WIP: rewrite using classes

Signed-off-by: GitHub <[email protected]>

Author: mcansh

packages/http-helmet/package.json

@@ -39,6 +39,10 @@
       "import": "./dist/react.js",
       "require": "./dist/react.cjs"
     },
+    "./v2": {
+      "import": "./dist/v2.js",
+      "require": "./dist/v2.cjs"
+    },
     "./package.json": "./package.json"
   },
   "files": [
@@ -47,7 +51,9 @@
     "package.json"
   ],
   "dependencies": {
+    "content-security-policy-parser": "^0.6.0",
     "change-case": "^5.4.4",
+    "ts-extras": "^0.14.0",
     "type-fest": "^4.41.0"
   },
   "peerDependencies": {
@@ -72,7 +78,6 @@
     "@types/react": "^19.1.8",
     "@types/react-dom": "^19.1.6",
     "@vitest/coverage-v8": "catalog:",
-    "content-security-policy-parser": "^0.6.0",
     "happy-dom": "^18.0.1",
     "react": "^19.1.0",
     "react-dom": "^19.1.0",

packages/http-helmet/src/index.spec.ts

@@ -2,7 +2,6 @@ import {
   createContentSecurityPolicy,
   createSecureHeaders,
   HASH,
-  mergeHeaders,
   NONCE,
   NONE,
   REPORT_SAMPLE,
@@ -164,66 +163,6 @@ it("throws an error if the value is reserved", () => {
   );
 });
 
-describe("mergeHeaders", () => {
-  it("merges headers", () => {
-    let secureHeaders = createSecureHeaders({
-      "Content-Security-Policy": { "default-src": ["'self'"] },
-    });
-
-    let responseHeaders = new Headers({
-      "Content-Type": "text/html",
-      "x-foo": "bar",
-    });
-
-    let merged = mergeHeaders(responseHeaders, secureHeaders);
-
-    expect(merged.get("Content-Type")).toBe("text/html");
-    expect(merged.get("x-foo")).toBe("bar");
-    expect(merged.get("Content-Security-Policy")).toBe("default-src 'self'");
-  });
-
-  it("throws if the argument is not an object", () => {
-    // @ts-expect-error
-    expect(() => mergeHeaders("foo")).toThrowErrorMatchingInlineSnapshot(
-      `[TypeError: All arguments must be of type object]`,
-    );
-  });
-
-  it("overrides existing headers", () => {
-    let secureHeaders = createSecureHeaders({
-      "Content-Security-Policy": { "default-src": ["'self'"] },
-    });
-
-    let responseHeaders = new Headers({
-      "Content-Security-Policy": "default-src 'none'",
-    });
-
-    let merged1 = mergeHeaders(responseHeaders, secureHeaders);
-    let merged2 = mergeHeaders(secureHeaders, responseHeaders);
-
-    expect(merged1.get("Content-Security-Policy")).toBe("default-src 'self'");
-    expect(merged2.get("Content-Security-Policy")).toBe("default-src 'none'");
-  });
-
-  it('keeps all "Set-Cookie" headers', () => {
-    let headers1 = new Headers({ "Set-Cookie": "foo=bar" });
-    let headers2 = new Headers({ "Set-Cookie": "baz=qux" });
-
-    let merged = mergeHeaders(headers1, headers2);
-
-    expect(merged.getSetCookie()).toStrictEqual(["foo=bar", "baz=qux"]);
-  });
-
-  it('merged different cased "Set-Cookie" headers"', () => {
-    let headers1 = new Headers({ "set-cookie": "foo=bar" });
-    let headers2 = new Headers({ "Set-Cookie": "baz=qux" });
-
-    let merged = mergeHeaders(headers1, headers2);
-
-    expect(merged.getSetCookie()).toStrictEqual(["foo=bar", "baz=qux"]);
-  });
-});
-
 it("allows mixing camel and kebab case for CSP keys", () => {
   let secureHeaders = createSecureHeaders({
     "Content-Security-Policy": {

packages/http-helmet/src/index.ts

@@ -13,6 +13,13 @@ export {
   mergeHeaders,
 } from "./utils";
 
+export type {
+  Algorithm,
+  HashSource,
+  NonceSource,
+  QuotedSource,
+} from "./utils.ts";
+
 export {
   createContentSecurityPolicy,
   createPermissionsPolicy,

packages/http-helmet/src/rules/content-security-policy.ts

@@ -3,9 +3,9 @@ import type { KebabCasedProperties, LiteralUnion } from "type-fest";
 import type { QuotedSource } from "../utils.js";
 import { isQuoted } from "../utils.js";
 
-type CspSetting = Array<LiteralUnion<QuotedSource, string> | undefined>;
+export type CspSetting = Array<LiteralUnion<QuotedSource, string> | undefined>;
 
