"use strict";

// Defines `__esModule: true` on the module's `exports` object, the conventional
// marker that transpilers emit when compiling an ES module to CommonJS.
Object.defineProperty(exports, "__esModule", { value: true });
/**
 * Resolves the `action` option to the literal X-Frame-Options header value.
 *
 * String actions are compared case-insensitively, and the hyphenated spelling
 * "SAME-ORIGIN" is accepted as an alias for "SAMEORIGIN". Anything else is
 * rejected with an exception, so a misconfigured value is never written to a
 * response as an invalid header.
 *
 * @param {{ action?: unknown }} options - Options object; `action` defaults to "SAMEORIGIN" when undefined.
 * @returns {"DENY" | "SAMEORIGIN"} The header value to send.
 * @throws {Error} If `action` is "ALLOW-FROM" (rejected by this module) or any other unrecognised value.
 */
function getHeaderValueFromOptions({ action = "SAMEORIGIN", }) {
  // Non-string inputs are left untouched so they fall through to the
  // "invalid action" error instead of failing on toUpperCase().
  const candidate = typeof action === "string" ? action.toUpperCase() : action;

  switch (candidate) {
    case "DENY":
    case "SAMEORIGIN":
      return candidate;

    case "SAME-ORIGIN":
      return "SAMEORIGIN";

    case "ALLOW-FROM":
      // Rejected outright rather than emitted. Per-origin framing allowlists
      // are expressed with the CSP `frame-ancestors` directive instead.
      throw new Error("X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See <https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive> for more info.");

    default:
      // Report the caller's original value, not the upper-cased one.
      throw new Error(`X-Frame-Options received an invalid action ${JSON.stringify(action)}`);
  }
}
/**
 * Builds a middleware that sets the X-Frame-Options response header.
 *
 * The options are validated once, when the middleware is created, so an
 * invalid `action` throws at setup time rather than on each request.
 *
 * @param {{ action?: unknown }} [options={}] - Passed to getHeaderValueFromOptions.
 * @returns {Function} Middleware `(req, res, next)` that sets the header and calls `next()`.
 * @throws {Error} If the options do not resolve to a supported header value.
 */
function xFrameOptions(options = {}) {
  const frameOptionsValue = getHeaderValueFromOptions(options);

  // The request is not consulted: every response gets the same fixed value.
  function xFrameOptionsMiddleware(_req, res, next) {
    res.setHeader("X-Frame-Options", frameOptionsValue);
    next();
  }

  return xFrameOptionsMiddleware;
}
// Export the middleware factory itself, so requiring this module yields the function.
module.exports = xFrameOptions;

// NOTE(review): `module.exports` was reassigned on the statement above. Under the
// standard CommonJS module wrapper, `exports` still refers to the initial exports
// object, so this `.default` would be set on that object rather than on the
// exported function. Confirm that no consumer relies on `require(...).default`.
exports.default = xFrameOptions;