Merge pull request #99 from effrenus/master

Support for Referrer-Policy header
krakenjs · Aug 7, 2017 · 6ae971a · 6ae971a
2 parents 725794c + d3bb1b8
commit 6ae971a
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -27,7 +27,8 @@ app.use(lusca({
     p3p: 'ABCDEF',
     hsts: {maxAge: 31536000, includeSubDomains: true, preload: true},
     xssProtection: true,
-    nosniff: true
+    nosniff: true,
+    referrerPolicy: 'same-origin'
 }));
 ```
 
@@ -41,6 +42,7 @@ app.use(lusca.p3p('ABCDEF'));
 app.use(lusca.hsts({ maxAge: 31536000 }));
 app.use(lusca.xssProtection(true));
 app.use(lusca.nosniff());
+app.use(lusca.referrerPolicy('same-origin'));
 ```
 
 __Please note that you must use [express-session](https://github.com/expressjs/session), [cookie-session](https://github.com/expressjs/cookie-session), their express 3.x alternatives, or other session object management in order to use lusca.__
@@ -128,3 +130,10 @@ Enables [X-XSS-Protection](http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-sec
 ### lusca.nosniff()
 
 Enables [X-Content-Type-Options](https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/) header to prevent MIME-sniffing a response away from the declared content-type.
+
+
+### lusca.referrerPolicy(value)
+
+* `value` String - Optional. The value for the header, e.g. `origin`, `same-origin`, `no-referrer`. Defaults to `` (empty string).
+
+Enables [Referrer-Policy](https://www.w3.org/TR/referrer-policy/#intro) header to control the Referer header.
diff --git a/index.js b/index.js
@@ -62,3 +62,4 @@ lusca.p3p = require('./lib/p3p');
 lusca.xframe = require('./lib/xframes');
 lusca.xssProtection = require('./lib/xssprotection');
 lusca.nosniff = require('./lib/nosniff');
+lusca.referrerPolicy = require('./lib/referrerpolicy');
diff --git a/lib/referrerpolicy.js b/lib/referrerpolicy.js
@@ -0,0 +1,40 @@
+'use strict';
+
+
+/**
+ * See https://www.w3.org/TR/referrer-policy/#referrer-policies
+ * @type {Array}
+ */
+var supportedValues = [
+    '',
+    'no-referrer',
+    'no-referrer-when-downgrade',
+    'same-origin',
+    'origin',
+    'strict-origin',
+    'origin-when-cross-origin',
+    'strict-origin-when-cross-origin',
+    'unsafe-url'
+];
+
+/**
+ * Default value.
+ * @type {String}
+ */
+var defaultValue = ''; // Browser should fallback to a Referrer Policy defined via other mechanisms elsewhere
+
+/**
+ * Referrer-Policy
+ * https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+ * Specification: https://www.w3.org/TR/referrer-policy/
+ * @param {String} value The Referrer-Policy header value, e.g. no-referrer, same-origin, origin.
+ */
+module.exports = function (value) {
+    if (supportedValues.indexOf(value) === -1 && process.env.NODE_ENV !== 'production') {
+        throw Error('Referrer-Policy header doesn\'t support value: ' + value);
+    }
+    return function referrerpolicy(req, res, next) {
+        res.header('referrer-policy', value || defaultValue);
+        next();
+    };
+};
diff --git a/test/referrerpolicy.js b/test/referrerpolicy.js
@@ -0,0 +1,52 @@
+/*global describe:false, it:false */
+'use strict';
+
+
+var lusca = require('../index'),
+    request = require('supertest'),
+    assert = require('assert'),
+    mock = require('./mocks/app');
+
+
+
+describe('referrerPolicy', function () {
+
+    it('method', function () {
+        assert(typeof lusca.referrerPolicy === 'function');
+    });
+
+    it('header (enabled)', function (done) {
+        var config = { referrerPolicy: 'no-referrer-when-downgrade' },
+            app = mock(config);
+
+        app.get('/', function (req, res) {
+            res.status(200).end();
+        });
+
+        request(app)
+            .get('/')
+            .expect('referrer-policy', 'no-referrer-when-downgrade')
+            .expect(200, done);
+    });
+
+    it('header invalid value', function () {
+        assert.throws(function () {
+            lusca.referrerPolicy('value-with-error');
+        }, /Referrer-Policy header doesn't support/);
+    });
+
+    it('header invalid value in production doesn\'t throw error', function (done) {
+        process.env.NODE_ENV = 'production';
+        var config = { referrerPolicy: 'invalid-value' },
+            app = mock(config);
+
+        app.get('/', function (req, res) {
+            res.status(200).end();
+        });
+
+        request(app)
+            .get('/')
+            .expect('referrer-policy', 'invalid-value')
+            .expect(200, done);
+    });
+});