rspec/rules/S5732/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

In Express.js application the code is sensitive if the https://www.npmjs.com/package/helmet-csp[helmet-csp] or https://www.npmjs.com/package/helmet[helmet] middleware is used without the ``++frameAncestors++`` directive (or if ``++frameAncestors++`` is set to ``++'none'++``):

----
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // other directives
      frameAncestors: ["'none'"] // Sensitive: frameAncestors  is set to none
    } 
  })
);
----

== Compliant Solution

In Express.js application a standard way to implement CSP frame-ancestors directive is the https://www.npmjs.com/package/helmet-csp[helmet-csp] or https://www.npmjs.com/package/helmet[helmet] middleware:

[source,javascript]
----
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // other directives
      frameAncestors: ["'example.com'"] // Compliant
    } 
  })
);
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			In Express.js application the code is sensitive if the https://www.npmjs.com/package/helmet-csp[helmet-csp] or https://www.npmjs.com/package/helmet[helmet] middleware is used without the ``++frameAncestors++`` directive (or if ``++frameAncestors++`` is set to ``++'none'++``):
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`const express = require('express');`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`const helmet = require('helmet');`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`let app = express();`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
			`app.use(`
			`helmet.contentSecurityPolicy({`
			`directives: {`
			`// other directives`
			`frameAncestors: ["'none'"] // Sensitive: frameAncestors is set to none`
			`}`
			`})`
			`);`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`

			`== Compliant Solution`

Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`In Express.js application a standard way to implement CSP frame-ancestors directive is the https://www.npmjs.com/package/helmet-csp[helmet-csp] or https://www.npmjs.com/package/helmet[helmet] middleware:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`const express = require('express');`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`const helmet = require('helmet');`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`let app = express();`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
			`app.use(`
			`helmet.contentSecurityPolicy({`
			`directives: {`
			`// other directives`
			`frameAncestors: ["'example.com'"] // Compliant`
			`}`
			`})`
			`);`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`