rspec/rules/S5732/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

In Express.js application the code is sensitive if the https://www.npmjs.com/package/helmet-csp[helmet-csp middleware] is not used or used without the <code>frame-ancestors</code> directive (or if <code>frame-ancestors</code> is set to <code>'none'</code>):

----
const express = require('express');
const helmetCsp = require('helmet-csp');

let app = express();
let csp = helmetCsp({ // Sensitive: frame-ancestors directive doesn't specify which origins are allowed to load the page as a frame
  directives: {
    frame-ancestors: ["'none'"]
  }
}); 
app.use(csp);
----

== Compliant Solution

In Express.js application a standard way to implement CSP frame-ancestors directive is the https://www.npmjs.com/package/helmet-csp[helmet-csp middleware]:

----
const express = require('express');
const helmetCsp = require('helmet-csp');

let app = express();
let csp = helmetCsp({ // Compliant
  directives: {
    frame-ancestors: ["'self'", 'example.com']
  }
}); 
app.use(csp);
----

include::../see.adoc[]