Refactor and enhance CSP configuration

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.0.4] - 2025-12-09
+
+### Added
+- Add more CSP directives
+- Add CSP value constants (eg `'self'`)
+
 ## [v1.0.3] - 2025-12-09
 
 ### Added

csp.js

@@ -1,22 +1,40 @@
-import { Importmap } from '@shgysk8zer0/importmap';
+import { Importmap, imports, scopes } from '@shgysk8zer0/importmap';
 
-export const importmap = new Importmap();
+export const importmap = new Importmap({ imports, scopes });
 await importmap.importLocalPackage();
 export const integrity = await importmap.getIntegrity();
 
-const DEFAULT_SRC = ['\'self\''];
-const SCRIPT_SRC = ['\'self\'', 'https://unpkg.com/@shgysk8zer0/', 'https://unpkg.com/@kernvalley/', 'https://unpkg.com/@aegisjsproject/', `'${integrity}'`];
-const STYLE_SRC = ['\'self\'', 'https://unpkg.com/@agisjsproject/', 'blob:'];
-const IMAGE_SRC = ['\'self\'', 'https://i.imgur.com/', 'https://secure.gravatar.com/avatar/', 'blob:', 'data:'];
-const MEDIA_SRC = ['\'self\'', 'blob:'];
-const CONNECT_SRC = ['\'self\''];
-const FONT_SRC = ['\'self\''];
-const FRAME_SRC = ['\'self\'', 'https://www.youtube-nocookie.com'];
-const MANIFEST_SRC = ['\'self\''];
-const PREFETCH_SRC = ['\'self\''];
-const WORKER_SRC = ['\'selfs\''];
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
+export const SELF = '\'self\'';
+export const NONE = '\'none\'';
+export const UNSAFE_EVAL = '\'unsafe-eval\'';
+export const UNSAFE_INLINE = '\'unsafe-inline\'';
+export const TRUSTED_TYPES_EVAL = '\'trusted-types-eval\'';
+export const UNSAFE_HASHES = '\'unsafe-hashes\'';
+export const WASM_UNSAFE_EVAL = '\'wasm-unsafe-eval\'';
+export const INLINE_SPECULATION_RULES = '\'inline-speculation-rules\'';
+export const STRICT_DYNAMIC = '\'strict-dynamic\'';
+export const REPORT_SAMPLE = '\'report-sample\'';
+export const SCRIPT = '\'script\'';
+
+let TRUSTED_TYPES_ENABLED = true;
+
+const BASE_URIS = [SELF];
+const FORM_ACTIONS = [SELF];
+const FRAME_ANCESTORS = [];
+const DEFAULT_SRC = [];
+const SCRIPT_SRC = [SELF, `'${integrity}'`];
+const STYLE_SRC = [SELF];
+const IMAGE_SRC = [SELF];
+const MEDIA_SRC = [SELF];
+const CONNECT_SRC = [SELF];
+const FONT_SRC = [SELF];
+const FRAME_SRC = [SELF];
+const MANIFEST_SRC = [SELF];
+const PREFETCH_SRC = [SELF];
+const WORKER_SRC = [SELF];
 const OBJECT_SRC = [];
-const TRUSTED_TYPES = ['aegis-sanitizer#html'];
+const TRUSTED_TYPES = [];
 
 export const lockCSP = () => {
 	Object.freeze(DEFAULT_SRC);
@@ -32,6 +50,9 @@ export const lockCSP = () => {
 	Object.freeze(WORKER_SRC);
 	Object.freeze(OBJECT_SRC);
 	Object.freeze(TRUSTED_TYPES);
+	Object.freeze(BASE_URIS);
+	Object.freeze(FORM_ACTIONS);
+	Object.freeze(FRAME_ANCESTORS);
 };
 
 export const addDefaultSrc = (...srcs) => DEFAULT_SRC.push(...srcs);
@@ -47,10 +68,16 @@ export const addObjectSrc = (...srcs) => OBJECT_SRC.push(...srcs);
 export const addPrefetchSrc = (...srcs) => PREFETCH_SRC.push(...srcs);
 export const addWorkerSrc = (...srcs) => WORKER_SRC.push(...srcs);
 export const addTrustedTypePolicy = (...policies) => TRUSTED_TYPES.push(...policies);
+export const addBaseURI = (...bases) => BASE_URIS.push(...bases);
+export const addFormAction = (...actions) => FORM_ACTIONS.push(...actions);
+export const disabledTrustedTypes = () => TRUSTED_TYPES_ENABLED = false;
+export const enableTrustedTypes = () => TRUSTED_TYPES_ENABLED = true;
 
-export function useCSP(policy = { 'default-src': ['\'self\''] }) {
+export function useCSP(policy = { 'default-src': [SELF] }) {
 	const policyStr = Object.entries(policy).map(([name, values]) => {
-		return `${name} ${Array.isArray(values) ? values.length === 0 ? '\'none\'' : values.join(' ') : values}`;
+		return `${name} ${Array.isArray(values)
+			? values.length === 0 ? NONE : values.join(' ')
+			: values ?? NONE}`;
 	}).join('; ');
 
 	/**
@@ -79,11 +106,14 @@ export const useDefaultCSP = ({ ...rest } = {}) => useCSP({
 	'frame-src': FRAME_SRC,
 	'connect-src': CONNECT_SRC,
 	'manifest-src': MANIFEST_SRC,
-	'obejct-src': OBJECT_SRC,
+	'object-src': OBJECT_SRC,
 	'prefetch-src': PREFETCH_SRC,
 	'worker-src': WORKER_SRC,
 	'trusted-types': TRUSTED_TYPES,
-	'require-trusted-types-for': '\'script\'',
+	'base-uri': BASE_URIS,
+	'form-action': FORM_ACTIONS,
+	'frame-ancestors': FRAME_ANCESTORS,
+	'require-trusted-types-for': TRUSTED_TYPES_ENABLED ? SCRIPT : NONE,
 	...rest
 });
 

http.config.js

@@ -1,6 +1,10 @@
 import { useRateLimit } from './rate-limit.js';
 import { checkCacheItem, setCacheItem } from './cache.js';
 import { imports } from '@shgysk8zer0/importmap';
+import { addTrustedTypePolicy, addScriptSrc, useDefaultCSP } from './csp.js';
+
+addScriptSrc(imports['@shgysk8zer0/polyfills']);
+addTrustedTypePolicy('aegis-sanitizer#html');
 
 const visits = new Map();
 
@@ -24,7 +28,7 @@ export default {
 	responsePostprocessors: [
 		'@aegisjsproject/http-utils/compression.js',
 		'@aegisjsproject/http-utils/cors.js',
-		'@aegisjsproject/http-utils/csp.js',
+		useDefaultCSP(),
 		(response, { request }) => {
 			if (request.destination === 'document') {
 				response.headers.append('Link', `<${imports['@shgysk8zer0/polyfills']}>; rel="preload"; as="script"; fetchpriority="high"; crossorigin="anonymous"; referrerpolicy="no-referrer"`);

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aegisjsproject/http-utils",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "HTTP Utilities for @shgysk8zer0/http-server ",
   "keywords": [],
   "type": "module",