SAP / ui5-server / 813 / 1

94%

main: 93%

push

travis-ci

[FEATURE] Add Server Option to Send SAP's Target CSPs by default (#179)

When option sendSAPTargetCSP:true is given, the server now sends two policies
for *.html files, both in report-only mode:
- sap-target-level-1, which forbids inline scripts and only allows
  sources from self
- sap-target-level-2, which additionally forbids 'eval'

Each policy is sent with its own 'Content-Security-Policy-Report-Only'
header. This might look uncommon, but simplifies automated validation of
the violation reports that are sent by the browser. Browsers don't
consistently report blocked-uri or source-file, but the original-policy
is reported consistently.

middleware/csp.js:
- allow to define and send a 2nd default policy
- skip execution for file types other than *.html and for HTTP methods
  other than POST and GET
- use native capabilities of the express request object instead of
  parsing URLs with NodeJS means
- when using the URL parameter, the shorter suffix ":ro" can now be
  used to activate the report-only mode

server.js
- add boolean server option 'sendSAPTargetCSP' (default false)
- enrich csp middleware configuration accordingly when option is set

test/
- enhance for the new features

167 of 182 branches covered (91.76%)

Branch coverage included in aggregate %.

323 of 344 relevant lines covered (93.9%)

7.52 hits per line