From 069ecd8d6abbf3c1565e778a1ac8bc52e07dc5b9 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 01:01:17 -0500
Subject: [PATCH 001/239] Migrate `onFinish` callback

  Trigger `process.exit ()` on completed
  TAP test run within test helper
---
 test/serve.es | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/test/serve.es b/test/serve.es
index 34ad5b21b29..cde7cc4132a 100644
--- a/test/serve.es
+++ b/test/serve.es
@@ -2,8 +2,5 @@ const
   server = new (require ('server'))
 
 
-require ('tape')
-  .onFinish (process.exit)
-
 module.exports
   = server.serve.bind (server)

From 8f0438d975eacf2f3321dac7b6e1ee4df460ebcd Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 03:03:09 -0500
Subject: [PATCH 002/239] Fix grammatical error

---
 middleware/security.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/security.test b/middleware/security.test
index e97b95c75b4..2ef1a6946c6 100644
--- a/middleware/security.test
+++ b/middleware/security.test
@@ -14,7 +14,7 @@ const
 , Server = require ('server')
 
 
-test ('calling next middlewaree')
+test ('calling next middleware')
 
 
 test ('X-XSS-Protection: 1; mode=block', async t => {

From e406127356f62c195152b1a91988f1b86e043769 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 03:03:47 -0500
Subject: [PATCH 003/239] Convert to using object deconstruction

---
 middleware/security.test | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/middleware/security.test b/middleware/security.test
index 2ef1a6946c6..09aff2581e3 100644
--- a/middleware/security.test
+++ b/middleware/security.test
@@ -11,7 +11,8 @@ const
   { test, fetch }
     = require ('test')
 
-, Server = require ('server')
+, { Server }
+    = require ('..')
 
 
 test ('calling next middleware')

From 869d0ee2e976a4b1b15b956bdca5ff51a72cc5e2 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 03:09:44 -0500
Subject: [PATCH 004/239] Add middleware/policy to loader

---
 middleware/index.es | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/index.es b/middleware/index.es
index 43a1e692d01..dc3ffb6c0ff 100644
--- a/middleware/index.es
+++ b/middleware/index.es
@@ -6,6 +6,7 @@ module.exports = {
   auth       : require ('./auth')
 , cors       : require ('./cors')
 , security   : require ('./security')
+, policy     : require ('./policy')
 , browse     : require ('./browse')
 , snuggsi    : require ('./snuggsi')
 , route      : require ('./route')

From 5d02e1041e183b65cc6693f2ccab89ec112a4e59 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 03:09:58 -0500
Subject: [PATCH 005/239] Add middleware/policy to test loader

---
 middleware/index.test | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/middleware/index.test b/middleware/index.test
index 07f1f744931..f14faae7c32 100644
--- a/middleware/index.test
+++ b/middleware/index.test
@@ -3,5 +3,9 @@ require ('./cors.test')
 require ('./security.test')
 require ('./snuggsi.test')
 require ('./route.test')
+require ('./policy.test')
+require ('./compressor.test')
+require ('./negotiator.test')
+require ('./librarian.test')
 require ('./assets.test')
 

From 9e8f456ba861cc1914ed1da68507502cc6dcc637 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 03:10:39 -0500
Subject: [PATCH 006/239] Add middleware/policy implementaion

---
 middleware/policy.es | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 middleware/policy.es

diff --git a/middleware/policy.es b/middleware/policy.es
new file mode 100644
index 00000000000..c9a943dcdd2
--- /dev/null
+++ b/middleware/policy.es
@@ -0,0 +1,25 @@
+const
+  { test, fetch }
+    = require ('test')
+
+, { Server }
+    = require ('..')
+
+
+console.warn ((new Server).serve)
+
+test.only ('calling next middleware')
+
+
+test ('Content-Security-Policy', async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+
+
+  t.ok (response.headers)
+
+  server.close ``
+  t.end ()
+})

From cdbdbccd76b76601bfbc68d2899cddd902838e08 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 03:11:21 -0500
Subject: [PATCH 007/239] Add middleware/policy.test suite to cover Content
 Security Policy

---
 middleware/policy.test | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 middleware/policy.test

diff --git a/middleware/policy.test b/middleware/policy.test
new file mode 100644
index 00000000000..c9a943dcdd2
--- /dev/null
+++ b/middleware/policy.test
@@ -0,0 +1,25 @@
+const
+  { test, fetch }
+    = require ('test')
+
+, { Server }
+    = require ('..')
+
+
+console.warn ((new Server).serve)
+
+test.only ('calling next middleware')
+
+
+test ('Content-Security-Policy', async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+
+
+  t.ok (response.headers)
+
+  server.close ``
+  t.end ()
+})

From f785aff6e5728ab361a484fe3ff6a55142915d9e Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 03:12:03 -0500
Subject: [PATCH 008/239] Update test helper functionality

---
 middleware/policy.es | 25 -------------------------
 test/index.es        | 21 +++++++++++++++++----
 2 files changed, 17 insertions(+), 29 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index c9a943dcdd2..e69de29bb2d 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,25 +0,0 @@
-const
-  { test, fetch }
-    = require ('test')
-
-, { Server }
-    = require ('..')
-
-
-console.warn ((new Server).serve)
-
-test.only ('calling next middleware')
-
-
-test ('Content-Security-Policy', async t => {
-
-  const
-    server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
-
-
-  t.ok (response.headers)
-
-  server.close ``
-  t.end ()
-})
diff --git a/test/index.es b/test/index.es
index 2e486eb622c..c4d7236b380 100644
--- a/test/index.es
+++ b/test/index.es
@@ -1,17 +1,21 @@
 console.warn ('loading test helper')
 
 const
-  { test }
+  fetch =
+    ( resource, ... options ) =>
+      require ('node-fetch') (resource, ... options)
+
+, { test, onFinish : finish }
     = require ('tape')
 
-, fetch
-    = ( resource, ... options ) =>
-      require ('node-fetch') (resource, ... options)
+
+finish (process.exit)
 
 
 module.exports = {
   test
 , fetch
+<<<<<<< HEAD
 
 // See chunked responses
 // http://taylor.fausak.me/2013/02/17/testing-a-node-js-http-server-with-mocha/
@@ -19,4 +23,13 @@ module.exports = {
 , read   : require ('./read')
 , serve  : require ('./serve')
 , browse : require ('./browse')
+=======
+, read   : require ('./read')
+, serve  : require ('./serve')
+, browse : require ('./browse')
+
+// See chunked responses
+// http://taylor.fausak.me/2013/02/17/testing-a-node-js-http-server-with-mocha/
+, get    : require ('http').get
+>>>>>>> Update test helper functionality
 }

From 288b4fd8011e594e02b8473fce52f1b95832ba7c Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 03:15:43 -0500
Subject: [PATCH 009/239] Remove only test from middleware

---
 middleware/policy.test | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index c9a943dcdd2..475a0a67d92 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -6,9 +6,7 @@ const
     = require ('..')
 
 
-console.warn ((new Server).serve)
-
-test.only ('calling next middleware')
+test ('calling next middleware')
 
 
 test ('Content-Security-Policy', async t => {

From f8247c990f7cde645ecbb494a3d726cc242ed3e8 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 21:27:12 -0500
Subject: [PATCH 010/239] Add Node Security Platform link

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index d4f0fd0f4f1..db8ea5676ed 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -12,6 +12,7 @@ Middleware used for CSP (Content Security Policy).
 
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
+  - Node Security Platform - https://nodesecurity.io/resources
 
 ## snuggsi.route
 

From a53d3275cd17a6e28f7aa64bfcb6bdfcc3e36613 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 21:56:07 -0500
Subject: [PATCH 011/239] Add CORS section to middleware/README.md

---
 middleware/README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/middleware/README.md b/middleware/README.md
index db8ea5676ed..5f234401157 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -1,6 +1,11 @@
 # middleware
 
 
+## snuggsi.cors
+
+Cross Origin Resource Sharing
+
+
 ## snuggsi.auth
 
 Middleware used for Authentication.

From 8a2bab2d4d7023fea038e5b8dc805f9b06f02dac Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 21:56:32 -0500
Subject: [PATCH 012/239] Add security and policy information to
 middlware/README.md

---
 middleware/README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/middleware/README.md b/middleware/README.md
index 5f234401157..e53b0e4e042 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -13,6 +13,11 @@ Middleware used for Authentication.
 
 ## snuggsi.security
 
+Browser security for frames and XSS attacks
+
+
+## snuggsi.policy
+
 Middleware used for CSP (Content Security Policy).
 
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757

From e1b62e9f9a13ccc2e6e15377e14ee0808a2a7d27 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 21:56:58 -0500
Subject: [PATCH 013/239] Add middleware/policies.es implementation

---
 middleware/policy.es | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index e69de29bb2d..d12e36eda39 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -0,0 +1,16 @@
+const
+  policies = [
+    `default-src 'none';`
+  ]
+
+module.exports = options =>
+
+  async (context, next) => {
+
+    await next ()
+
+    for
+      ( let policy of policies )
+        context.set
+          ('Content-Security-Policy', policy)
+  }

From 0a7266205cf201c7b00bad7879d15245392626af Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 21:58:09 -0500
Subject: [PATCH 014/239] Test Content-Security-Policy: default-src 'none'

---
 middleware/policy.test | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 475a0a67d92..50697643eeb 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -9,14 +9,14 @@ const
 test ('calling next middleware')
 
 
-test ('Content-Security-Policy', async t => {
+test ("Content-Security-Policy: default-src 'none';", async t => {
 
   const
     server   = (new Server).serve ``
   , response = await fetch ('http://localhost:8181/')
 
 
-  t.ok (response.headers)
+  t.ok (response.headers.get ('content-security-policy'))
 
   server.close ``
   t.end ()

From cda76fe1a60d562dc66b5cd223a8d6ab62c441c9 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 21:58:42 -0500
Subject: [PATCH 015/239] Test Stub Content-Security-Policy

---
 middleware/policy.test | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/middleware/policy.test b/middleware/policy.test
index 50697643eeb..7e78b32dfaa 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -21,3 +21,8 @@ test ("Content-Security-Policy: default-src 'none';", async t => {
   server.close ``
   t.end ()
 })
+
+
+test ("Content-Security-Policy: script-src 'self';")
+test ("Content-Security-Policy: img-src 'self' https://cdn.example.com;")
+test ("Content-Security-Policy: connect-src 'self';")

From 3a4ee5d7dc511d0554d6b4d4a877bbf237f2638c Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 21:58:51 -0500
Subject: [PATCH 016/239] Add whitespace formatting

---
 middleware/security.es | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/security.es b/middleware/security.es
index 2d96ef67364..d8aca841858 100644
--- a/middleware/security.es
+++ b/middleware/security.es
@@ -13,6 +13,7 @@ const
 module.exports = options =>
 
   async (context, next) => {
+
     await next ()
 
     context.set

From 119c7d993d2d4c0aad204d027e478b94350cce9e Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Thu, 18 Jan 2018 22:00:13 -0500
Subject: [PATCH 017/239] Add policy middleware to default Server stack

---
 server/index.es | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/index.es b/server/index.es
index 72b44ea51aa..bfd2ff78795 100644
--- a/server/index.es
+++ b/server/index.es
@@ -1,5 +1,5 @@
 const
-  { cors, security, snuggsi, negotiator, assets }
+  { auth, cors, security, policy, compressor, negotiator, librarian, mixins, assets }
     = require ('middleware')
 
 
@@ -10,6 +10,7 @@ module.exports = class extends require ('koa') {
     for (let slice of [
       cors        // why is this NOT a function...
     , security `` // and this IS a function?
+    , policy ()   // and this IS a function?
     , ... middleware
     , snuggsi
     ]) this.use (slice)

From 9dd19675a9be4c22df65cd2fd51d386e4cdded72 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 09:58:28 -0500
Subject: [PATCH 018/239] Add default stubs for Content-Security-Policy

---
 middleware/policy.es   | 4 +++-
 middleware/policy.test | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index d12e36eda39..2473f4a3d87 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,8 +1,10 @@
 const
+
   policies = [
-    `default-src 'none';`
+    `default-src 'none';` // `default-src 'self' https://${domain};`
   ]
 
