feat: remove helmet-csp in favor of inline implementation

Credit goes to the original implementation. However, the published package contains
broken exports making it hard to use the package

Author: thetutlage

package.json

@@ -55,22 +55,20 @@
     "@japa/runner": "^4.4.0",
     "@poppinss/ts-exec": "^1.4.1",
     "@release-it/conventional-changelog": "^10.0.1",
-    "@types/node": "^24.3.1",
+    "@types/node": "^24.5.2",
     "c8": "^10.1.3",
     "copyfiles": "^2.4.1",
     "cross-env": "^10.0.0",
-    "del-cli": "^6.0.0",
+    "del-cli": "^7.0.0",
     "edge.js": "^6.3.0",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "prettier": "^3.6.2",
-    "release-it": "^19.0.4",
+    "release-it": "^19.0.5",
     "tsup": "^8.5.0",
     "typescript": "^5.9.2"
   },
   "dependencies": {
-    "@poppinss/utils": "^7.0.0-next.3",
-    "csrf": "^3.1.0",
-    "helmet-csp": "^4.0.0"
+    "csrf": "^3.1.0"
   },
   "peerDependencies": {
     "@adonisjs/core": "^7.0.0-next.0",

src/guards/csp/keywords.ts

@@ -10,7 +10,7 @@
 import type { ServerResponse, IncomingMessage } from 'node:http'
 
 import type { ValueOf } from '../../types.ts'
-import type { ContentSecurityPolicyOptions } from '../../helmet-csp.cts'
+import type { ContentSecurityPolicyOptions } from '../../helmet_csp.ts'
 
 /**
  * A collection of CSP keywords that are resolved to actual values

src/guards/csp/main.ts

@@ -16,7 +16,7 @@ import { type HttpContext } from '@adonisjs/core/http'
 import { noop } from '../../noop.ts'
 import { cspKeywords } from './keywords.ts'
 import type { CspOptions } from '../../types.ts'
-import { helmetMiddleware } from '../../helmet-csp.cts'
+import helmetMiddleware from '../../helmet_csp.ts'
 
