| 1 | "use strict";
|
| 2 | Object.defineProperty(exports, "__esModule", { value: true });
|
| 3 | function getHeaderValueFromOptions({ action = "SAMEORIGIN", }) {
|
| 4 | const normalizedAction = typeof action === "string" ? action.toUpperCase() : action;
|
| 5 | if (normalizedAction === "SAME-ORIGIN") {
|
| 6 | return "SAMEORIGIN";
|
| 7 | }
|
| 8 | else if (normalizedAction === "DENY" || normalizedAction === "SAMEORIGIN") {
|
| 9 | return normalizedAction;
|
| 10 | }
|
| 11 | else if (normalizedAction === "ALLOW-FROM") {
|
| 12 | throw new Error("X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See <https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive> for more info.");
|
| 13 | }
|
| 14 | else {
|
| 15 | throw new Error(`X-Frame-Options received an invalid action ${JSON.stringify(action)}`);
|
| 16 | }
|
| 17 | }
|
| 18 | function xFrameOptions(options = {}) {
|
| 19 | const headerValue = getHeaderValueFromOptions(options);
|
| 20 | return function xFrameOptionsMiddleware(_req, res, next) {
|
| 21 | res.setHeader("X-Frame-Options", headerValue);
|
| 22 | next();
|
| 23 | };
|
| 24 | }
|
| 25 | module.exports = xFrameOptions;
|
| 26 | exports.default = xFrameOptions;
|