+
 module.exports = options =>
 
   async (context, next) => {
diff --git a/middleware/policy.test b/middleware/policy.test
index 7e78b32dfaa..659f80fd43b 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -23,6 +23,9 @@ test ("Content-Security-Policy: default-src 'none';", async t => {
 })
 
 
-test ("Content-Security-Policy: script-src 'self';")
+test ("Content-Security-Policy: frame-src 'self';")
+test ("Content-Security-Policy: style-src 'self';")
 test ("Content-Security-Policy: img-src 'self' https://cdn.example.com;")
+test ("Content-Security-Policy: script-src 'self';")
 test ("Content-Security-Policy: connect-src 'self';")
+test ("Content-Security-Policy: report-uri 'self';")

From 59c4bd13775311e68ade0e6f1e1e4a8d955b5e5a Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 10:31:32 -0500
Subject: [PATCH 019/239] Add report-uri for Content-Security-Policy

---
 middleware/policy.test | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/middleware/policy.test b/middleware/policy.test
index 659f80fd43b..db7cb5dda7c 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -9,6 +9,9 @@ const
 test ('calling next middleware')
 
 
+test ("Content-Security-Policy: report-uri 'self';")
+
+
 test ("Content-Security-Policy: default-src 'none';", async t => {
 
   const

From cd0bbb6e90915c7707af12d03f40f1c82c5e117f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 10:31:42 -0500
Subject: [PATCH 020/239] Add default stubs for Content-Security-Policy

---
 middleware/policy.test | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index db7cb5dda7c..442aee66232 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -27,8 +27,7 @@ test ("Content-Security-Policy: default-src 'none';", async t => {
 
 
 test ("Content-Security-Policy: frame-src 'self';")
-test ("Content-Security-Policy: style-src 'self';")
+test ("Content-Security-Policy: connect-src 'self';")
 test ("Content-Security-Policy: img-src 'self' https://cdn.example.com;")
+test ("Content-Security-Policy: style-src 'self';")
 test ("Content-Security-Policy: script-src 'self';")
-test ("Content-Security-Policy: connect-src 'self';")
-test ("Content-Security-Policy: report-uri 'self';")

From 73bbde2504810f18229b2c6836302e2a68c75ab3 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:35:52 -0500
Subject: [PATCH 021/239] Add test for style-src none

---
 middleware/policy.es   | 10 ++++------
 middleware/policy.test | 19 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 2473f4a3d87..14ac289e9ec 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,7 +1,7 @@
 const
-
   policies = [
-    `default-src 'none';` // `default-src 'self' https://${domain};`
+    `default-src 'none'` // `default-src 'self' https://${domain};`
+  , `style-src 'none'` // `style-src 'self' 'unsafe-inline' https://cdn.example.com
   ]
 
 
@@ -11,8 +11,6 @@ module.exports = options =>
 
     await next ()
 
-    for
-      ( let policy of policies )
-        context.set
-          ('Content-Security-Policy', policy)
+    context.set
+      ( 'Content-Security-Policy', policies.join `; ` )
   }
diff --git a/middleware/policy.test b/middleware/policy.test
index 442aee66232..4fe3d42b122 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -29,5 +29,22 @@ test ("Content-Security-Policy: default-src 'none';", async t => {
 test ("Content-Security-Policy: frame-src 'self';")
 test ("Content-Security-Policy: connect-src 'self';")
 test ("Content-Security-Policy: img-src 'self' https://cdn.example.com;")
-test ("Content-Security-Policy: style-src 'self';")
+
+
+test.only ("Content-Security-Policy: style-src 'none';", async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+
+
+  console.log (response.headers)
+
+  t.ok (response.headers.get ('content-security-policy'))
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: script-src 'self';")

From 356dbbe4f6f4e91528007d5f08b34ff6b00e436a Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:37:30 -0500
Subject: [PATCH 022/239] Use include for header comparison

---
 middleware/policy.test | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 4fe3d42b122..d465e44e9ef 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -40,7 +40,8 @@ test.only ("Content-Security-Policy: style-src 'none';", async t => {
 
   console.log (response.headers)
 
-  t.ok (response.headers.get ('content-security-policy'))
+  t.ok
+    (response.headers.get ('content-security-policy').includes `style-src 'none'`)
 
   server.close ``
   t.end ()

From 63756f53649e75b66fd65372ad1a959757441d90 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:37:49 -0500
Subject: [PATCH 023/239] Remove console.logs

---
 middleware/policy.test | 2 --
 1 file changed, 2 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index d465e44e9ef..4fb416eab42 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -38,8 +38,6 @@ test.only ("Content-Security-Policy: style-src 'none';", async t => {
   , response = await fetch ('http://localhost:8181/')
 
 
-  console.log (response.headers)
-
   t.ok
     (response.headers.get ('content-security-policy').includes `style-src 'none'`)
 

From 6492df1fa466025e4b7ed9f8f64675a27263b69b Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:38:28 -0500
Subject: [PATCH 024/239] Remove semicolons from test definition

---
 middleware/policy.test | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 4fb416eab42..ccd16651ba2 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -9,10 +9,10 @@ const
 test ('calling next middleware')
 
 
-test ("Content-Security-Policy: report-uri 'self';")
+test ("Content-Security-Policy: report-uri 'self'")
 
 
-test ("Content-Security-Policy: default-src 'none';", async t => {
+test ("Content-Security-Policy: default-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
@@ -26,12 +26,12 @@ test ("Content-Security-Policy: default-src 'none';", async t => {
 })
 
 
-test ("Content-Security-Policy: frame-src 'self';")
-test ("Content-Security-Policy: connect-src 'self';")
-test ("Content-Security-Policy: img-src 'self' https://cdn.example.com;")
+test ("Content-Security-Policy: frame-src 'self'")
+test ("Content-Security-Policy: connect-src 'self'")
+test ("Content-Security-Policy: img-src 'self' https://cdn.example.com")
 
 
-test.only ("Content-Security-Policy: style-src 'none';", async t => {
+test.only ("Content-Security-Policy: style-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
@@ -46,4 +46,4 @@ test.only ("Content-Security-Policy: style-src 'none';", async t => {
 })
 
 
-test ("Content-Security-Policy: script-src 'self';")
+test ("Content-Security-Policy: script-src 'self'")

From 1f0e130a7dfebabeb41baedf8a15cc9d16d2658e Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:39:56 -0500
Subject: [PATCH 025/239] Refactor selectors to use includes

---
 middleware/policy.test | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index ccd16651ba2..0badca9652f 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -17,9 +17,10 @@ test ("Content-Security-Policy: default-src 'none'", async t => {
   const
     server   = (new Server).serve ``
   , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok (response.headers.get ('content-security-policy'))
+  t.ok ( policy.includes `default-src 'none'` )
 
   server.close ``
   t.end ()

From 549bda52c72d51988aa19defea0ab7483507a57a Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:40:00 -0500
Subject: [PATCH 026/239] Refactor selectors to use includes

---
 middleware/policy.test | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 0badca9652f..e310fcca9a7 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -37,10 +37,10 @@ test.only ("Content-Security-Policy: style-src 'none'", async t => {
   const
     server   = (new Server).serve ``
   , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok
-    (response.headers.get ('content-security-policy').includes `style-src 'none'`)
+  t.ok ( policy.includes `style-src 'none'` )
 
   server.close ``
   t.end ()

From 4cfc6acded6e46d47a01d66e2934bc14461796a6 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:45:37 -0500
Subject: [PATCH 027/239] Refactor policies

---
 middleware/policy.es | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 14ac289e9ec..7ec678403a0 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,7 +1,15 @@
 const
-  policies = [
-    `default-src 'none'` // `default-src 'self' https://${domain};`
-  , `style-src 'none'` // `style-src 'self' 'unsafe-inline' https://cdn.example.com
+  defaults
+  // `default-src 'self' https://${domain};`
+    = [`'none'`]
+
+, styles
+  // `style-src 'self' 'unsafe-inline' https://cdn.example.com
+    = [`'none'`]
+
+, policies = [
+  , `default-src ${ defaults.join ` ` };`
+  , `style-src ${ styles.join ` ` };`
   ]
 
 

From 90dbef2c1b2eddac1cd639f8a7e7d92290d3038f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:49:07 -0500
Subject: [PATCH 028/239] Remove unnecessary semi-colon

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 7ec678403a0..75f037a7c15 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -20,5 +20,5 @@ module.exports = options =>
     await next ()
 
     context.set
-      ( 'Content-Security-Policy', policies.join `; ` )
+      ( 'Content-Security-Policy', policies.join ` ` )
   }

From d60fa9573f7ee47b8fb954d3a0130a171c142bc8 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:51:41 -0500
Subject: [PATCH 029/239] Add spec for Content-Security-Policy: frame-src

---
 middleware/policy.es   |  5 +++++
 middleware/policy.test | 18 ++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 75f037a7c15..1f58eafe28a 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -3,12 +3,17 @@ const
   // `default-src 'self' https://${domain};`
     = [`'none'`]
 
+, frames
+  // `frame-src 'self' https://${domain};`
+    = [`'none'`]
+
 , styles
   // `style-src 'self' 'unsafe-inline' https://cdn.example.com
     = [`'none'`]
 
 , policies = [
   , `default-src ${ defaults.join ` ` };`
+  , `frame-src ${ frames.join ` ` };`
   , `style-src ${ styles.join ` ` };`
   ]
 
diff --git a/middleware/policy.test b/middleware/policy.test
index e310fcca9a7..8bc1b7cd805 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -27,12 +27,26 @@ test ("Content-Security-Policy: default-src 'none'", async t => {
 })
 
 
-test ("Content-Security-Policy: frame-src 'self'")
+test.only ("Content-Security-Policy: frame-src 'self'", async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes `frame-src 'none'` )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: connect-src 'self'")
 test ("Content-Security-Policy: img-src 'self' https://cdn.example.com")
 
 
-test.only ("Content-Security-Policy: style-src 'none'", async t => {
+test ("Content-Security-Policy: style-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``

From 5d2cd0af75fa1b116aa9de80307d5eb69f7f52e8 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:55:26 -0500
Subject: [PATCH 030/239] Add spec for Content-Security-Policy: connect-src

---
 middleware/policy.es   |  5 +++++
 middleware/policy.test | 18 ++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 1f58eafe28a..cd33830b7a4 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -11,9 +11,14 @@ const
   // `style-src 'self' 'unsafe-inline' https://cdn.example.com
     = [`'none'`]
 
+, connects
+  // `connect-src 'self' https://${domain};`
+    = [`'none'`]
+
 , policies = [
   , `default-src ${ defaults.join ` ` };`
   , `frame-src ${ frames.join ` ` };`
+  , `connect-src ${ connects.join ` ` };`
   , `style-src ${ styles.join ` ` };`
   ]
 
diff --git a/middleware/policy.test b/middleware/policy.test
index 8bc1b7cd805..c34c5a6b969 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -27,7 +27,7 @@ test ("Content-Security-Policy: default-src 'none'", async t => {
 })
 
 
-test.only ("Content-Security-Policy: frame-src 'self'", async t => {
+test ("Content-Security-Policy: frame-src 'self'", async t => {
 
   const
     server   = (new Server).serve ``
@@ -42,7 +42,21 @@ test.only ("Content-Security-Policy: frame-src 'self'", async t => {
 })
 
 
-test ("Content-Security-Policy: connect-src 'self'")
+test.only ("Content-Security-Policy: connect-src 'self'", async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes `connect-src 'none'` )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: img-src 'self' https://cdn.example.com")
 
 

From 6e59c347af740b9516de45f4c53615f6c547f805 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 15:58:38 -0500
Subject: [PATCH 031/239] Add spec for Content-Security-Policy: img-src

---
 middleware/policy.es   |  5 +++++
 middleware/policy.test | 17 +++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index cd33830b7a4..29e56c2108a 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -15,10 +15,15 @@ const
   // `connect-src 'self' https://${domain};`
     = [`'none'`]
 