 /**
  * Registering nonce keyword

src/helmet-csp.cts

@@ -0,0 +1,260 @@
+/*
+ * @adonisjs/shield
+ *
+ * (c) AdonisJS
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+/**
+ * CREDITS
+ * https://github.com/helmetjs/helmet/blob/main/middlewares/content-security-policy/index.ts
+ */
+
+import type { IncomingMessage, ServerResponse } from 'node:http'
+
+type ContentSecurityPolicyDirectiveValueFunction = (
+  req: IncomingMessage,
+  res: ServerResponse
+) => string
+
+type ContentSecurityPolicyDirectiveValue = string | ContentSecurityPolicyDirectiveValueFunction
+
+export interface ContentSecurityPolicyOptions {
+  useDefaults?: boolean
+  directives?: Record<
+    string,
+    null | Iterable<ContentSecurityPolicyDirectiveValue> | typeof dangerouslyDisableDefaultSrc
+  >
+  reportOnly?: boolean
+}
+
+type NormalizedDirectives = Map<string, Iterable<ContentSecurityPolicyDirectiveValue>>
+
+interface ContentSecurityPolicy {
+  (
+    options?: Readonly<ContentSecurityPolicyOptions>
+  ): (req: IncomingMessage, res: ServerResponse, next: (err?: Error) => void) => void
+  getDefaultDirectives: typeof getDefaultDirectives
+  dangerouslyDisableDefaultSrc: typeof dangerouslyDisableDefaultSrc
+}
+
+const dangerouslyDisableDefaultSrc = Symbol('dangerouslyDisableDefaultSrc')
+
+const SHOULD_BE_QUOTED: ReadonlySet<string> = new Set([
+  'none',
+  'self',
+  'strict-dynamic',
+  'report-sample',
+  'inline-speculation-rules',
+  'unsafe-inline',
+  'unsafe-eval',
+  'unsafe-hashes',
+  'wasm-unsafe-eval',
+])
+
+const getDefaultDirectives = (): Record<string, Iterable<ContentSecurityPolicyDirectiveValue>> => ({
+  'default-src': ["'self'"],
+  'base-uri': ["'self'"],
+  'font-src': ["'self'", 'https:', 'data:'],
+  'form-action': ["'self'"],
+  'frame-ancestors': ["'self'"],
+  'img-src': ["'self'", 'data:'],
+  'object-src': ["'none'"],
+  'script-src': ["'self'"],
+  'script-src-attr': ["'none'"],
+  'style-src': ["'self'", 'https:', "'unsafe-inline'"],
+  'upgrade-insecure-requests': [],
+})
+
+const dashify = (str: string): string =>
+  str.replace(/[A-Z]/g, (capitalLetter) => '-' + capitalLetter.toLowerCase())
+
+const assertDirectiveValueIsValid = (directiveName: string, directiveValue: string): void => {
+  if (/;|,/.test(directiveValue)) {
+    throw new Error(
+      `Content-Security-Policy received an invalid directive value for ${JSON.stringify(
+        directiveName
+      )}`
+    )
+  }
+}
+
+const assertDirectiveValueEntryIsValid = (
+  directiveName: string,
+  directiveValueEntry: string
+): void => {
+  if (
+    SHOULD_BE_QUOTED.has(directiveValueEntry) ||
+    directiveValueEntry.startsWith('nonce-') ||
+    directiveValueEntry.startsWith('sha256-') ||
+    directiveValueEntry.startsWith('sha384-') ||
+    directiveValueEntry.startsWith('sha512-')
+  ) {
+    throw new Error(
+      `Content-Security-Policy received an invalid directive value for ${JSON.stringify(
+        directiveName
+      )}. ${JSON.stringify(directiveValueEntry)} should be quoted`
+    )
+  }
+}
+
+function normalizeDirectives(
+  options: Readonly<ContentSecurityPolicyOptions>
+): NormalizedDirectives {
+  const defaultDirectives = getDefaultDirectives()
+
+  const { useDefaults = true, directives: rawDirectives = defaultDirectives } = options
+
+  const result: NormalizedDirectives = new Map()
+  const directiveNamesSeen = new Set<string>()
+  const directivesExplicitlyDisabled = new Set<string>()
+
+  for (const rawDirectiveName in rawDirectives) {
+    if (!Object.hasOwn(rawDirectives, rawDirectiveName)) {
+      continue
+    }
+
+    if (rawDirectiveName.length === 0 || /[^a-zA-Z0-9-]/.test(rawDirectiveName)) {
+      throw new Error(
+        `Content-Security-Policy received an invalid directive name ${JSON.stringify(
+          rawDirectiveName
+        )}`
+      )
+    }
+
+    const directiveName = dashify(rawDirectiveName)
+
+    if (directiveNamesSeen.has(directiveName)) {
+      throw new Error(
+        `Content-Security-Policy received a duplicate directive ${JSON.stringify(directiveName)}`
+      )
+    }
+    directiveNamesSeen.add(directiveName)
+
+    const rawDirectiveValue = rawDirectives[rawDirectiveName]
+    let directiveValue: Iterable<ContentSecurityPolicyDirectiveValue>
+    if (rawDirectiveValue === null) {
+      if (directiveName === 'default-src') {