-type ContentSecurityPolicyCamel = {
+export type ContentSecurityPolicyCamel = {
   childSrc?: CspSetting;
   connectSrc?: CspSetting;
   defaultSrc?: CspSetting;
@@ -36,18 +36,18 @@ type ContentSecurityPolicyCamel = {
   upgradeInsecureRequests?: boolean;
 };
 
-type ContentSecurityPolicyKebab =
+export type ContentSecurityPolicyKebab =
   KebabCasedProperties<ContentSecurityPolicyCamel>;
 
-type ContentSecurityPolicy =
+export type ContentSecurityPolicy =
   | ContentSecurityPolicyCamel
   | ContentSecurityPolicyKebab;
 
 export type PublicContentSecurityPolicy = Parameters<
   typeof createContentSecurityPolicy
 >[0];
 
-let reservedCSPKeywords = new Set([
+export let reservedCSPKeywords = new Set([
   "self",
   "none",
   "unsafe-inline",

packages/http-helmet/src/rules/permissions.ts

@@ -42,7 +42,7 @@ export type PermissionsPolicy = {
   [key in KnownPermissions]?: Array<string>;
 };
 
-const reservedPermissionKeywords = new Set(["self", "*"]);
+export const reservedPermissionKeywords = new Set(["self", "*"]);
 
 export function createPermissionsPolicy(features: PermissionsPolicy): string {
   return Object.entries(features)

packages/http-helmet/src/utils.spec.ts

@@ -0,0 +1,80 @@
+import { describe, expect, it } from "vitest";
+import { createSecureHeaders } from "./helmet";
+import { mergeHeaders } from "./utils";
+import { SecurityHeaders } from "./v2";
+
+describe("mergeHeaders", () => {
+  it("merges headers", () => {
+    let secureHeaders = createSecureHeaders({
+      "Content-Security-Policy": { "default-src": ["'self'"] },
+    });
+
+    let responseHeaders = new Headers({
+      "Content-Type": "text/html",
+      "x-foo": "bar",
+    });
+
+    let merged = mergeHeaders(responseHeaders, secureHeaders);
+
+    expect(merged.get("Content-Type")).toBe("text/html");
+    expect(merged.get("x-foo")).toBe("bar");
+    expect(merged.get("Content-Security-Policy")).toBe("default-src 'self'");
+  });
+
+  it("throws if the argument is not an object", () => {
+    // @ts-expect-error
+    expect(() => mergeHeaders("foo")).toThrowErrorMatchingInlineSnapshot(
+      `[TypeError: All arguments must be of type object]`,
+    );
+  });
+
+  it("overrides existing headers", () => {
+    let secureHeaders = createSecureHeaders({
+      "Content-Security-Policy": { "default-src": ["'self'"] },
+    });
+
+    let responseHeaders = new Headers({
+      "Content-Security-Policy": "default-src 'none'",
+    });
+
+    let merged1 = mergeHeaders(responseHeaders, secureHeaders);
+    let merged2 = mergeHeaders(secureHeaders, responseHeaders);
+
+    expect(merged1.get("Content-Security-Policy")).toBe("default-src 'self'");
+    expect(merged2.get("Content-Security-Policy")).toBe("default-src 'none'");
+  });
+
+  it('keeps all "Set-Cookie" headers', () => {
+    let headers1 = new Headers({ "Set-Cookie": "foo=bar" });
+    let headers2 = new Headers({ "Set-Cookie": "baz=qux" });
+
+    let merged = mergeHeaders(headers1, headers2);
+
+    expect(merged.getSetCookie()).toStrictEqual(["foo=bar", "baz=qux"]);
+  });
+
+  it("allows using just one argument", () => {
+    let headers = new Headers({ "Content-Type": "text/plain" });
+
+    let merged = mergeHeaders(headers);
+
+    expect(merged.get("Content-Type")).toBe("text/plain");
+  });
+
+  it("merges headers when using SecurityHeaders class", () => {
+    let secureHeaders = new SecurityHeaders({
+      "Content-Security-Policy": { "default-src": ["'self'"] },
+    });
+
+    let responseHeaders = new Headers({
+      "Content-Type": "text/html",
+      "x-foo": "bar",
+    });
+
+    let merged = mergeHeaders(responseHeaders, secureHeaders.toHeaders());
+
+    expect(merged.get("Content-Type")).toBe("text/html");
+    expect(merged.get("x-foo")).toBe("bar");
+    expect(merged.get("Content-Security-Policy")).toBe("default-src 'self'");
+  });
+});

packages/http-helmet/src/utils.ts

@@ -2,9 +2,11 @@ export function isQuoted(value: string): boolean {
   return /^".*"$/.test(value);
 }
 
-type Algorithm = "sha256" | "sha384" | "sha512";
+export type Algorithm = "sha256" | "sha384" | "sha512";
 