+, images
+  // `image-src 'self' https://cdn.example.com
+    = [`'none'`]
+
 , policies = [
   , `default-src ${ defaults.join ` ` };`
   , `frame-src ${ frames.join ` ` };`
   , `connect-src ${ connects.join ` ` };`
+  , `img-src ${ images.join ` ` };`
   , `style-src ${ styles.join ` ` };`
   ]
 
diff --git a/middleware/policy.test b/middleware/policy.test
index c34c5a6b969..a6e2e00f45b 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -42,7 +42,7 @@ test ("Content-Security-Policy: frame-src 'self'", async t => {
 })
 
 
-test.only ("Content-Security-Policy: connect-src 'self'", async t => {
+test ("Content-Security-Policy: connect-src 'self'", async t => {
 
   const
     server   = (new Server).serve ``
@@ -57,7 +57,20 @@ test.only ("Content-Security-Policy: connect-src 'self'", async t => {
 })
 
 
-test ("Content-Security-Policy: img-src 'self' https://cdn.example.com")
+test.only ("Content-Security-Policy: img-src 'self'", async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes `img-src 'none'` )
+
+  server.close ``
+  t.end ()
+})
+
 
 
 test ("Content-Security-Policy: style-src 'none'", async t => {

From 28ad745539ae899c5fde92ef6471cc108c14a4f1 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:02:45 -0500
Subject: [PATCH 032/239] Add spec for Content-Security-Policy: script-src

---
 middleware/policy.es   | 15 ++++++++++-----
 middleware/policy.test | 19 +++++++++++++++----
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 29e56c2108a..34083a223cc 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -7,10 +7,6 @@ const
   // `frame-src 'self' https://${domain};`
     = [`'none'`]
 
-, styles
-  // `style-src 'self' 'unsafe-inline' https://cdn.example.com
-    = [`'none'`]
-
 , connects
   // `connect-src 'self' https://${domain};`
     = [`'none'`]
@@ -19,12 +15,21 @@ const
   // `image-src 'self' https://cdn.example.com
     = [`'none'`]
 
+, styles
+  // `style-src 'self' 'unsafe-inline' https://cdn.example.com
+    = [`'none'`]
+
+, scripts
+  // `style-src 'self' https://cdn.example.com
+    = [`'none'`]
+
 , policies = [
-  , `default-src ${ defaults.join ` ` };`
+    `default-src ${ defaults.join ` ` };`
   , `frame-src ${ frames.join ` ` };`
   , `connect-src ${ connects.join ` ` };`
   , `img-src ${ images.join ` ` };`
   , `style-src ${ styles.join ` ` };`
+  , `script-src ${ scripts.join ` ` };`
   ]
 
 
diff --git a/middleware/policy.test b/middleware/policy.test
index a6e2e00f45b..8a9995e52fb 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -57,10 +57,10 @@ test ("Content-Security-Policy: connect-src 'self'", async t => {
 })
 
 
-test.only ("Content-Security-Policy: img-src 'self'", async t => {
+test ("content-security-policy: img-src 'self'", async t => {
 
   const
-    server   = (new Server).serve ``
+    server   = (new server).serve ``
   , response = await fetch ('http://localhost:8181/')
   , policy   = response.headers.get ('content-security-policy')
 
@@ -72,7 +72,6 @@ test.only ("Content-Security-Policy: img-src 'self'", async t => {
 })
 
 
-
 test ("Content-Security-Policy: style-src 'none'", async t => {
 
   const
@@ -88,4 +87,16 @@ test ("Content-Security-Policy: style-src 'none'", async t => {
 })
 
 
-test ("Content-Security-Policy: script-src 'self'")
+test.only ("Content-Security-Policy: script-src 'self'", async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes `script-src 'none'` )
+
+  server.close ``
+  t.end ()
+})

From bf2fbc2aaed58e21cff7929cc7667cbbea147b49 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:03:36 -0500
Subject: [PATCH 033/239] Remove bug from lowercased variable name

---
 middleware/policy.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 8a9995e52fb..9daf3916ab6 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -60,7 +60,7 @@ test ("Content-Security-Policy: connect-src 'self'", async t => {
 test ("content-security-policy: img-src 'self'", async t => {
 
   const
-    server   = (new server).serve ``
+    server   = (new Server).serve ``
   , response = await fetch ('http://localhost:8181/')
   , policy   = response.headers.get ('content-security-policy')
 

From fb6951dd822e7be5f645d7cba26743c5ecfc9100 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:03:42 -0500
Subject: [PATCH 034/239] Remove only test

---
 middleware/policy.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 9daf3916ab6..b49c5891f48 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -87,7 +87,7 @@ test ("Content-Security-Policy: style-src 'none'", async t => {
 })
 
 
-test.only ("Content-Security-Policy: script-src 'self'", async t => {
+test ("Content-Security-Policy: script-src 'self'", async t => {
 
   const
     server   = (new Server).serve ``

From fa67d6dd5cb19014bddce5388bcb35f8ba074ebb Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:07:12 -0500
Subject: [PATCH 035/239] Fix scripts policy comment

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 34083a223cc..18bdb179b2a 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -20,7 +20,7 @@ const
     = [`'none'`]
 
 , scripts
-  // `style-src 'self' https://cdn.example.com
+  // `scripts-src 'self' https://cdn.example.com
     = [`'none'`]
 
 , policies = [

From 36ff06a6c46c4f11c25f708005f55e59b0386e90 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:07:37 -0500
Subject: [PATCH 036/239] Add spec for Content-Security-Policy: report-uri

---
 middleware/policy.es   |  7 ++++++-
 middleware/policy.test | 16 +++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 18bdb179b2a..36b02cddc0d 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,4 +1,8 @@
 const
+  reports
+  // `reports-src 'self' https://${domain};`
+    = [`'none'`]
+
   defaults
   // `default-src 'self' https://${domain};`
     = [`'none'`]
@@ -24,7 +28,8 @@ const
     = [`'none'`]
 
 , policies = [
-    `default-src ${ defaults.join ` ` };`
+    `report-uri ${ reports.join ` ` };`
+  , `default-src ${ defaults.join ` ` };`
   , `frame-src ${ frames.join ` ` };`
   , `connect-src ${ connects.join ` ` };`
   , `img-src ${ images.join ` ` };`
diff --git a/middleware/policy.test b/middleware/policy.test
index b49c5891f48..3ef4a0c96f8 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -9,7 +9,21 @@ const
 test ('calling next middleware')
 
 
-test ("Content-Security-Policy: report-uri 'self'")
+test ("Content-Security-Policy: report-uri 'none'", async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes `report-uri 'none'` )
+
+  server.close ``
+  t.end ()
+})
+
+
 
 
 test ("Content-Security-Policy: default-src 'none'", async t => {

From 6084bf222b623c7a3d35f918521a94514c3c19c5 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:09:25 -0500
Subject: [PATCH 037/239] Convert from self to none in Content-Security-Policy
 test descriptions

---
 middleware/policy.test | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 3ef4a0c96f8..1558e9be16c 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -41,7 +41,7 @@ test ("Content-Security-Policy: default-src 'none'", async t => {
 })
 
 
-test ("Content-Security-Policy: frame-src 'self'", async t => {
+test ("Content-Security-Policy: frame-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
@@ -56,7 +56,7 @@ test ("Content-Security-Policy: frame-src 'self'", async t => {
 })
 
 
-test ("Content-Security-Policy: connect-src 'self'", async t => {
+test ("Content-Security-Policy: connect-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
@@ -71,7 +71,7 @@ test ("Content-Security-Policy: connect-src 'self'", async t => {
 })
 
 
-test ("content-security-policy: img-src 'self'", async t => {
+test ("content-security-policy: img-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
@@ -101,7 +101,7 @@ test ("Content-Security-Policy: style-src 'none'", async t => {
 })
 
 
-test ("Content-Security-Policy: script-src 'self'", async t => {
+test ("Content-Security-Policy: script-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``

From 1cd371bf46f8bece52287ce7e0be46c2bf258394 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:11:13 -0500
Subject: [PATCH 038/239] Fix comments for Content-Security-Policy middleware
 implementation

---
 middleware/policy.es | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 36b02cddc0d..d06d9080b3e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -16,15 +16,15 @@ const
     = [`'none'`]
 
 , images
-  // `image-src 'self' https://cdn.example.com
+  // `image-src 'self' data: https://cdn.example.com`
     = [`'none'`]
 
 , styles
-  // `style-src 'self' 'unsafe-inline' https://cdn.example.com
+  // `style-src 'self' 'unsafe-inline' https://cdn.example.com`
     = [`'none'`]
 
 , scripts
-  // `scripts-src 'self' https://cdn.example.com
+  // `scripts-src 'self' https://cdn.example.com`
     = [`'none'`]
 
 , policies = [

From 1e7b8e50c851dc723c7b21212717e3a5e10766aa Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:13:16 -0500
Subject: [PATCH 039/239] Add test for script nonce

---
 middleware/policy.es | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index d06d9080b3e..8777a699479 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -24,7 +24,8 @@ const
     = [`'none'`]
 
 , scripts
-  // `scripts-src 'self' https://cdn.example.com`
+  // Script Nonce for inline <script>
+  // `scripts-src 'self' 'nonce-${nonce} https://cdn.example.com`
     = [`'none'`]
 
 , policies = [

From 5be3f744c0cd047d692313dd1d09622bf83bdcbf Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:14:00 -0500
Subject: [PATCH 040/239] Add link for script nonce

---
 middleware/policy.es | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 8777a699479..275a992621c 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -25,6 +25,7 @@ const
 
 , scripts
   // Script Nonce for inline <script>
+  // https://csp.withgoogle.com/docs/strict-csp.html
   // `scripts-src 'self' 'nonce-${nonce} https://cdn.example.com`
     = [`'none'`]
 

From fd9e817a9990c76c05cd687c05dbde54fdce1992 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:16:54 -0500
Subject: [PATCH 041/239] Use defaults for Content-Security-Policy: default-src

---
 middleware/policy.es | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 275a992621c..c26ea945b0e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,33 +1,33 @@
 const
-  reports
-  // `reports-src 'self' https://${domain};`
-    = [`'none'`]
-
   defaults
   // `default-src 'self' https://${domain};`
     = [`'none'`]
 
+, reports
+  // `reports-src 'self' https://${domain};`
+    = Array.from (defaults)
+
 , frames
   // `frame-src 'self' https://${domain};`
-    = [`'none'`]
+    = Array.from (defaults)
 
 , connects
   // `connect-src 'self' https://${domain};`
-    = [`'none'`]
+    = Array.from (defaults)
 
 , images
   // `image-src 'self' data: https://cdn.example.com`
-    = [`'none'`]
+    = Array.from (defaults)
 
 , styles
   // `style-src 'self' 'unsafe-inline' https://cdn.example.com`
-    = [`'none'`]
+    = Array.from (defaults)
 
 , scripts
   // Script Nonce for inline <script>
   // https://csp.withgoogle.com/docs/strict-csp.html
   // `scripts-src 'self' 'nonce-${nonce} https://cdn.example.com`
-    = [`'none'`]
+    = Array.from (defaults)
 
 , policies = [
     `report-uri ${ reports.join ` ` };`

From a01ff2038f44732c1890923832b8ac707bf78189 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:18:19 -0500
Subject: [PATCH 042/239] Reformat TSU for Content-Security-Policy middleware

---
 middleware/policy.es | 40 +++++++++++++++++-----------------------
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index c26ea945b0e..63dc6460673 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,43 +1,37 @@
 const
-  defaults
-  // `default-src 'self' https://${domain};`
+  defaults // `default-src 'self' https://${domain};`
     = [`'none'`]
 
-, reports
-  // `reports-src 'self' https://${domain};`
+, reports // `reports-src 'self' https://${domain};`
     = Array.from (defaults)
 
-, frames
-  // `frame-src 'self' https://${domain};`
+, frames // `frame-src 'self' https://${domain};`
     = Array.from (defaults)
 
-, connects
-  // `connect-src 'self' https://${domain};`
+, connects // `connect-src 'self' https://${domain};`
     = Array.from (defaults)
 