+        throw new Error(
+          'Content-Security-Policy needs a default-src but it was set to `null`. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`.'
+        )
+      }
+      directivesExplicitlyDisabled.add(directiveName)
+      continue
+    } else if (typeof rawDirectiveValue === 'string') {
+      directiveValue = [rawDirectiveValue]
+    } else if (!rawDirectiveValue) {
+      throw new Error(
+        `Content-Security-Policy received an invalid directive value for ${JSON.stringify(
+          directiveName
+        )}`
+      )
+    } else if (rawDirectiveValue === dangerouslyDisableDefaultSrc) {
+      if (directiveName === 'default-src') {
+        directivesExplicitlyDisabled.add('default-src')
+        continue
+      } else {
+        throw new Error(
+          `Content-Security-Policy: tried to disable ${JSON.stringify(
+            directiveName
+          )} as if it were default-src; simply omit the key`
+        )
+      }
+    } else {
+      directiveValue = rawDirectiveValue
+    }
+
+    for (const element of directiveValue) {
+      if (typeof element !== 'string') continue
+      assertDirectiveValueIsValid(directiveName, element)
+      assertDirectiveValueEntryIsValid(directiveName, element)
+    }
+
+    result.set(directiveName, directiveValue)
+  }
+
+  if (useDefaults) {
+    Object.entries(defaultDirectives).forEach(([defaultDirectiveName, defaultDirectiveValue]) => {
+      if (
+        !result.has(defaultDirectiveName) &&
+        !directivesExplicitlyDisabled.has(defaultDirectiveName)
+      ) {
+        result.set(defaultDirectiveName, defaultDirectiveValue)
+      }
+    })
+  }
+
+  if (!result.size) {
+    throw new Error(
+      'Content-Security-Policy has no directives. Either set some or disable the header'
+    )
+  }
+  if (!result.has('default-src') && !directivesExplicitlyDisabled.has('default-src')) {
+    throw new Error(
+      'Content-Security-Policy needs a default-src but none was provided. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`.'
+    )
+  }
+
+  return result
+}
+
+function getHeaderValue(
+  req: IncomingMessage,
+  res: ServerResponse,
+  normalizedDirectives: Readonly<NormalizedDirectives>
+): string | Error {
+  const result: string[] = []
+
+  for (const [directiveName, rawDirectiveValue] of normalizedDirectives) {
+    let directiveValue = ''
+    for (const element of rawDirectiveValue) {
+      if (typeof element === 'function') {
+        const newElement = element(req, res)
+        assertDirectiveValueEntryIsValid(directiveName, newElement)
+        directiveValue += ' ' + newElement
+      } else {
+        directiveValue += ' ' + element
+      }
+    }
+
+    if (directiveValue) {
+      assertDirectiveValueIsValid(directiveName, directiveValue)
+      result.push(`${directiveName}${directiveValue}`)
+    } else {
+      result.push(directiveName)
+    }
+  }
+
+  return result.join(';')
+}
+
+const contentSecurityPolicy: ContentSecurityPolicy = function contentSecurityPolicy(
+  options: Readonly<ContentSecurityPolicyOptions> = {}
+): (req: IncomingMessage, res: ServerResponse, next: (err?: Error) => void) => void {
+  const headerName = options.reportOnly
+    ? 'Content-Security-Policy-Report-Only'
+    : 'Content-Security-Policy'
+
+  const normalizedDirectives = normalizeDirectives(options)
+
+  return function contentSecurityPolicyMiddleware(
+    req: IncomingMessage,
+    res: ServerResponse,
+    next: (error?: Error) => void
+  ) {
+    const result = getHeaderValue(req, res, normalizedDirectives)
+    if (result instanceof Error) {
+      next(result)
+    } else {
+      res.setHeader(headerName, result)
+      next()
+    }
+  }
+}
+contentSecurityPolicy.getDefaultDirectives = getDefaultDirectives
+contentSecurityPolicy.dangerouslyDisableDefaultSrc = dangerouslyDisableDefaultSrc
+
+export default contentSecurityPolicy
+export { dangerouslyDisableDefaultSrc, getDefaultDirectives }

src/helmet_csp.ts

@@ -9,7 +9,7 @@
 
 import type { HttpContext } from '@adonisjs/core/http'
 import type { CookieOptions } from '@adonisjs/core/types/http'
-import type { ContentSecurityPolicyOptions } from './helmet-csp.cts'
+import type { ContentSecurityPolicyOptions } from './helmet_csp.ts'
 
 /**
  * Utility type that extracts the values of all properties in an object type.