fix(observatory): display some csp policy pass flags negated

mdn · Jun 25, 2024 · 32006f7 · 32006f7
1 parent c225b8e
commit 32006f7
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/client/src/observatory/results/csp.tsx b/client/src/observatory/results/csp.tsx
@@ -21,6 +21,21 @@ export default function ObservatoryCSP({
   result: ObservatoryResult;
 }) {
   const policy = result.tests["content-security-policy"]?.policy;
+
+  // Awkward, but so it has been on python-observatory:
+  // Negate some of the `pass` flags because sometimes
+  // a `pass` on the policy is bad, and sometimes not.
+  const negatedPolicies = [
+    "insecureBaseUri",
+    "insecureFormAction",
+    "insecureSchemeActive",
+    "insecureSchemePassive",
+    "unsafeEval",
+    "unsafeInline",
+    "unsafeInlineStyle",
+    "unsafeObjects",
+  ];
+
   return (
     <table className="csp">
       {policy ? (
@@ -43,7 +58,13 @@ export default function ObservatoryCSP({
                     }}
                   />
                   <td data-header="Pass">
-                    <PassIcon pass={!policy[pt].pass} />
+                    <PassIcon
+                      pass={
+                        negatedPolicies.includes(pt)
+                          ? !policy[pt].pass
+                          : policy[pt].pass
+                      }
+                    />
                   </td>
                   <td
                     data-header="Info"