-, images
-  // `image-src 'self' data: https://cdn.example.com`
+, images // `image-src 'self' data: https://cdn.example.com`
     = Array.from (defaults)
 
-, styles
-  // `style-src 'self' 'unsafe-inline' https://cdn.example.com`
+, styles // `style-src 'self' 'unsafe-inline' https://cdn.example.com`
     = Array.from (defaults)
 
-, scripts
-  // Script Nonce for inline <script>
+, scripts // Script Nonce for inline <script>
   // https://csp.withgoogle.com/docs/strict-csp.html
   // `scripts-src 'self' 'nonce-${nonce} https://cdn.example.com`
     = Array.from (defaults)
 
-, policies = [
-    `report-uri ${ reports.join ` ` };`
-  , `default-src ${ defaults.join ` ` };`
-  , `frame-src ${ frames.join ` ` };`
-  , `connect-src ${ connects.join ` ` };`
-  , `img-src ${ images.join ` ` };`
-  , `style-src ${ styles.join ` ` };`
-  , `script-src ${ scripts.join ` ` };`
-  ]
+, policies
+    = [
+      `report-uri ${ reports.join ` ` };`
+    , `default-src ${ defaults.join ` ` };`
+    , `frame-src ${ frames.join ` ` };`
+    , `connect-src ${ connects.join ` ` };`
+    , `img-src ${ images.join ` ` };`
+    , `style-src ${ styles.join ` ` };`
+    , `script-src ${ scripts.join ` ` };`
+    ]
 
 
 module.exports = options =>

From 8ed6088aa83a04a10184987244e603a89d8e11dc Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:20:24 -0500
Subject: [PATCH 043/239] Only join policies without trailing semi-colon

---
 middleware/policy.es | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 63dc6460673..00b77660a2b 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -24,13 +24,13 @@ const
 
 , policies
     = [
-      `report-uri ${ reports.join ` ` };`
-    , `default-src ${ defaults.join ` ` };`
-    , `frame-src ${ frames.join ` ` };`
-    , `connect-src ${ connects.join ` ` };`
-    , `img-src ${ images.join ` ` };`
-    , `style-src ${ styles.join ` ` };`
-    , `script-src ${ scripts.join ` ` };`
+      `report-uri ${ reports.join ` ` }`
+    , `default-src ${ defaults.join ` ` }`
+    , `frame-src ${ frames.join ` ` }`
+    , `connect-src ${ connects.join ` ` }`
+    , `img-src ${ images.join ` ` }`
+    , `style-src ${ styles.join ` ` }`
+    , `script-src ${ scripts.join ` ` }`
     ]
 
 
@@ -41,5 +41,5 @@ module.exports = options =>
     await next ()
 
     context.set
-      ( 'Content-Security-Policy', policies.join ` ` )
+      ( 'Content-Security-Policy', policies.join `; ` )
   }

From 9f8b35c6762d505586ce1838afeab10d070a3f85 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:21:14 -0500
Subject: [PATCH 044/239] Update comment for report-uri

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 00b77660a2b..a65fa4cbc66 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -2,7 +2,7 @@ const
   defaults // `default-src 'self' https://${domain};`
     = [`'none'`]
 
-, reports // `reports-src 'self' https://${domain};`
+, reports // `reports-src ${path};`
     = Array.from (defaults)
 
 , frames // `frame-src 'self' https://${domain};`

From 5ce352f882bad99bfc88e2cbbdf110d9dc3b0682 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:21:32 -0500
Subject: [PATCH 045/239] Update comment for report-uri

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index a65fa4cbc66..2e5b4573ca9 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -2,7 +2,7 @@ const
   defaults // `default-src 'self' https://${domain};`
     = [`'none'`]
 
-, reports // `reports-src ${path};`
+, reports // `report-uri ${path};`
     = Array.from (defaults)
 
 , frames // `frame-src 'self' https://${domain};`

From 01102dc6ec4eaa446a96a4c48f4a264d2821d64f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:24:10 -0500
Subject: [PATCH 046/239] Use defaults for Content-Security-Policy: font-src

---
 middleware/policy.es   |  4 ++++
 middleware/policy.test | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 2e5b4573ca9..a8c40bab7bd 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -14,6 +14,9 @@ const
 , images // `image-src 'self' data: https://cdn.example.com`
     = Array.from (defaults)
 
+, fonts // `fonts-src 'self' https://cdn.example.com`
+    = Array.from (defaults)
+
 , styles // `style-src 'self' 'unsafe-inline' https://cdn.example.com`
     = Array.from (defaults)
 
@@ -29,6 +32,7 @@ const
     , `frame-src ${ frames.join ` ` }`
     , `connect-src ${ connects.join ` ` }`
     , `img-src ${ images.join ` ` }`
+    , `font-src ${ fonts.join ` ` }`
     , `style-src ${ styles.join ` ` }`
     , `script-src ${ scripts.join ` ` }`
     ]
diff --git a/middleware/policy.test b/middleware/policy.test
index 1558e9be16c..a451191fd1e 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -86,6 +86,21 @@ test ("content-security-policy: img-src 'none'", async t => {
 })
 
 
+test ("Content-Security-Policy: font-src 'none'", async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes `font-src 'none'` )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: style-src 'none'", async t => {
 
   const

From fb128dde29c59662e5d37be285fd1f1ea49b54f7 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:24:35 -0500
Subject: [PATCH 047/239] Fix font-src comment

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index a8c40bab7bd..6ec85a59ff0 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -14,7 +14,7 @@ const
 , images // `image-src 'self' data: https://cdn.example.com`
     = Array.from (defaults)
 
-, fonts // `fonts-src 'self' https://cdn.example.com`
+, fonts // `font-src 'self' https://cdn.example.com`
     = Array.from (defaults)
 
 , styles // `style-src 'self' 'unsafe-inline' https://cdn.example.com`

From 3caa818bb90b956eebc8c2eaaf7f0230af2570db Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:26:00 -0500
Subject: [PATCH 048/239] Add spec for Content-Security-Policy: object-uri

---
 middleware/policy.es   |  4 ++++
 middleware/policy.test | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 6ec85a59ff0..706f552149c 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -17,6 +17,9 @@ const
 , fonts // `font-src 'self' https://cdn.example.com`
     = Array.from (defaults)
 
+, objects // `object-src 'self' https://cdn.example.com`
+    = Array.from (defaults)
+
 , styles // `style-src 'self' 'unsafe-inline' https://cdn.example.com`
     = Array.from (defaults)
 
@@ -33,6 +36,7 @@ const
     , `connect-src ${ connects.join ` ` }`
     , `img-src ${ images.join ` ` }`
     , `font-src ${ fonts.join ` ` }`
+    , `object-src ${ objects.join ` ` }`
     , `style-src ${ styles.join ` ` }`
     , `script-src ${ scripts.join ` ` }`
     ]
diff --git a/middleware/policy.test b/middleware/policy.test
index a451191fd1e..9cc4a34488e 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -101,6 +101,21 @@ test ("Content-Security-Policy: font-src 'none'", async t => {
 })
 
 
+test ("Content-Security-Policy: object-src 'none'", async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes `object-src 'none'` )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: style-src 'none'", async t => {
 
   const

From 8a960de72216e03384d3229f90e2b8517e434c96 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:27:51 -0500
Subject: [PATCH 049/239] Add spec for Content-Security-Policy: media-uri

---
 middleware/policy.es   |  4 ++++
 middleware/policy.test | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 706f552149c..624050d2d08 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -20,6 +20,9 @@ const
 , objects // `object-src 'self' https://cdn.example.com`
     = Array.from (defaults)
 
+, medias // `media-src 'self' https://cdn.example.com`
+    = Array.from (defaults)
+
 , styles // `style-src 'self' 'unsafe-inline' https://cdn.example.com`
     = Array.from (defaults)
 
@@ -37,6 +40,7 @@ const
     , `img-src ${ images.join ` ` }`
     , `font-src ${ fonts.join ` ` }`
     , `object-src ${ objects.join ` ` }`
+    , `media-src ${ medias.join ` ` }`
     , `style-src ${ styles.join ` ` }`
     , `script-src ${ scripts.join ` ` }`
     ]
diff --git a/middleware/policy.test b/middleware/policy.test
index 9cc4a34488e..21663a0034a 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -116,6 +116,21 @@ test ("Content-Security-Policy: object-src 'none'", async t => {
 })
 
 
+test ("Content-Security-Policy: media-src 'none'", async t => {
+
+  const
+    server   = (new Server).serve ``
+  , response = await fetch ('http://localhost:8181/')
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes `media-src 'none'` )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: style-src 'none'", async t => {
 
   const

From 06bc717d1e37ee91fef4c96e03221abb594e8bcb Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:29:49 -0500
Subject: [PATCH 050/239] Add note about report-uri analytics

---
 middleware/policy.es | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 624050d2d08..0d7e5193c6a 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -2,6 +2,9 @@ const
   defaults // `default-src 'self' https://${domain};`
     = [`'none'`]
 
+// Depending on analytics framework,
+// may want to listen for securitypolicyviolation events
+// with JavaScript and collect more information about the client before reporting.
 , reports // `report-uri ${path};`
     = Array.from (defaults)
 

From d368c5660dda6c148274e6e6c06f122121a8979f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:31:34 -0500
Subject: [PATCH 051/239] Add comment for default-src in
 Content-Security-Policy

---
 middleware/policy.es | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 0d7e5193c6a..5dad4e57480 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,5 +1,6 @@
 const
-  defaults // `default-src 'self' https://${domain};`
+  // `default-src 'self' safari-extension:// chrome-extension:// https://${domain};`
+  defaults
     = [`'none'`]
 
 // Depending on analytics framework,

From 0e13003cea5ffc1185af5c986fe3c9dd432e2038 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:34:17 -0500
Subject: [PATCH 052/239] Add comment for report-uri.com pricing

---
 middleware/policy.es | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 5dad4e57480..1036008f383 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,3 +1,6 @@
+// Can actually charge for this feature
+// https://report-uri.com/#prices
+
 const
   // `default-src 'self' safari-extension:// chrome-extension:// https://${domain};`
   defaults

From f66318dba32b32e50aa8a433930af491a7aa93b5 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 16:40:33 -0500
Subject: [PATCH 053/239] Add report-uri.com url for reporting

---
 middleware/policy.es   | 2 +-
 middleware/policy.test | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 1036008f383..344561ea15e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -10,7 +10,7 @@ const
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
 , reports // `report-uri ${path};`
-    = Array.from (defaults)
+    = ['https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce']
 
 , frames // `frame-src 'self' https://${domain};`
     = Array.from (defaults)
diff --git a/middleware/policy.test b/middleware/policy.test
index 21663a0034a..d401a51bc15 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -9,7 +9,9 @@ const
 test ('calling next middleware')
 
 
-test ("Content-Security-Policy: report-uri 'none'", async t => {
+test (`Content-Security-Policy: report-uri
+      'https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce'`
+, async t => {
 
   const
     server   = (new Server).serve ``
@@ -17,7 +19,7 @@ test ("Content-Security-Policy: report-uri 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `report-uri 'none'` )
+  t.ok ( policy.includes`report-uri https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce` )
 
   server.close ``
   t.end ()

From e9ba86ab7af9521fef5af6dc0ab888dc16e53677 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:05:20 -0500
Subject: [PATCH 054/239] Add spec for Content-Security-Policy-Report-Only

---
 middleware/policy.es   | 10 +++++++---
 middleware/policy.test | 17 +++++++++++++++--
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 344561ea15e..a2c21f7aaf8 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -55,10 +55,14 @@ const
 
 module.exports = options =>
 
-  async (context, next) => {
+  async (context, next, header) => {
 
     await next ()
 
-    context.set
-      ( 'Content-Security-Policy', policies.join `; ` )
+    header
+      = 'Content-Security-Policy'
+      + ( 'report' in context.request.query ? '-Report-Only' : '' )
+
+    context
+      .set ( header, policies.join `; ` )
   }
diff --git a/middleware/policy.test b/middleware/policy.test
index d401a51bc15..73a311a7fbe 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -9,6 +9,21 @@ const
 test ('calling next middleware')
 