-type HashSource = `'${Algorithm}-${string}'`;
+export type HashSource = `'${Algorithm}-${string}'`;
+
+export type NonceSource = `'nonce-${string}'`;
 
 export type QuotedSource =
   | "'self'"
@@ -26,7 +28,8 @@ export let WASM_UNSAFE_EVAL = "'wasm-unsafe-eval'" as const;
 export let UNSAFE_HASHES = "'unsafe-hashes'" as const;
 export let STRICT_DYNAMIC = "'strict-dynamic'" as const;
 export let REPORT_SAMPLE = "'report-sample'" as const;
-export function NONCE(nonce: string): `'nonce-${string}'` {
+
+export function NONCE(nonce: string): NonceSource {
   return `'nonce-${nonce}'`;
 }
 export function HASH(algorithm: Algorithm, hash: string): HashSource {
@@ -37,7 +40,9 @@ function isObject(value: unknown) {
   return value !== null && typeof value === "object";
 }
 
-export function mergeHeaders(...sources: HeadersInit[]): Headers {
+export function mergeHeaders(
+  ...sources: [HeadersInit, ...HeadersInit[]]
+): Headers {
   let result = new Headers();
 
   for (let source of sources) {

packages/http-helmet/src/v2/content-security-policy.spec.ts

@@ -0,0 +1,101 @@
+import { SELF } from "#src/utils.ts";
+import { expect, it } from "vitest";
+import { ContentSecurityPolicy } from "./content-security-policy";
+
+it("creates a CSP policy with a single directive", () => {
+  let csp = new ContentSecurityPolicy();
+  csp.set("default-src", [SELF]);
+  expect(csp.toString()).toBe("default-src 'self'");
+});
+
+it("creates a CSP policy with no directives", () => {
+  let csp = new ContentSecurityPolicy();
+  expect(csp.toString()).toBe("");
+});
+
+it("creates a CSP policy with multiple directives", () => {
+  let csp = new ContentSecurityPolicy();
+  csp.set("default-src", [SELF]);
+  csp.set("script-src", ["https://example.com"]);
+  expect(csp.toString()).toBe(
+    "default-src 'self'; script-src https://example.com",
+  );
+});
+
+it("creates a CSP policy with multiple values in a directive", () => {
+  let csp = new ContentSecurityPolicy();
+  csp.set("script-src", [SELF, "https://example.com"]);
+  expect(csp.toString()).toBe("script-src 'self' https://example.com");
+});
+
+it("can parse a CSP string", () => {
+  let csp = new ContentSecurityPolicy();
+  csp.parse("default-src 'self'; script-src https://example.com");
+  expect(csp.get("default-src")).toEqual(["'self'"]);
+  expect(csp.get("script-src")).toEqual(["https://example.com"]);
+});
+
+it("handles `upgrade-insecure-requests` directive", () => {
+  let csp = new ContentSecurityPolicy();
+  csp.set("upgrade-insecure-requests", []);
+  expect(csp.toString()).toBe("upgrade-insecure-requests");
+});
+
+it("handles upgradeInsecureRequests method", () => {
+  let csp = new ContentSecurityPolicy();
+  csp.upgradeInsecureRequests();
+  expect(csp.toString()).toBe("upgrade-insecure-requests");
+});
+
+it("can call `append` multiple times for the same key", () => {
+  let csp = new ContentSecurityPolicy();
+  csp.append("default-src", [SELF]);
+  csp.append("default-src", ["https://example.com"]);
+  expect(csp.toString()).toBe("default-src 'self' https://example.com");
+});
+
+it("can create csp with predefined directives", () => {
+  let csp = new ContentSecurityPolicy({
+    "default-src": [SELF],
+    "script-src": ["https://example.com"],
+  });
+  expect(csp.toString()).toBe(
+    "default-src 'self'; script-src https://example.com",
+  );
+});
+
+it("can create csp with predefined policy string", () => {
+  let csp = new ContentSecurityPolicy(
+    "default-src 'self'; script-src https://example.com",
+  );
+  expect(csp.toString()).toBe(
+    "default-src 'self'; script-src https://example.com",
+  );
+});
+
+it("allows and filters out `undefined` values", () => {
+  let csp = new ContentSecurityPolicy({
+    "connect-src": [undefined, "'self'", undefined],
+  });
+
+  expect(csp.toString()).toMatchInlineSnapshot(`"connect-src 'self'"`);
+});
+
+it("allows there to be no define values for a csp key", () => {
+  let csp = new ContentSecurityPolicy({
+    "base-uri": [undefined],
+    "default-src": ["'none'"],
+  });
+  expect(csp.toString()).toBe("default-src 'none'");
+});
+
+it("throws an error if the value is reserved, but not properly quoted", () => {
+  expect(
+    () =>
+      new ContentSecurityPolicy({
+        "default-src": ["self", "https://example.com"],
+      }),
+  ).toThrowErrorMatchingInlineSnapshot(
+    `[ContentSecurityPolicyError: reserved keyword self must be quoted.]`,
+  );
+});