Skip to content

Commit

Permalink
CSP: Added missing directives and keywords (#2664)
Browse files Browse the repository at this point in the history
This adds missing CSP and UISecurity directives and keywords.
  • Loading branch information
edukisto authored Dec 1, 2020
1 parent a7ccc16 commit f154134
Show file tree
Hide file tree
Showing 5 changed files with 34 additions and 10 deletions.
11 changes: 7 additions & 4 deletions components/prism-csp.js
Original file line number Diff line number Diff line change
Expand Up @@ -10,17 +10,20 @@
*/

Prism.languages.csp = {
'directive': {
pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
'directive': {
pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
lookbehind: true,
alias: 'keyword'
},
'safe': {
pattern: /'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,
// CSP2 hashes and nonces are base64 values. CSP3 accepts both base64 and base64url values.
// See https://tools.ietf.org/html/rfc4648#section-4
// See https://tools.ietf.org/html/rfc4648#section-5
pattern: /'(?:deny|none|report-sample|self|strict-dynamic|top-only|(?:nonce|sha(?:256|384|512))-[-+/\d=_a-z]+)'/i,
alias: 'selector'
},
'unsafe': {
pattern: /(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,
pattern: /(?:'unsafe-(?:allow-redirects|dynamic|eval|hash-attributes|hashed-attributes|hashes|inline)'|\*)/i,
alias: 'function'
}
};
2 changes: 1 addition & 1 deletion components/prism-csp.min.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

18 changes: 16 additions & 2 deletions tests/languages/csp/directive_with_source_expression_feature.test
Original file line number Diff line number Diff line change
@@ -1,10 +1,24 @@
script-src example.com;
input-protection tolerance=50; input-protection-clip before=60; input-protection-selectors div; policy-uri https://example.com; script-src example.com; script-src-attr 'none'; style-src-elem 'none';

----------------------------------------------------

[
["directive", "input-protection"],
" tolerance=50; ",
["directive", "input-protection-clip"],
" before=60; ",
["directive", "input-protection-selectors"],
" div; ",
["directive", "policy-uri"],
" https://example.com; ",
["directive", "script-src"],
" example.com;"
" example.com; ",
["directive", "script-src-attr"],
["safe", "'none'"],
"; ",
["directive", "style-src-elem"],
["safe", "'none'"],
";"
]

----------------------------------------------------
Expand Down
3 changes: 2 additions & 1 deletion tests/languages/csp/safe_feature.test
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
default-src 'none'; style-src 'self' 'strict-dynamic' 'nonce-yeah' 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=';
default-src 'none' 'report-sample'; style-src 'self' 'strict-dynamic' 'nonce-yeah' 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=';

----------------------------------------------------

[
["directive", "default-src"],
["safe", "'none'"],
["safe", "'report-sample'"],
"; ",
["directive", "style-src"],
["safe", "'self'"],
Expand Down
10 changes: 8 additions & 2 deletions tests/languages/csp/unsafe_feature.test
Original file line number Diff line number Diff line change
@@ -1,12 +1,18 @@
script-src 'unsafe-inline' 'unsafe-eval' 'unsafe-hashed-attributes';
navigate-to 'unsafe-allow-redirects'; script-src 'unsafe-dynamic' 'unsafe-eval' 'unsafe-hash-attributes' 'unsafe-hashed-attributes' 'unsafe-hashes' 'unsafe-inline';

----------------------------------------------------

[
["directive", "navigate-to"],
["unsafe", "'unsafe-allow-redirects'"],
"; ",
["directive", "script-src"],
["unsafe", "'unsafe-inline'"],
["unsafe", "'unsafe-dynamic'"],
["unsafe", "'unsafe-eval'"],
["unsafe", "'unsafe-hash-attributes'"],
["unsafe", "'unsafe-hashed-attributes'"],
["unsafe", "'unsafe-hashes'"],
["unsafe", "'unsafe-inline'"],
";"
]

Expand Down

0 comments on commit f154134

Please sign in to comment.