 
+test ('Content-Security-Policy-Report-Only', async t => {
+
+  const
+    server   = (new Server).serve ``
+    // notice ?report
+  , response = await fetch ('http://localhost:8181/?report')
+
+
+  t.ok ( response.headers.get ('Content-Security-Policy-Report-Only') )
+
+  server.close ``
+  t.end ()
+})
+
+
 test (`Content-Security-Policy: report-uri
       'https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce'`
 , async t => {
@@ -26,8 +41,6 @@ test (`Content-Security-Policy: report-uri
 })
 
 
-
-
 test ("Content-Security-Policy: default-src 'none'", async t => {
 
   const

From fdf382d793540ea2cb35d719d0cd2d5a7efbde81 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:07:40 -0500
Subject: [PATCH 055/239] Add test to ensure Content-Security-Policy is not
 sent with ?report

---
 middleware/policy.test | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 73a311a7fbe..f0c38e2f343 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -17,7 +17,11 @@ test ('Content-Security-Policy-Report-Only', async t => {
   , response = await fetch ('http://localhost:8181/?report')
 
 
-  t.ok ( response.headers.get ('Content-Security-Policy-Report-Only') )
+  t.notOk
+    ( response.headers.get ('Content-Security-Policy') )
+
+  t.ok
+    ( response.headers.get ('Content-Security-Policy-Report-Only') )
 
   server.close ``
   t.end ()

From 68f44f901030de683eba76e5fea07e4183c1932b Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:08:23 -0500
Subject: [PATCH 056/239] Add comment about security breach of ?report

  /cc @brandondees @tmornini
---
 middleware/policy.es | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index a2c21f7aaf8..ff2fae69944 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -61,6 +61,8 @@ module.exports = options =>
 
     header
       = 'Content-Security-Policy'
+      // Is this a security breach?
+      // Will someone be able to disable CSP with this?
       + ( 'report' in context.request.query ? '-Report-Only' : '' )
 
     context

From 24403b63fe181ccb5880f0756888323269fc3ab3 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:11:13 -0500
Subject: [PATCH 057/239] Add comment about XSS attacks using unsafe-inline

---
 middleware/policy.es | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index ff2fae69944..af1b1151672 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -36,6 +36,7 @@ const
 , scripts // Script Nonce for inline <script>
   // https://csp.withgoogle.com/docs/strict-csp.html
   // `scripts-src 'self' 'nonce-${nonce} https://cdn.example.com`
+  // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
     = Array.from (defaults)
 
 , policies

From 65609ad3ea3628b6632201ef19e969c41e67be0b Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:12:41 -0500
Subject: [PATCH 058/239] Add W3C specification link to README.md

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index e53b0e4e042..c4bbbcbbcf0 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -20,6 +20,7 @@ Browser security for frames and XSS attacks
 
 Middleware used for CSP (Content Security Policy).
 
+  - W3C Specification - https://w3c.github.io/webappsec-csp
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
   - Node Security Platform - https://nodesecurity.io/resources

From 7ccf2e2c88a5af96c8790037791a3ee122fd6cec Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:14:03 -0500
Subject: [PATCH 059/239] Add W3C NONCE reference to middleware/policy.es

---
 middleware/policy.es | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index af1b1151672..1a169e4470d 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -35,7 +35,9 @@ const
 
 , scripts // Script Nonce for inline <script>
   // https://csp.withgoogle.com/docs/strict-csp.html
-  // `scripts-src 'self' 'nonce-${nonce} https://cdn.example.com`
+  // `scripts-src 'self'
+  // 'nonce-${nonce} https://cdn.example.com`
+  //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
   // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
     = Array.from (defaults)
 

From 9a2c6062605bf6ebef16a46c6c521dca05d6fb1a Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:14:54 -0500
Subject: [PATCH 060/239] Add W3C NONCE uniqueness comment

---
 middleware/policy.es | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 1a169e4470d..02e7d9121d5 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -37,6 +37,7 @@ const
   // https://csp.withgoogle.com/docs/strict-csp.html
   // `scripts-src 'self'
   // 'nonce-${nonce} https://cdn.example.com`
+  // ** NONCE MUST BE UNIQUE **
   //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
   // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
     = Array.from (defaults)

From 649a6df499e9492c0fe5a6df8624f7040ae9186f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:19:15 -0500
Subject: [PATCH 061/239] Add comment about nonces for Safari Lack of
 support:-(

---
 middleware/policy.es | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 02e7d9121d5..880b6976b02 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -35,11 +35,13 @@ const
 
 , scripts // Script Nonce for inline <script>
   // https://csp.withgoogle.com/docs/strict-csp.html
-  // `scripts-src 'self'
-  // 'nonce-${nonce} https://cdn.example.com`
+  // scripts-src 'self'
+  // nonce-${nonce}
   // ** NONCE MUST BE UNIQUE **
   //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
   // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
+  // **THAT BEING SAID...For Safari 😢
+  // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
     = Array.from (defaults)
 
 , policies

From 4ac58953a189817bf7a6e928a72aeb38b2e14dad Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:21:10 -0500
Subject: [PATCH 062/239] Add link to MDN documentaiton for CSP

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index c4bbbcbbcf0..0e3b4b1b723 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -21,6 +21,7 @@ Browser security for frames and XSS attacks
 Middleware used for CSP (Content Security Policy).
 
   - W3C Specification - https://w3c.github.io/webappsec-csp
+  - MDN Documentation - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
   - Node Security Platform - https://nodesecurity.io/resources

From 7fff2896e432787267170bac742687f1a465b491 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:22:33 -0500
Subject: [PATCH 063/239] Add link to MDN documentaiton for HTTP Header
 Content-Security-Policy

---
 middleware/policy.es | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 880b6976b02..05d534ae74d 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -65,6 +65,7 @@ module.exports = options =>
 
     await next ()
 
+    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
     header
       = 'Content-Security-Policy'
       // Is this a security breach?

From 47fe530377fb643ad1c01d13a2a48b150c562d7d Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:37:04 -0500
Subject: [PATCH 064/239] Add documentation about CSP to middleware/README.md

---
 middleware/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware/README.md b/middleware/README.md
index 0e3b4b1b723..eba60357b0b 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -20,7 +20,9 @@ Browser security for frames and XSS attacks
 
 Middleware used for CSP (Content Security Policy).
 
-  - W3C Specification - https://w3c.github.io/webappsec-csp
+  - W3C CSP3 Specification - https://w3c.github.io/webappsec-csp
+  - W3C Mixed Content (CR) - https://w3c.github.io/webappsec-mixed-content
+  - W3C Upgrade Insecure Requests (CR) - https://w3c.github.io/webappsec/specs/upgrade/
   - MDN Documentation - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

From 9094a135a6884c6a9d8d7ac039efb9834ebdb1d2 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:37:56 -0500
Subject: [PATCH 065/239] Add dummy logic for remaining CSP directives

---
 middleware/policy.es | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 05d534ae74d..ee7b46ce451 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -46,7 +46,12 @@ const
 
 , policies
     = [
-      `report-uri ${ reports.join ` ` }`
+
+    // Reporting directives
+      `report-uri ${ reports.join ` ` }` // backwards compatibility
+//  , `report-to ${ reports.join ` ` }`  // greenfield
+
+    // Fetch directives
     , `default-src ${ defaults.join ` ` }`
     , `frame-src ${ frames.join ` ` }`
     , `connect-src ${ connects.join ` ` }`
@@ -56,6 +61,24 @@ const
     , `media-src ${ medias.join ` ` }`
     , `style-src ${ styles.join ` ` }`
     , `script-src ${ scripts.join ` ` }`
+
+//  , `worker-src ${ workers.join ` ` }`
+
+    // Document directives
+//  , `form-action ${ forms.join ` ` }`
+//  , `frame-ancestors ${ ancestors.join ` ` }`
+//  , `sandbox ${ sandboxes.join ` ` }`
+
+//  // Other directives
+//  // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+//  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
+//  , `require-sri-for ${ integrities.join ` ` }`
+//  , `block-all-mixed-content ${ reports.join ` ` }`
+//  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
+//  , `update-insecure-requests`
+
+//  // DEPRECATED!! See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+//  , `referrer`
     ]
 
 
@@ -65,13 +88,18 @@ module.exports = options =>
 
     await next ()
 
-    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
     header
+
+      // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
       = 'Content-Security-Policy'
+
       // Is this a security breach?
       // Will someone be able to disable CSP with this?
+      // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
       + ( 'report' in context.request.query ? '-Report-Only' : '' )
 
+
     context
       .set ( header, policies.join `; ` )
   }

From 6b58fd078efd281a7468d42ab41d099f3d6a9c39 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 17:39:30 -0500
Subject: [PATCH 066/239] Add link to Moz://a Security Guidelines

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index eba60357b0b..c1c0d758a31 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -24,6 +24,7 @@ Middleware used for CSP (Content Security Policy).
   - W3C Mixed Content (CR) - https://w3c.github.io/webappsec-mixed-content
   - W3C Upgrade Insecure Requests (CR) - https://w3c.github.io/webappsec/specs/upgrade/
   - MDN Documentation - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+  - Mozilla Security Guidelines - https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
   - Node Security Platform - https://nodesecurity.io/resources

From e7dca4a4dd8211c184e6e3ffe8959ab4c8e9f895 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 19 Jan 2018 20:24:49 -0500
Subject: [PATCH 067/239] Add link to GOOGLE CSP

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index c1c0d758a31..b359acff824 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -24,6 +24,7 @@ Middleware used for CSP (Content Security Policy).
   - W3C Mixed Content (CR) - https://w3c.github.io/webappsec-mixed-content
   - W3C Upgrade Insecure Requests (CR) - https://w3c.github.io/webappsec/specs/upgrade/
   - MDN Documentation - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+  - GOOGLE CSP - https://csp.withgoogle.com/docs/strict-csp.html
   - Mozilla Security Guidelines - https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

From 3c6b9464df5af978acbb8c3355d97c783da851e6 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 00:35:54 -0500
Subject: [PATCH 068/239] Add link to security headers.io

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index b359acff824..310ccc8976a 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -20,6 +20,7 @@ Browser security for frames and XSS attacks
 
 Middleware used for CSP (Content Security Policy).
 
+  - https://securityheaders.io
   - W3C CSP3 Specification - https://w3c.github.io/webappsec-csp
   - W3C Mixed Content (CR) - https://w3c.github.io/webappsec-mixed-content
   - W3C Upgrade Insecure Requests (CR) - https://w3c.github.io/webappsec/specs/upgrade/

From 99a721824127648fc23bf7e23e1e543d591c9055 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 00:43:45 -0500
Subject: [PATCH 069/239] Add wikipedia link for CSP

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index 310ccc8976a..d9baaa81782 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -24,6 +24,7 @@ Middleware used for CSP (Content Security Policy).
   - W3C CSP3 Specification - https://w3c.github.io/webappsec-csp
   - W3C Mixed Content (CR) - https://w3c.github.io/webappsec-mixed-content
   - W3C Upgrade Insecure Requests (CR) - https://w3c.github.io/webappsec/specs/upgrade/
+  - Wikipedia Documentation - https://en.wikipedia.org/wiki/Content_Security_Policy
   - MDN Documentation - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
   - GOOGLE CSP - https://csp.withgoogle.com/docs/strict-csp.html
   - Mozilla Security Guidelines - https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy

From 44570474f10625a4777848a1027a3060b50802c0 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 00:45:48 -0500
Subject: [PATCH 070/239] Add Github link for CSP

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index d9baaa81782..71d24835a6b 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -31,6 +31,7 @@ Middleware used for CSP (Content Security Policy).
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
   - Node Security Platform - https://nodesecurity.io/resources
+  - Github's CSP Journey - https://githubengineering.com/githubs-csp-journey
 
 ## snuggsi.route
 

From 4ab49bfe0997069eaceb3551a608d5b852714e3e Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 00:59:02 -0500
Subject: [PATCH 071/239] Add Github link for post-CSP journey

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index 71d24835a6b..5cc405cbfb7 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -32,6 +32,7 @@ Middleware used for CSP (Content Security Policy).
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
   - Node Security Platform - https://nodesecurity.io/resources
   - Github's CSP Journey - https://githubengineering.com/githubs-csp-journey
+  - Github's post-CSP Journey - https://githubengineering.com/githubs-post-csp-journey
 
 ## snuggsi.route
 

From 08d634735a932ea2a85077e2f11cc523bf482267 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 01:07:19 -0500
Subject: [PATCH 072/239] Add services and links section to middleware

---
 middleware/README.md | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/middleware/README.md b/middleware/README.md
index 5cc405cbfb7..3a506289bde 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -20,12 +20,21 @@ Browser security for frames and XSS attacks
 
 Middleware used for CSP (Content Security Policy).
 
