Add support for HTTP security headers. #1016
Conversation
| alias: 'keyword' | ||
| }, | ||
| 'safe': { | ||
| pattern: /('self'|'none'|'strict-dynamic'|('nonce-|'sha256-)[a-zA-Z0-9]{1,}('))/, |
There was a problem hiding this comment.
Couldn't {1,} be written as +? Also why is the last single quote between parentheses?
Finally, couldn't the single quotes be put outside of the alternative to prevent unneeded repetition?
|
Thanks for contributing! Please take a look at the comments I made regarding the code itself. It would be great if you could add examples and tests. Please refer to my comment #1014 (comment) for details. |
|
|
||
| Prism.languages.csp = { | ||
| 'directive': { | ||
| pattern: /\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri |require-sri-for|sandbox|upgrade-insecure-requests)\b/i, |
There was a problem hiding this comment.
There’s extra space after “report-uri”.
There was a problem hiding this comment.
Even with the \b at the end?
|
Hey :-) I fixed up the code based on the comments. I think that should now be good. I will have a look at the requirements for the examples and tests. |
| alias: 'keyword' | ||
| }, | ||
| 'safe': { | ||
| pattern: /([0-9]{7,})/, |
There was a problem hiding this comment.
Parentheses are not needed around the whole pattern. Same goes for the regexp below and the others in the hsts component. ;)
# Conflicts: # components/prism-csp.js # components/prism-csp.min.js # components/prism-hpkp.js # components/prism-hpkp.min.js # components/prism-hsts.min.js
|
I've learnt a lot more about regexp than I intended ;-) How is it looking now? |
|
|
||
| Prism.languages.csp = { | ||
| 'directive': { | ||
| pattern: /\b(?:(?:base-uri|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox) |(?:block-all-mixed-content|disown-opener|upgrade-insecure-requests(?: |;))|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src )/i, |
There was a problem hiding this comment.
I'm pretty sure there is still a problem with the parentheses in the second group.
|
Getting there... :-D |
|
I won't merge until I'm back on a computer next week (currently reviewing with my phone). In the meantime, if you can write examples and tests, and think about my suggestion to merge hpkp and hsts, it would be really great! |
|
We could merge HPKP and HSTS but they're different technologies and may diverge further in the future. Also, the numeric value ranges are different for the two. From my side it makes sense to keep these separate. As for the examples and test I will take a look at what's required. |
|
Very interested in seeing this landed. Anything I can do to help out? |
|
I think it's just the examples and test that are outstanding. |
|
@ScottHelme, fixed some bugs and added the missing pieces over here: #1275 If you'd rather work some more on this, feel free to cherry-pick the relevant changes back here :) |
|
Closing after #1275 was merged. |
|
Big +1 on this, too. We just contributed the Content-Security-Policy highlighting to the ace editor. ajaxorg/ace#3511. Would be great to have it for prism as well. |
|
Oops, had an outdated cached tab open. Glad it's merged! |
I often find myself writing configurations for CSP, HSTS and HPKP. These changes add support for these configurations to Prism.