = '\'strict-dynamic\'',
   UNSAFE_HASHED_ATTRIBUTES = '\'unsafe-hashed-attributes\'',
   UNSAFE_HASHES = '\'unsafe-hashes\'',
-  REPORT_SAMPLE = '\'report-sample\''
-  BLOCK = '\'block\''
-  ALLOW = '\'allow\''
+  REPORT_SAMPLE = '\'report-sample\'',
+  BLOCK = '\'block\'',
+  ALLOW = '\'allow\'',
 }
 
 
 /**
  * CSP directive source keywords.
  */
 export enum TrustedTypesSink {
-  SCRIPT = '\'script\''
+  SCRIPT = '\'script\'',
 }
 
 
@@ -278,7 +278,7 @@ export enum Directive {
   REQUIRE_SRI_FOR = 'require-sri-for',
   TRUSTED_TYPES = 'trusted-types',
   // https://github.com/WICG/trusted-types
-  REQUIRE_TRUSTED_TYPES_FOR = 'require-trusted-types-for'
+  REQUIRE_TRUSTED_TYPES_FOR = 'require-trusted-types-for',
   WEBRTC = 'webrtc',
 }
 

diff --git a/csp_test.ts b/csp_test.ts
@@ -221,4 +221,20 @@ describe('Test Csp', () => {
     expect(isHash('\'asdfASDF=\'', true)).toBeFalse();
     expect(isHash('example.com', true)).toBeFalse();
   });
+
+  it('ParseNavigateTo', () => {
+    const testCsp = 'navigate-to \'self\'; script-src \'nonce-foo\'';
+    const parsed = (new CspParser(testCsp)).csp;
+
+    expect(parsed.policyHasStrictDynamic()).toBeFalse();
+    expect(parsed.policyHasScriptNonces()).toBeTrue();
+  });
+
+  it('ParseWebRtc', () => {
+    const testCsp = 'web-rtc \'allow\'; script-src \'nonce-foo\'';
+    const parsed = (new CspParser(testCsp)).csp;
+
+    expect(parsed.policyHasStrictDynamic()).toBeFalse();
+    expect(parsed.policyHasScriptNonces()).toBeTrue();
+  });
 });
diff --git a/utils.ts b/utils.ts
@@ -39,13 +39,12 @@ export function getSchemeFreeUrl(url: string): string {
  * URLs and wildcards (aka `*`) in hostnames
  */
 export function getHostname(url: string): string {
-  const hostname =
-      new URL(
-          'https://' +
-      getSchemeFreeUrl(url)
-        .replace(':*', '')  // Remove wildcard port
-        .replace('*', 'wildcard_placeholder'))
-          .hostname.replace('wildcard_placeholder', '*');
+  const hostname = new URL(
+                       'https://' +
+                       getSchemeFreeUrl(url)
+                           .replace(':*', '')  // Remove wildcard port
+                           .replace('*', 'wildcard_placeholder'))
+                       .hostname.replace('wildcard_placeholder', '*');
 
   // Some browsers strip the brackets from IPv6 addresses when you access the
   // hostname. If the scheme free url starts with something that vaguely looks
@@ -81,8 +80,8 @@ export function matchWildcardUrls(
   // have to worry about this detail.
   const cspUrl =
       new URL(setScheme(cspUrlString
-        .replace(':*', '')  // Remove wildcard port
-        .replace('*', 'wildcard_placeholder')));
+                            .replace(':*', '')  // Remove wildcard port
+                            .replace('*', 'wildcard_placeholder')));
   const listOfUrls = listOfUrlStrings.map(u => new URL(setScheme(u)));
   const host = cspUrl.hostname.toLowerCase();
   const hostHasWildcard = host.startsWith('wildcard_placeholder.');