Allow string values for script- and style-src policies

[wanecek]

Summary

Ensure that the script- and style-src found on the policyObj are indeed arrays before applying Array.prototype.concat.

This is necessary because "'self'".concat("'sha256-xx'") evaluates to 'self''sha256-xx', which is an invalid policy. The same bug does not appear when using an array, because buildPolicy joins each item in the array with a space between, while it leaves strings intact.

Requirements (place an x in each [ ])

• I've read and understood the Contributing Guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.
• I've written tests to cover the new code and functionality included in this PR.
• I've read, agree to, and signed the Contributor License Agreement (CLA).

I was unable to sign the CLA using the link provided, it just showed a blank page for me.

[wanecek]

Two alternative ways to solve the issue without relying on lodash/flatten are:

Just straight up, but a bit difficult to read imo

policyObj['script-src'] = Array.isArray(policyObj['script-src']) ? policyObj['script-src'].concat(inlineSrc) : [policyObj['script-src'], inlineSrc]; policyObj['style-src'] = Array.isArray(policyObj['style-src']) ? policyObj['style-src'].concat(inlineStyle) : [policyObj['style-src'], inlineStyle];

or

creating a helper function that I can't come up with a good name for 😂

// Somewhere in plugin.js, e.g. line 19. function castToArray(strOrArray) { return Array.isArray(strOrArray) ? strOrArray : [strOrArray]; } // and at line 119 policyObj['script-src'] = castToArray(policyObj['script-src']).concat(inlineSrc); policyObj['style-src'] = castToArray(policyObj['style-src']).concat(inlineStyle);

[codecov-io]

Codecov Report

Merging #9 into master will not change coverage.
The diff coverage is 100%.

@@ Coverage Diff @@ ## master #9 +/- ## ===================================== Coverage 100% 100% ===================================== Files 2 2 Lines 110 117 +7 Branches 5 5 ===================================== + Hits 110 117 +7

Impacted Files	Coverage Δ
spec/plugin.spec.js	100% <100%> (ø)	⬆️
plugin.js	100% <100%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2605f00...3c29bf7. Read the comment docs.

[AnujRNair]

Hi @wanecek, thanks for the contribution(s)! I'm just checking about the contributor guidelines and will get back to you as soon as I get an answer :)

[AnujRNair]

@wanecek the contributor guidelines are up! Mind checking them out and signing? Thanks againf or your patience!

[wanecek]

@AnujRNair No worries at all :) I signed the CLA 👍

[wanecek]

Hi @AnujRNair! Is there anything more you need me to do?

[AnujRNair]

Hi @wanecek! I'm just confirming with the team that everything has been setup correctly - again, apologies for the delay! This first PR will always be the longest one, but others after this should be reviewed pretty quickly :)

[wanecek]

That's perfect, thank you @AnujRNair! Don't worry about it, take your time :) I just wanted to make sure that the PR wasn't forgotten :)

[AnujRNair]

@wanecek would you mind signing the license agreement one more time? I think I misconfigured it before
Thanks!

[wanecek]

Sure! Done!

[AnujRNair]

Thanks for the contribution!