Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: csp nonce generation #115

Merged
merged 8 commits into from
Mar 5, 2021
Merged

feat: csp nonce generation #115

merged 8 commits into from
Mar 5, 2021

Conversation

climba03003
Copy link
Member

@climba03003 climba03003 commented Mar 5, 2021
edited
Loading

Resolve: #89

This PR aims to simplify the usage for csp nonce generation with fastify and helmet.

Changes:

  • introduce new option enableCSPNonces
  • decorate FastifyReply with cspNonce

Checklist

@coveralls
Copy link

Pull Request Test Coverage Report for Build 623488680

  • 0 of 17 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 100.0%
Totals Coverage Status
Change from base Build 620283465: 0.0%
Covered Lines: 25
Relevant Lines: 25
💛 - Coveralls

@coveralls
Copy link

Pull Request Test Coverage Report for Build 623488680

  • 17 of 17 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 100.0%
Totals Coverage Status
Change from base Build 620283465: 0.0%
Covered Lines: 25
Relevant Lines: 25
💛 - Coveralls

@coveralls
Copy link

coveralls commented Mar 5, 2021
edited
Loading

Pull Request Test Coverage Report for Build 624002530

  • 17 of 17 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 100.0%
Totals Coverage Status
Change from base Build 620283465: 0.0%
Covered Lines: 25
Relevant Lines: 25
💛 - Coveralls

@climba03003
Copy link
Member Author

climba03003 commented Mar 5, 2021
edited
Loading

Opps, missed this comment #90 (comment)
I think this is more like the fastify style of csp nonce generation.

@climba03003 climba03003 requested review from mcollina and airhorns March 5, 2021 06:09
mcollina
mcollina requested changes Mar 5, 2021
View reviewed changes
README.md Show resolved Hide resolved
index.js
cspDirectives[styleKey] = Array.isArray(cspDirectives.styleSrc) ? cspDirectives.styleSrc : []
cspDirectives[styleKey].push('nonce-' + reply.cspNonce.style)

const cspMiddleware = helmet.contentSecurityPolicy({ directives: cspDirectives, reportOnly: cspReportOnly })
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please move the generation of this middleware outside of the hook.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is a must for this middleware to exist inside the hook. As we are not passing the function inside helmet.
The options for helmet.contentSecurityPolicy is unique for every calls.

@climba03003 climba03003 requested a review from mcollina March 5, 2021 09:32
mcollina
mcollina approved these changes Mar 5, 2021
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mcollina
Copy link
Member

mcollina commented Mar 5, 2021

Go ahead and merge & release this!

@climba03003 climba03003 merged commit b375ad3 into fastify:master Mar 5, 2021
@climba03003 climba03003 deleted the feat-nonce-generation branch March 5, 2021 09:44
@dependabot dependabot bot mentioned this pull request Mar 8, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mcollina mcollina mcollina approved these changes

@airhorns airhorns Awaiting requested review from airhorns

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Missing example of how to use upgraded fastify-helmet with a style/script nonce
3 participants
@climba03003 @coveralls @mcollina