feat: generating nonce by default and cleaning up the tests #4
Merged
jkyberneees merged 8 commits into BackendStack21:main from May 8, 2025
…d customize a nonce desired by the customer. This improves security policy generation. These improvements ensure that our CSP generator is thoroughly tested across all major use cases and edge conditions, providing better confidence in the reliability of the generated security policies.
…o allowing a default value to it.
…since tests run locally
…l tests pass in CI - Restrict SecureCSPGenerator mocking to CLI tests only - Restore real class for core and browser tests - Fixes CI failures caused by global mock pollution - Ensures robust, environment-independent test suite
…nd ensure robust end-to-end coverage - Reinstated CLI tests to use the real SecureCSPGenerator (no mocking) - Removed timeout-based test for reliability - Fixed test isolation and process/console mocking - All tests now pass locally and in CI
Overview
This PR introduces significant enhancements to the CSP generator, focusing on security best practices, modern browser compatibility, and robust CLI/environment handling. The changes ensure that the generated Content Security Policy is both secure by default and backward compatible, while also improving test coverage and reliability.
Key Improvements
1. Security Best Practices
- base-uri 'self' always included: prevents attackers from injecting <base> tags and changing the base URL for relative links.
- require-trusted-types-for 'script' enabled by default: enforces Trusted Types for scripts, mitigating DOM XSS risks in modern browsers.
- script-src improvements:
  - 'strict-dynamic' and 'unsafe-inline': when 'strict-dynamic' is present, 'unsafe-inline' is always added for backward compatibility with older browsers; CSP3-capable browsers ignore 'unsafe-inline' when 'strict-dynamic' is present.
  - Nonces and hashes are generated and included for inline scripts, maximizing compatibility and security.
2. Robust CLI & Environment Handling
The CLI now robustly parses boolean options from both CLI arguments and environment variables, handling empty, undefined, and boolean values, with support for default values.
requireTrustedTypes is always true by default unless explicitly set otherwise.
3. Test Coverage & Reliability
Example Output
A generated CSP now looks like:
Content-Security-Policy: default-src 'self'; object-src 'none'; script-src https://cdn.cookie-script.com https://www.googletagmanager.com 'sha256-AqR2q4mEeEy4Klon15BI5AtufOZVE5OD0k6RylQCMis=' 'nonce-0MPzwlbRwl9dmL6s8GCKXw==' 'strict-dynamic'; style-src https://fonts.googleapis.com; img-src https://21no.de https://img.shields.io; upgrade-insecure-requests; block-all-mixed-content
Screenshots validating our generated output with the Google CSP Validator: