import { ObservatoryResult } from "../types";
import { PassIcon } from "../utils";

// Keys of the CSP test's `policy` object that are rendered as rows, in
// display order. Each key is read as `policy[pt]` below; the listing does
// not show the type of those values — presumably boolean flags, confirm
// against ObservatoryResult in "../types".
const policyTests = [
  "unsafeInline",
  "unsafeEval",
  "unsafeObjects",
  "unsafeInlineStyle",
  "insecureSchemeActive",
  "insecureSchemePassive",
  "antiClickjacking",
  "defaultNone",
  "insecureBaseUri",
  "insecureFormAction",
  "strictDynamic",
];

/**
 * Renders the Content-Security-Policy section of an Observatory scan result.
 *
 * Three cases are distinguished, in this order:
 * - `policy` is truthy (an enforced policy was analysed): one row per entry
 *   of `policyTests`, driven by `policy[pt]`;
 * - otherwise, when the test's `result` is
 *   `"csp-not-implemented-but-reporting-enabled"`: only a
 *   `Content-Security-Policy-Report-Only` header was seen. Report-Only
 *   reports violations but does not enforce them, so this is presented as
 *   "implement an enforced policy" rather than as a pass;
 * - otherwise: "No CSP headers detected".
 *
 * NOTE(review): the JSX markup in this listing appears to have been stripped
 * during extraction (only text nodes and a few fragments survive), so the
 * exact elements rendered in each branch cannot be confirmed from here.
 *
 * @param result - the full Observatory scan result; only
 *   `result.tests["content-security-policy"]` is read.
 */
export default function ObservatoryCSP({
  result,
}: {
  result: ObservatoryResult;
}) {
  // The CSP test entry may be missing from `result.tests`, hence `?.`;
  // `policy` is then undefined and the non-enforced branches are taken.
  const policy = result.tests["content-security-policy"]?.policy;
  // Awkward, but so it has been on python-observatory:
  // Negate some of the `pass` flags because sometimes
  // a `pass` on the policy is bad, and sometimes not.
  // NOTE(review): every key here is also in `policyTests`; for these a truthy
  // flag presumably denotes the insecure condition being present (e.g.
  // 'unsafe-inline' allowed), which is why the display inverts it, while the
  // remaining keys (antiClickjacking, defaultNone, strictDynamic) read as
  // "good when true". Where this list is consumed is not visible in this
  // listing — verify against the rendering code.
  const negatedPolicies = [
    "insecureBaseUri",
    "insecureFormAction",
    "insecureSchemeActive",
    "insecureSchemePassive",
    "unsafeEval",
    "unsafeInline",
    "unsafeInlineStyle",
    "unsafeObjects",
  ];
  // Overall pass/fail of the CSP test; its use is not visible in this listing.
  const pass = result.tests["content-security-policy"]?.pass;
  // cookies && Object.keys(cookies).length !== 0 ?
  // NOTE(review): the commented-out expression above references `cookies`,
  // which is not in scope here — looks like a leftover from a sibling
  // component and could be removed.
  return policy ? (
    <>

None

`, }} />
{policyTests.map((pt) => { return policy[pt] ? ( ) : ( [] ); })}
Test Result Info
) : result.tests["content-security-policy"]?.result === "csp-not-implemented-but-reporting-enabled" ? (

Content-Security-Policy-Report-Only header detected. Implement an enforced policy; see{" "} MDN's Content Security Policy (CSP) documentation .

) : (

No CSP headers detected

); }