-  - https://securityheaders.io
   - W3C CSP3 Specification - https://w3c.github.io/webappsec-csp
   - W3C Mixed Content (CR) - https://w3c.github.io/webappsec-mixed-content
   - W3C Upgrade Insecure Requests (CR) - https://w3c.github.io/webappsec/specs/upgrade/
   - Wikipedia Documentation - https://en.wikipedia.org/wiki/Content_Security_Policy
   - MDN Documentation - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+
+
+### Services
+
+  - https://securityheaders.io
+
+
+### Links
+
+  - Helmet - https://helmetjs.github.io
   - GOOGLE CSP - https://csp.withgoogle.com/docs/strict-csp.html
   - Mozilla Security Guidelines - https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757

From b8c832d5552decbe2a8c92fc75ec277e9b99377c Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 01:20:41 -0500
Subject: [PATCH 073/239] Add link to W3C Web App Security

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index 3a506289bde..c96b9a52fad 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -20,6 +20,7 @@ Browser security for frames and XSS attacks
 
 Middleware used for CSP (Content Security Policy).
 
+  - W3C Web App Security - https://github.com/w3c/webappsec
   - W3C CSP3 Specification - https://w3c.github.io/webappsec-csp
   - W3C Mixed Content (CR) - https://w3c.github.io/webappsec-mixed-content
   - W3C Upgrade Insecure Requests (CR) - https://w3c.github.io/webappsec/specs/upgrade/

From bf3544f8d50f708a668f3bad8d5bbf94e2151638 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 01:34:18 -0500
Subject: [PATCH 074/239] Remove quotes from test description

---
 middleware/policy.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index f0c38e2f343..bf11c044600 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -29,7 +29,7 @@ test ('Content-Security-Policy-Report-Only', async t => {
 
 
 test (`Content-Security-Policy: report-uri
-      'https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce'`
+      https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce`
 , async t => {
 
   const

From 64626fb7ea0f578206362c1da1f784e3ccb68987 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 02:59:18 -0500
Subject: [PATCH 075/239] Add links for report-uri

---
 middleware/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/middleware/README.md b/middleware/README.md
index c96b9a52fad..f7fb48724da 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -30,7 +30,8 @@ Middleware used for CSP (Content Security Policy).
 
 ### Services
 
-  - https://securityheaders.io
+  - Report-Uri - https://report-uri.com
+  - Reporting for security headershttps://securityheaders.io
 
 
 ### Links

From 6c61387ad850bc15e604cdc7e5e6d53e4295ac1a Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 03:03:55 -0500
Subject: [PATCH 076/239] Add Collection of CSP Bypasses

---
 middleware/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware/README.md b/middleware/README.md
index f7fb48724da..888f5e99c7c 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -32,6 +32,7 @@ Middleware used for CSP (Content Security Policy).
 
   - Report-Uri - https://report-uri.com
   - Reporting for security headershttps://securityheaders.io
+  - Collection of CSP Bypasses - http://sebastian-lekies.de/csp/bypasses.php
 
 
 ### Links

From 4847e821a353319b576050f067d5e5b0332dc9ce Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 21:15:52 -0500
Subject: [PATCH 077/239] Format whitespace in middleware/policy.test

---
 middleware/policy.test | 54 +++++++++++++++++++++++++++++++++---------
 1 file changed, 43 insertions(+), 11 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index bf11c044600..d36522e3623 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -13,8 +13,10 @@ test ('Content-Security-Policy-Report-Only', async t => {
 
   const
     server   = (new Server).serve ``
+
     // notice ?report
-  , response = await fetch ('http://localhost:8181/?report')
+  , response = await
+      fetch ('http://localhost:8181/?report')
 
 
   t.notOk
@@ -34,7 +36,10 @@ test (`Content-Security-Policy: report-uri
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 
@@ -49,7 +54,10 @@ test ("Content-Security-Policy: default-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 
@@ -64,7 +72,10 @@ test ("Content-Security-Policy: frame-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 
@@ -79,7 +90,10 @@ test ("Content-Security-Policy: connect-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 
@@ -94,7 +108,10 @@ test ("content-security-policy: img-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 
@@ -109,7 +126,10 @@ test ("Content-Security-Policy: font-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 
@@ -124,7 +144,10 @@ test ("Content-Security-Policy: object-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 
@@ -139,7 +162,10 @@ test ("Content-Security-Policy: media-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 
@@ -154,7 +180,10 @@ test ("Content-Security-Policy: style-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 
@@ -169,7 +198,10 @@ test ("Content-Security-Policy: script-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``
-  , response = await fetch ('http://localhost:8181/')
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
   , policy   = response.headers.get ('content-security-policy')
 
 

From 92cdff363c38eac237b54330d2a9f94a1b4ed254 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 22:17:45 -0500
Subject: [PATCH 078/239] Add spec for Content-Security-Policy: worker-src
 specification

---
 middleware/policy.es   |  6 ++++--
 middleware/policy.test | 22 ++++++++++++++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index ee7b46ce451..90e48d2c446 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -44,9 +44,11 @@ const
   // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
     = Array.from (defaults)
 
+, workers // `worker-src 'self'
+    = Array.from (defaults)
+
 , policies
     = [
-
     // Reporting directives
       `report-uri ${ reports.join ` ` }` // backwards compatibility
 //  , `report-to ${ reports.join ` ` }`  // greenfield
@@ -61,8 +63,8 @@ const
     , `media-src ${ medias.join ` ` }`
     , `style-src ${ styles.join ` ` }`
     , `script-src ${ scripts.join ` ` }`
+    , `worker-src ${ workers.join ` ` }`
 
-//  , `worker-src ${ workers.join ` ` }`
 
     // Document directives
 //  , `form-action ${ forms.join ` ` }`
diff --git a/middleware/policy.test b/middleware/policy.test
index d36522e3623..941658d5ea6 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -12,7 +12,7 @@ test ('calling next middleware')
 test ('Content-Security-Policy-Report-Only', async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
     // notice ?report
   , response = await
@@ -53,7 +53,7 @@ test (`Content-Security-Policy: report-uri
 test ("Content-Security-Policy: default-src 'none'", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
@@ -210,3 +210,21 @@ test ("Content-Security-Policy: script-src 'none'", async t => {
   server.close ``
   t.end ()
 })
+
+
+test.only ("Content-Security-Policy: worker-src 'none'", async t => {
+
+  const
+    server   = (new Server).serve ``
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes `worker-src 'none'` )
+
+  server.close ``
+  t.end ()
+})

From 4dd7f10d1518b1a0736a4d0bfd7310ae610c1607 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 22:18:11 -0500
Subject: [PATCH 079/239] Remove only test

---
 middleware/policy.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 941658d5ea6..8dc6060b2a7 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -212,7 +212,7 @@ test ("Content-Security-Policy: script-src 'none'", async t => {
 })
 
 
-test.only ("Content-Security-Policy: worker-src 'none'", async t => {
+test ("Content-Security-Policy: worker-src 'none'", async t => {
 
   const
     server   = (new Server).serve ``

From 0bc06c656faf8e3b0b8b410b3413e2fb95f6ccf0 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 22:21:49 -0500
Subject: [PATCH 080/239] Fix formatting of middleware/policy.es

---
 middleware/policy.es | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 90e48d2c446..7bdce2655a3 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -47,26 +47,25 @@ const
 , workers // `worker-src 'self'
     = Array.from (defaults)
 
-, policies
-    = [
-    // Reporting directives
-      `report-uri ${ reports.join ` ` }` // backwards compatibility
+, policies = [
+  // Reporting directives
+    `report-uri ${ reports.join ` ` }` // backwards compatibility
 //  , `report-to ${ reports.join ` ` }`  // greenfield
 
-    // Fetch directives
-    , `default-src ${ defaults.join ` ` }`
-    , `frame-src ${ frames.join ` ` }`
-    , `connect-src ${ connects.join ` ` }`
-    , `img-src ${ images.join ` ` }`
-    , `font-src ${ fonts.join ` ` }`
-    , `object-src ${ objects.join ` ` }`
-    , `media-src ${ medias.join ` ` }`
-    , `style-src ${ styles.join ` ` }`
-    , `script-src ${ scripts.join ` ` }`
-    , `worker-src ${ workers.join ` ` }`
+  // Fetch directives
+  , `default-src ${ defaults.join ` ` }`
+  , `frame-src ${ frames.join ` ` }`
+  , `connect-src ${ connects.join ` ` }`
+  , `img-src ${ images.join ` ` }`
+  , `font-src ${ fonts.join ` ` }`
+  , `object-src ${ objects.join ` ` }`
+  , `media-src ${ medias.join ` ` }`
+  , `style-src ${ styles.join ` ` }`
+  , `script-src ${ scripts.join ` ` }`
+  , `worker-src ${ workers.join ` ` }`
 
 
-    // Document directives
+  // Document directives
 //  , `form-action ${ forms.join ` ` }`
 //  , `frame-ancestors ${ ancestors.join ` ` }`
 //  , `sandbox ${ sandboxes.join ` ` }`
@@ -81,7 +80,7 @@ const
 
 //  // DEPRECATED!! See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 //  , `referrer`
-    ]
+  ]
 
 
 module.exports = options =>

From 842b6903b7505e46e0b466256499cbd9af691164 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 22:23:50 -0500
Subject: [PATCH 081/239] Remove default 'self' value from policy comments

---
 middleware/policy.es | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 7bdce2655a3..a29d2cc675f 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -12,30 +12,30 @@ const
 , reports // `report-uri ${path};`
     = ['https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce']
 
-, frames // `frame-src 'self' https://${domain};`
+, frames // frame-src
     = Array.from (defaults)
 
-, connects // `connect-src 'self' https://${domain};`
+, connects // connect-src
     = Array.from (defaults)
 
-, images // `image-src 'self' data: https://cdn.example.com`
+, images // image-src
     = Array.from (defaults)
 
-, fonts // `font-src 'self' https://cdn.example.com`
+, fonts // font-src
     = Array.from (defaults)
 
-, objects // `object-src 'self' https://cdn.example.com`
+, objects // object-src
     = Array.from (defaults)
 
-, medias // `media-src 'self' https://cdn.example.com`
+, medias // media-src
     = Array.from (defaults)
 
-, styles // `style-src 'self' 'unsafe-inline' https://cdn.example.com`
+, styles // style-src
     = Array.from (defaults)
 
 , scripts // Script Nonce for inline <script>
   // https://csp.withgoogle.com/docs/strict-csp.html
-  // scripts-src 'self'
+  // scripts-src
   // nonce-${nonce}
   // ** NONCE MUST BE UNIQUE **
   //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
@@ -44,7 +44,7 @@ const
   // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
     = Array.from (defaults)
 
-, workers // `worker-src 'self'
+, workers // worker-src
     = Array.from (defaults)
 
 , policies = [

From 7ce2ecd16577f7b23f85067fadc4b4f5b430dcd6 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 22:39:34 -0500
Subject: [PATCH 082/239] Content-Security-Policy fallback worker-src to
 script-src

---
 middleware/policy.es | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index a29d2cc675f..b86701964c2 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -45,7 +45,8 @@ const
     = Array.from (defaults)
 
 , workers // worker-src
-    = Array.from (defaults)
+    // script-src fallback
+    = Array.from (scripts)
 
