refactor(secure-headers): optimize getPermissionsPolicyDirectives fun…

…ction
honojs · Sep 9, 2024 · 8add1b7 · 8add1b7
1 parent c2b0de4
commit 8add1b7
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 23 deletions.
diff --git a/src/middleware/secure-headers/index.test.ts b/src/middleware/secure-headers/index.test.ts
@@ -160,27 +160,36 @@ describe('Secure Headers Middleware', () => {
     expect(res.headers.get('X-XSS-Protection')).toEqual('1')
   })
 
-  it('should set Permission-Policy header', async () => {
-    const app = new Hono()
-    app.use(
-      '/test',
-      secureHeaders({
-        permissionsPolicy: {
-          fullscreen: ['self'],
-          bluetooth: ['none'],
-          payment: ['self', 'example.com'],
-          syncXhr: [],
-          camera: false,
-          microphone: true,
-          geolocation: ['*'],
-        },
-      })
-    )
+  describe('secureHeaders middleware', () => {
+    it('should set Permission-Policy header', async () => {
+      const app = new Hono()
+      app.use(
+        '/test',
+        secureHeaders({
+          permissionsPolicy: {
+            fullscreen: ['self'],
+            bluetooth: ['none'],
+            payment: ['self', 'https://example.com'],
+            syncXhr: [],
+            camera: false,
+            microphone: true,
+            geolocation: ['*'],
+            usb: ['self', 'https://a.example.com', 'https://b.example.com'],
+            accelerometer: ['https://*.example.com'],
+            gyroscope: ['src'],
+            magnetometer: ['https://a.example.com', 'https://b.example.com'],
+          },
+        })
+      )
 
-    const res = await app.request('/test')
-    expect(res.headers.get('Permissions-Policy')).toEqual(
-      'fullscreen=(self), bluetooth=(none), payment=(self example.com), sync-xhr=(), camera=none, microphone=(), geolocation=(*)'
-    )
+      const res = await app.request('/test')
+      expect(res.headers.get('Permissions-Policy')).toEqual(
+        'fullscreen=(self), bluetooth=(none), payment=(self "https://example.com"), sync-xhr=(), camera=none, microphone=*, ' +
+          'geolocation=(*), usb=(self "https://a.example.com" "https://b.example.com"), ' +
+          'accelerometer=("https://*.example.com"), gyroscope=(src), ' +
+          'magnetometer=("https://a.example.com" "https://b.example.com")'
+      )
+    })
   })
   it('CSP Setting', async () => {
     const app = new Hono()

diff --git a/src/middleware/secure-headers/secure-headers.ts b/src/middleware/secure-headers/secure-headers.ts
@@ -278,12 +278,18 @@ function getPermissionsPolicyDirectives(policy: PermissionsPolicyOptions): strin
       const kebabDirective = camelToKebab(directive)
 
       if (typeof value === 'boolean') {
-        return `${kebabDirective}=${value ? '()' : 'none'}`
+        return `${kebabDirective}=${value ? '*' : 'none'}`
       }
 
       if (Array.isArray(value)) {
-        const allowlist = value.length === 0 ? '()' : `(${value.join(' ')})`
-        return `${kebabDirective}=${allowlist}`
+        const allowlist = value.map((item) => {
+          if (item === 'self' || item === 'src' || item === 'none' || item === '*') {
+            return item
+          }
+          return `"${item}"`
+        })
+        const allowlistString = allowlist.length === 0 ? '()' : `(${allowlist.join(' ')})`
+        return `${kebabDirective}=${allowlistString}`
       }
 
       return ''