Merge pull request #11 from pavkir/master

frux · web-flow · commit 873a5ec40eee · 2025-03-08T17:11:20.000+03:00
Support reporting-endpoints headers
diff --git a/packages/express-csp-header/README.md b/packages/express-csp-header/README.md
@@ -80,30 +80,25 @@ app.use(expressCspHeader({
 ```
 
 ## CSP violation report
-For more information read [csp-header documentation](https://github.com/frux/csp/tree/master/packages/csp-header#csp-violation-report). `express-csp-header` helps you manage both `Content-Security-Policy` and `Report-To` headers.
+For more information read [csp-header documentation](https://github.com/frux/csp/tree/master/packages/csp-header#csp-violation-report). `express-csp-header` helps you manage both `Content-Security-Policy` and `Reporting-Endpoints` headers. [Report-to headers  is no longer recommended to use](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Report-To)
 
 ```js
 const { expressCspHeader, INLINE, NONE, SELF } = require('express-csp-header');
 
 app.use(expressCspHeader({
     directives: {
         'default-src': [SELF],
-        'report-to': 'my-report-group'
+        'report-to': 'csp-default'
     },
     reportUri: 'https://cspreport.com/send',
-    reportTo: [
-        {
-            group: 'my-report-group',
-            max_age: 30 * 60,
-            endpoints: [{ url: 'https://cspreport.com/send'}],
-            include_subdomains: true
-        }
-    ]
+    reportingEndpoints: [
+        {'csp-default': 'https://cspreport.com/send'}
+    ]  
 }));
 
 /* express will send two headers
-1. Content-Security-Policy: default-src 'self'; report-to my-report-group; report-uri https://cspreport.com/send;
-2. Report-To: {"group":"my-report-group","max_age":1800,"endpoints":[{"url":"https://cspreport.com/send"}],"include_subdomains":true}
+1. Content-Security-Policy: default-src 'self'; report-to csp-default; report-uri https://cspreport.com/send;
+2. Reporting-Endpoints: csp-default="https://cspreport.com/send"
 */
 ```
 
diff --git a/packages/express-csp-header/src/index.ts b/packages/express-csp-header/src/index.ts
@@ -11,6 +11,11 @@ export * from './constants';
 type ReportUriFunction = (req: Request, res: Response) => string;
 type ReportToFunction = (req: Request, res: Response) => ReportTo[];
 
+export interface ReportingEndpoint {
+	name: string;
+	uri: string;
+}
+
 export interface ReportTo {
 	group: string;
 	max_age: number;
@@ -27,10 +32,11 @@ export interface ExpressCSPParams extends Omit<CSPHeaderParams, 'reportUri'> {
 	reportOnly?: boolean,
 	reportTo?: ReportTo[] | ReportToFunction,
 	reportUri?: string | ReportUriFunction,
+	reportingEndpoints?: ReportingEndpoint[] | ((req: Request, res: Response) => ReportingEndpoint[]),
 }
 
 export function expressCspHeader(params?: ExpressCSPParams): RequestHandler {
-	return function (req, res, next) {
+	return function (req: Request, res: Response, next) {
 		if (!params) {
 			next();
 			return;
@@ -51,6 +57,17 @@ export function expressCspHeader(params?: ExpressCSPParams): RequestHandler {
 			res.set(REPORT_TO_HEADER, reportTo.map(group => JSON.stringify(group)).join(','));
 		}
 
+		const reportingEndpoints = typeof params.reportingEndpoints === 'function' ?
+			params.reportingEndpoints(req, res) :
+			params.reportingEndpoints;
+
+		if (reportingEndpoints) {
+			const endpointsString = reportingEndpoints
+				.map((endpoint) => `${endpoint.name}="${encodeURI(endpoint.uri)}"`)
+				.join(', ');
+			res.set(REPORTING_ENDPOINTS_HEADER, endpointsString);
+		}
+
 		next();
 	};
 }
@@ -119,3 +136,4 @@ function parseDomain(hostname: string, domainOptions?: ParseOptions): string | n
 const CSP_HEADER = 'Content-Security-Policy';
 const CSP_REPORT_ONLY_HEADER = 'Content-Security-Policy-Report-Only';
 const REPORT_TO_HEADER = 'Report-To';
+const REPORTING_ENDPOINTS_HEADER = 'Reporting-Endpoints';
diff --git a/packages/express-csp-header/tests/index.test.ts b/packages/express-csp-header/tests/index.test.ts
@@ -223,3 +223,85 @@ describe('Report-To', () => {
 		);
 	});
 });
+
+describe('Reporting-Endpoints', () => {
+	test('should set Reporting-Endpoints header with static endpoints', () => {
+		const { res } = execMiddleware({
+			directives: {
+				'default-src': [SELF],
+				'report-to': 'csp-endpoint'
+			},
+			reportingEndpoints: [
+				{ name: 'endpoint-1', uri: 'https://reports.example/main' },
+				{ name: 'csp-endpoint', uri: 'https://reports.example/csp' }
+			]
+		});
+		expect(res.headers['Content-Security-Policy']).toEqual(
+			"default-src 'self'; report-to csp-endpoint;"
+		);
+		expect(res.headers['Reporting-Endpoints']).toEqual(
+			'endpoint-1="https://reports.example/main", csp-endpoint="https://reports.example/csp"'
+		);
+	});
+
+	test('should support specifying reporting endpoints as a function', () => {
+		const { res } = execMiddleware({
+			directives: {
+				'default-src': [SELF],
+			},
+			reportingEndpoints: (req) => [
+				{ name: 'main', uri: `https://reports.example/${req.hostname}/main` },
+				{ name: 'csp', uri: `https://reports.example/${req.hostname}/csp` }
+			]
+		}, { hostname: 'test.com' });
+
+		expect(res.headers['Content-Security-Policy']).toEqual(
+			"default-src 'self';"
+		);
+		expect(res.headers['Reporting-Endpoints']).toEqual(
+			'main="https://reports.example/test.com/main", csp="https://reports.example/test.com/csp"'
+		);
+	});
+	test('should support specifying reporting endpoints as a function with special characters', () => {
+		const { res } = execMiddleware({
+			directives: {
+				'default-src': [SELF],
+			},
+			reportingEndpoints: (req) => [
+				{ name: 'csp-reports', uri: `https://reports.example/${req.headers.login}/csp` }
+			]
+		}, { headers: {'login':'Abobus"\' Test' }});
+
+		expect(res.headers['Content-Security-Policy']).toEqual(
+			"default-src 'self';"
+		);
+		expect(res.headers['Reporting-Endpoints']).toEqual(
+			'csp-reports="https://reports.example/Abobus%22\'%20Test/csp"'
+		);
+	});
+
+	test('should work together with Report-To header', () => {
+		const { res } = execMiddleware({
+			directives: {
+				'default-src': [SELF],
+				'report-to': 'my-report-group'
+			},
+			reportTo: [{
+				group: 'my-report-group',
+				max_age: 1800,
+				endpoints: [{ url: 'https://reports.example/report-to' }],
+				include_subdomains: true
+			}],
+			reportingEndpoints: [
+				{ name: 'endpoint-1', uri: 'https://reports.example/endpoints' }
+			]
+		});
+
+		expect(res.headers['Report-To']).toEqual(
+			'{"group":"my-report-group","max_age":1800,"endpoints":[{"url":"https://reports.example/report-to"}],"include_subdomains":true}'
+		);
+		expect(res.headers['Reporting-Endpoints']).toEqual(
+			'endpoint-1="https://reports.example/endpoints"'
+		);
+	});
+});