 , policies = [
   // Reporting directives

From a9e398daf24823df52d98a2b7c7c9162fcf99ea8 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 22:41:25 -0500
Subject: [PATCH 083/239] Content-Security-Policy fallback frame-src to
 default-src

---
 middleware/policy.es | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index b86701964c2..37c99cabc93 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -13,6 +13,8 @@ const
     = ['https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce']
 
 , frames // frame-src
+    // *DEPRECATED* child-src fallback
+    // default-src fallback
     = Array.from (defaults)
 
 , connects // connect-src

From 680f423715107f4752f9dca253658df29edbc382 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 22:42:15 -0500
Subject: [PATCH 084/239] Content-Security-Policy fallback script-src to
 default-src

---
 middleware/policy.es | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 37c99cabc93..f6b280f4fe5 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -36,14 +36,15 @@ const
     = Array.from (defaults)
 
 , scripts // Script Nonce for inline <script>
-  // https://csp.withgoogle.com/docs/strict-csp.html
-  // scripts-src
-  // nonce-${nonce}
-  // ** NONCE MUST BE UNIQUE **
-  //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
-  // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
-  // **THAT BEING SAID...For Safari 😢
-  // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
+    // https://csp.withgoogle.com/docs/strict-csp.html
+    // scripts-src
+    // nonce-${nonce}
+    // ** NONCE MUST BE UNIQUE **
+    //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
+    // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
+    // **THAT BEING SAID...For Safari 😢
+    // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
+    // default-src fallback
     = Array.from (defaults)
 
 , workers // worker-src

From 7921d9f3661299ff1dde8462c38b4c7f811f75a7 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 23:07:24 -0500
Subject: [PATCH 085/239] Content-Security-Policy Deprecate report-uri for
 report-to

---
 middleware/policy.es   | 6 +++---
 middleware/policy.test | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index f6b280f4fe5..ff0ab2da1a2 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -9,7 +9,8 @@ const
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
-, reports // `report-uri ${path};`
+, reports // report-to
+    // *DEPRECATED* report-uri
     = ['https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce']
 
 , frames // frame-src
@@ -53,8 +54,7 @@ const
 
 , policies = [
   // Reporting directives
-    `report-uri ${ reports.join ` ` }` // backwards compatibility
-//  , `report-to ${ reports.join ` ` }`  // greenfield
+  , `report-to ${ reports.join ` ` }`  // greenfield
 
   // Fetch directives
   , `default-src ${ defaults.join ` ` }`
diff --git a/middleware/policy.test b/middleware/policy.test
index 8dc6060b2a7..25c5072c31b 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -30,7 +30,7 @@ test ('Content-Security-Policy-Report-Only', async t => {
 })
 
 
-test (`Content-Security-Policy: report-uri
+test (`Content-Security-Policy: report-to
       https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce`
 , async t => {
 
@@ -43,7 +43,7 @@ test (`Content-Security-Policy: report-uri
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes`report-uri https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce` )
+  t.ok ( policy.includes`report-to https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce` )
 
   server.close ``
   t.end ()

From 59cd8d1912ae45aa343d77b6ce673f0dfb0e9348 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 23:10:33 -0500
Subject: [PATCH 086/239] Content-Security-Policy: Rename policies collection
 to directives

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index ff0ab2da1a2..5d6181e971e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -52,7 +52,7 @@ const
     // script-src fallback
     = Array.from (scripts)
 
-, policies = [
+, directives = [
   // Reporting directives
   , `report-to ${ reports.join ` ` }`  // greenfield
 
@@ -106,5 +106,5 @@ module.exports = options =>
 
 
     context
-      .set ( header, policies.join `; ` )
+      .set ( header, directives.join `; ` )
   }

From 2c1e847c083880dbc5b9008676681376a9919fd6 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 23:16:44 -0500
Subject: [PATCH 087/239] Content-Security-Policy: fix broken link

---
 middleware/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/README.md b/middleware/README.md
index 888f5e99c7c..cbdc6043aab 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -31,7 +31,7 @@ Middleware used for CSP (Content Security Policy).
 ### Services
 
   - Report-Uri - https://report-uri.com
-  - Reporting for security headershttps://securityheaders.io
+  - Reporting for security headers https://securityheaders.io
   - Collection of CSP Bypasses - http://sebastian-lekies.de/csp/bypasses.php
 
 

From 5bbf3eb27e79af9c3c1c348e648d05db80977ff2 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 23:31:29 -0500
Subject: [PATCH 088/239] Add comment for default-src

---
 middleware/policy.es | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 5d6181e971e..ae97286c45d 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -19,21 +19,27 @@ const
     = Array.from (defaults)
 
 , connects // connect-src
+    // default-src fallback
     = Array.from (defaults)
 
 , images // image-src
+    // default-src fallback
     = Array.from (defaults)
 
 , fonts // font-src
+    // default-src fallback
     = Array.from (defaults)
 
 , objects // object-src
+    // default-src fallback
     = Array.from (defaults)
 
 , medias // media-src
+    // default-src fallback
     = Array.from (defaults)
 
 , styles // style-src
+    // default-src fallback
     = Array.from (defaults)
 
 , scripts // Script Nonce for inline <script>

From a27293f3cafa6d31bc2d4e6477d5e0ff61a01bf3 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 20 Jan 2018 23:46:23 -0500
Subject: [PATCH 089/239] Fix bug in Content-Security-Policy creating prefixing
 semi-colon

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index ae97286c45d..ff23a342b14 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -60,7 +60,7 @@ const
 
 , directives = [
   // Reporting directives
-  , `report-to ${ reports.join ` ` }`  // greenfield
+    `report-to ${ reports.join ` ` }`  // greenfield
 
   // Fetch directives
   , `default-src ${ defaults.join ` ` }`

From 1a9bce66b91047ed114a5ca2c97d5459b6775309 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 00:46:34 -0500
Subject: [PATCH 090/239] Remove only test

---
 middleware/policy.test | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 25c5072c31b..2b7473fc169 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -5,6 +5,8 @@ const
 , { Server }
     = require ('..')
 
+, defaults = [`'none'`].join `; `
+
 
 test ('calling next middleware')
 
@@ -30,9 +32,7 @@ test ('Content-Security-Policy-Report-Only', async t => {
 })
 
 
-test (`Content-Security-Policy: report-to
-      https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce`
-, async t => {
+test (`Content-Security-Policy: report-to` , async t => {
 
   const
     server   = (new Server).serve ``
@@ -50,7 +50,7 @@ test (`Content-Security-Policy: report-to
 })
 
 
-test ("Content-Security-Policy: default-src 'none'", async t => {
+test ("Content-Security-Policy: default-src", async t => {
 
   const
     server = (new Server).serve ``
@@ -61,7 +61,9 @@ test ("Content-Security-Policy: default-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `default-src 'none'` )
+  console.log (policy, `default-src ${defaults}`)
+
+  t.ok ( policy.includes `default-src ${defaults}` )
 
   server.close ``
   t.end ()

From 214d61040c3d9d1e4c112c5db0293713072b7c4e Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 00:47:02 -0500
Subject: [PATCH 091/239] Content-Security-Policy: Fallback to using defaults
 for each directive

---
 middleware/policy.test | 40 +++++++++++++++++++---------------------
 1 file changed, 19 insertions(+), 21 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 2b7473fc169..377766c3b1f 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -61,16 +61,14 @@ test ("Content-Security-Policy: default-src", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  console.log (policy, `default-src ${defaults}`)
-
-  t.ok ( policy.includes `default-src ${defaults}` )
+  t.ok ( policy.includes (`default-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ("Content-Security-Policy: frame-src 'none'", async t => {
+test ("Content-Security-Policy: frame-src", async t => {
 
   const
     server   = (new Server).serve ``
@@ -81,14 +79,14 @@ test ("Content-Security-Policy: frame-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `frame-src 'none'` )
+  t.ok ( policy.includes (`frame-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ("Content-Security-Policy: connect-src 'none'", async t => {
+test ("Content-Security-Policy: connect-src", async t => {
 
   const
     server   = (new Server).serve ``
@@ -99,14 +97,14 @@ test ("Content-Security-Policy: connect-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `connect-src 'none'` )
+  t.ok ( policy.includes (`connect-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ("content-security-policy: img-src 'none'", async t => {
+test ("content-security-policy: img-src", async t => {
 
   const
     server   = (new Server).serve ``
@@ -117,14 +115,14 @@ test ("content-security-policy: img-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `img-src 'none'` )
+  t.ok ( policy.includes (`img-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ("Content-Security-Policy: font-src 'none'", async t => {
+test ("Content-Security-Policy: font-src", async t => {
 
   const
     server   = (new Server).serve ``
@@ -135,14 +133,14 @@ test ("Content-Security-Policy: font-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `font-src 'none'` )
+  t.ok ( policy.includes (`font-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ("Content-Security-Policy: object-src 'none'", async t => {
+test ("Content-Security-Policy: object-src", async t => {
 
   const
     server   = (new Server).serve ``
@@ -153,14 +151,14 @@ test ("Content-Security-Policy: object-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `object-src 'none'` )
+  t.ok ( policy.includes (`object-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ("Content-Security-Policy: media-src 'none'", async t => {
+test ("Content-Security-Policy: media-src", async t => {
 
   const
     server   = (new Server).serve ``
@@ -171,14 +169,14 @@ test ("Content-Security-Policy: media-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `media-src 'none'` )
+  t.ok ( policy.includes (`media-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ("Content-Security-Policy: style-src 'none'", async t => {
+test ("Content-Security-Policy: style-src", async t => {
 
   const
     server   = (new Server).serve ``
@@ -189,14 +187,14 @@ test ("Content-Security-Policy: style-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `style-src 'none'` )
+  t.ok ( policy.includes (`style-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ("Content-Security-Policy: script-src 'none'", async t => {
+test ("Content-Security-Policy: script-src", async t => {
 
   const
     server   = (new Server).serve ``
@@ -207,14 +205,14 @@ test ("Content-Security-Policy: script-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `script-src 'none'` )
+  t.ok ( policy.includes (`script-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ("Content-Security-Policy: worker-src 'none'", async t => {
+test ("Content-Security-Policy: worker-src", async t => {
 
   const
     server   = (new Server).serve ``
@@ -225,7 +223,7 @@ test ("Content-Security-Policy: worker-src 'none'", async t => {
   , policy   = response.headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes `worker-src 'none'` )
+  t.ok ( policy.includes (`worker-src ${defaults}`) )
 
   server.close ``
   t.end ()

From e5317fb616e18106f14b856ecedd96aa1fe46147 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 00:49:13 -0500
Subject: [PATCH 092/239] Add schemes comment

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index ff23a342b14..5b799650d28 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -2,7 +2,7 @@
 // https://report-uri.com/#prices
 
 const
-  // `default-src 'self' safari-extension:// chrome-extension:// https://${domain};`
+//schemes = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
   defaults
     = [`'none'`]
 

From a0ed1bfda731ae53e21fd4cc59b9fe16ea158e93 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 00:50:06 -0500
Subject: [PATCH 093/239] Fix comment for scripts directives

---
 middleware/policy.es | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 5b799650d28..6e9ca70d458 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -44,9 +44,7 @@ const
 
 , scripts // Script Nonce for inline <script>
     // https://csp.withgoogle.com/docs/strict-csp.html
-    // scripts-src
-    // nonce-${nonce}
-    // ** NONCE MUST BE UNIQUE **
+    // nonce-${nonce} ** MUST BE UNIQUE **
     //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
     // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
     // **THAT BEING SAID...For Safari 😢

From cdae1d75ffded846f64c0128a9558cb5f17b3489 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 00:51:21 -0500
Subject: [PATCH 094/239] Remove comment about Content-Security-Policy in favor
 of README.md

---
 middleware/policy.es | 2 --
 1 file changed, 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 6e9ca70d458..0181b6db88c 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -99,8 +99,6 @@ module.exports = options =>
 
 
     header
-
-      // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
       = 'Content-Security-Policy'
 
       // Is this a security breach?

From 8a8e4d001410666012d6c652537396f42782c733 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 01:00:12 -0500
Subject: [PATCH 095/239] Remove google strict-csp document in favor of
 README.md

---
 middleware/policy.es | 1 -
 1 file changed, 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 0181b6db88c..f94c42622cd 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -43,7 +43,6 @@ const
     = Array.from (defaults)
 
 , scripts // Script Nonce for inline <script>
-    // https://csp.withgoogle.com/docs/strict-csp.html
     // nonce-${nonce} ** MUST BE UNIQUE **
     //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
     // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'

From 329f209053762c2d923d943aea26992485e1b99c Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 01:00:31 -0500
Subject: [PATCH 096/239] Set INSECURE true for request upgrade

---
 middleware/policy.es | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index f94c42622cd..9749c268112 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -6,6 +6,8 @@ const
   defaults
     = [`'none'`]
 
+, INSECURE = true
+
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.

From 02882b12d272b83052c776c3a6773e6aca4b97f4 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 01:00:43 -0500
Subject: [PATCH 097/239] fix whitespace

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 9749c268112..141d9393a3b 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -73,8 +73,7 @@ const
   , `script-src ${ scripts.join ` ` }`
   , `worker-src ${ workers.join ` ` }`
 
-
-  // Document directives
+// Document directives
 //  , `form-action ${ forms.join ` ` }`
 //  , `frame-ancestors ${ ancestors.join ` ` }`
 //  , `sandbox ${ sandboxes.join ` ` }`
@@ -83,6 +82,7 @@ const
 //  // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
 //  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
 //  , `require-sri-for ${ integrities.join ` ` }`
+
 //  , `block-all-mixed-content ${ reports.join ` ` }`
 //  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
 //  , `update-insecure-requests`

From 98353dfa911b87a371bbd0161d695d9f49a0a843 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 01:02:17 -0500
Subject: [PATCH 098/239] Remove greenfield comment

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 141d9393a3b..da0801050b7 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -59,7 +59,7 @@ const
 
 , directives = [
   // Reporting directives
-    `report-to ${ reports.join ` ` }`  // greenfield
+    `report-to ${ reports.join ` ` }`
 
   // Fetch directives
   , `default-src ${ defaults.join ` ` }`

From 9c4b24c2994ecb04d56453c07c50d876d45428c3 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 01:05:53 -0500
Subject: [PATCH 099/239] Content-Security-Policy: block-all-mixed-content
 specification

---
 middleware/policy.es   |  6 +++---
 middleware/policy.test | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index da0801050b7..4232426d704 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -6,7 +6,7 @@ const
   defaults
     = [`'none'`]
 
-, INSECURE = true
+, SECURE = true
 
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
@@ -83,9 +83,9 @@ const
 //  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
 //  , `require-sri-for ${ integrities.join ` ` }`
 
-//  , `block-all-mixed-content ${ reports.join ` ` }`
+  , (SECURE ? `block-all-mixed-content` : `update-insecure-requests`)
+
 //  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
-//  , `update-insecure-requests`
 
 //  // DEPRECATED!! See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 //  , `referrer`
diff --git a/middleware/policy.test b/middleware/policy.test
index 377766c3b1f..583611a5fe7 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -228,3 +228,21 @@ test ("Content-Security-Policy: worker-src", async t => {
   server.close ``
   t.end ()
 })
+
+
+test ("Content-Security-Policy: block-all-mixed-content", async t => {
+
+  const
+    server   = (new Server).serve ``
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`block-all-mixed-content`) )
+
+  server.close ``
+  t.end ()
+})

From 6d8b9870aa90ad5477d65be575bd6d2d5a52c76c Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 01:07:07 -0500
Subject: [PATCH 100/239] Content-Security-Policy: update-insecure-requests
 specification

---
 middleware/policy.test | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/middleware/policy.test b/middleware/policy.test
index 583611a5fe7..aa6a216bf17 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -246,3 +246,21 @@ test ("Content-Security-Policy: block-all-mixed-content", async t => {
   server.close ``
   t.end ()
 })
+
+
+test ("Content-Security-Policy: update-insecure-requests", async t => {
+
+  const
+    server   = (new Server).serve ``
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
+  , policy   = response.headers.get ('content-security-policy')
+
+
+  t.notOk ( policy.includes (`update-insecure-requests`) )
+
+  server.close ``
+  t.end ()
+})

From de3b6cb8b32dd4327ca7f64eb81ac5a121dd7edc Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 02:52:12 -0500
Subject: [PATCH 101/239] Adjust const(ant) whitespace

---
 middleware/policy.test | 50 +++++++++++++++++++++---------------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index aa6a216bf17..b8d516c20ac 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -35,12 +35,12 @@ test ('Content-Security-Policy-Report-Only', async t => {
 test (`Content-Security-Policy: report-to` , async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes`report-to https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce` )
@@ -58,7 +58,7 @@ test ("Content-Security-Policy: default-src", async t => {
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`default-src ${defaults}`) )
@@ -71,12 +71,12 @@ test ("Content-Security-Policy: default-src", async t => {
 test ("Content-Security-Policy: frame-src", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`frame-src ${defaults}`) )
@@ -89,12 +89,12 @@ test ("Content-Security-Policy: frame-src", async t => {
 test ("Content-Security-Policy: connect-src", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`connect-src ${defaults}`) )
@@ -107,12 +107,12 @@ test ("Content-Security-Policy: connect-src", async t => {
 test ("content-security-policy: img-src", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`img-src ${defaults}`) )
@@ -125,12 +125,12 @@ test ("content-security-policy: img-src", async t => {
 test ("Content-Security-Policy: font-src", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`font-src ${defaults}`) )
@@ -143,12 +143,12 @@ test ("Content-Security-Policy: font-src", async t => {
 test ("Content-Security-Policy: object-src", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`object-src ${defaults}`) )
@@ -161,12 +161,12 @@ test ("Content-Security-Policy: object-src", async t => {
 test ("Content-Security-Policy: media-src", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`media-src ${defaults}`) )
@@ -179,12 +179,12 @@ test ("Content-Security-Policy: media-src", async t => {
 test ("Content-Security-Policy: style-src", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`style-src ${defaults}`) )
@@ -197,12 +197,12 @@ test ("Content-Security-Policy: style-src", async t => {
 test ("Content-Security-Policy: script-src", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`script-src ${defaults}`) )
@@ -215,12 +215,12 @@ test ("Content-Security-Policy: script-src", async t => {
 test ("Content-Security-Policy: worker-src", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`worker-src ${defaults}`) )
@@ -233,12 +233,12 @@ test ("Content-Security-Policy: worker-src", async t => {
 test ("Content-Security-Policy: block-all-mixed-content", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`block-all-mixed-content`) )
@@ -251,12 +251,12 @@ test ("Content-Security-Policy: block-all-mixed-content", async t => {
 test ("Content-Security-Policy: update-insecure-requests", async t => {
 
   const
-    server   = (new Server).serve ``
+    server = (new Server).serve ``
 
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy   = response.headers.get ('content-security-policy')
+  , policy = response.headers.get ('content-security-policy')
 
 
   t.notOk ( policy.includes (`update-insecure-requests`) )

From afa40fe8bc06a453d55af453803aa3578a9487da Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:05:25 -0500
Subject: [PATCH 102/239] Content-Security-Policy: Rearrange and reformat
 directives

---
 middleware/policy.es | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 4232426d704..23b01829bea 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -74,19 +74,22 @@ const
   , `worker-src ${ workers.join ` ` }`
 
 // Document directives
+//  , `base-uri ${ bases.join ` ` }`
+//  , `sandbox ${ sandboxes.join ` ` }`
+//  , `plugin-types ${ plugins.join ` ` }`
+
+//  Navigation Directives
 //  , `form-action ${ forms.join ` ` }`
 //  , `frame-ancestors ${ ancestors.join ` ` }`
-//  , `sandbox ${ sandboxes.join ` ` }`
 
 //  // Other directives
+//  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
+  , (SECURE ? `block-all-mixed-content` : `update-insecure-requests`)
+
 //  // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
 //  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
 //  , `require-sri-for ${ integrities.join ` ` }`
 
-  , (SECURE ? `block-all-mixed-content` : `update-insecure-requests`)
-
-//  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
-
 //  // DEPRECATED!! See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 //  , `referrer`
   ]

From 85e8c6130e72e38f41a468a4a0eb9638a9cf8085 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:19:57 -0500
Subject: [PATCH 103/239] Content-Security-Policy: base-uri

---
 middleware/policy.es   |  7 ++++++-
 middleware/policy.test | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 23b01829bea..c05359ae5c3 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -57,6 +57,11 @@ const
     // script-src fallback
     = Array.from (scripts)
 
+, bases // base-uri
+    // default-src fallback
+    = Array.from (defaults)
+
+
 , directives = [
   // Reporting directives
     `report-to ${ reports.join ` ` }`
@@ -74,7 +79,7 @@ const
   , `worker-src ${ workers.join ` ` }`
 
 // Document directives
-//  , `base-uri ${ bases.join ` ` }`
+  , `base-uri ${ bases.join ` ` }`
 //  , `sandbox ${ sandboxes.join ` ` }`
 //  , `plugin-types ${ plugins.join ` ` }`
 
diff --git a/middleware/policy.test b/middleware/policy.test
index b8d516c20ac..2922dcae8f6 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -230,6 +230,24 @@ test ("Content-Security-Policy: worker-src", async t => {
 })
 
 
+test ("Content-Security-Policy: base-uri", async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
+  , policy = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`base-uri ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: block-all-mixed-content", async t => {
 
   const

From b030599b128d0713b7bf2be66867f8c86a4ea02d Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:29:01 -0500
Subject: [PATCH 104/239] Content-Security-Policy: sandbox specification

---
 middleware/policy.es   | 20 +++++++++++++++++++-
 middleware/policy.test | 18 ++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index c05359ae5c3..d5e9c8d16ee 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -61,6 +61,21 @@ const
     // default-src fallback
     = Array.from (defaults)
 
+, sandboxes // sandbox
+    // default-src fallback
+    = [/*
+      allow-forms
+    , allow-popups
+    , allow-modals
+    , allow-scripts
+    , allow-same-origin
+    , allow-presentation
+    , allow-pointer-lock
+    , allow-top-navigation
+    , allow-orientation-lock
+    , allow-popups-to-escape-sandbox
+    */]
+
 
 , directives = [
   // Reporting directives
@@ -80,7 +95,10 @@ const
 
 // Document directives
   , `base-uri ${ bases.join ` ` }`
-//  , `sandbox ${ sandboxes.join ` ` }`
+  //  `sandbox  ...` is not supported in the <meta> element
+  //  or by the Content-Security-policy-Report-Only header field.
+  //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
+  , `sandbox ${ sandboxes.join ` ` }`
 //  , `plugin-types ${ plugins.join ` ` }`
 
 //  Navigation Directives
diff --git a/middleware/policy.test b/middleware/policy.test
index 2922dcae8f6..8b1713b9ee3 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -248,6 +248,24 @@ test ("Content-Security-Policy: base-uri", async t => {
 })
 
 
+test ("Content-Security-Policy: sandbox", async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
+  , policy = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`sandbox`) )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: block-all-mixed-content", async t => {
 
   const

From 76a45921a12593eaa518e0932cd94840f386f22f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:32:22 -0500
Subject: [PATCH 105/239] Content-Security-Policy: plugin-types specification

---
 middleware/policy.es   |  6 +++++-
 middleware/policy.test | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index d5e9c8d16ee..b7ce328e45e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -61,6 +61,10 @@ const
     // default-src fallback
     = Array.from (defaults)
 
+, plugins // plugin-types
+    // default-src fallback
+    = Array.from (defaults)
+
 , sandboxes // sandbox
     // default-src fallback
     = [/*
@@ -99,7 +103,7 @@ const
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
   , `sandbox ${ sandboxes.join ` ` }`
-//  , `plugin-types ${ plugins.join ` ` }`
+  , `plugin-types ${ plugins.join ` ` }`
 
 //  Navigation Directives
 //  , `form-action ${ forms.join ` ` }`
diff --git a/middleware/policy.test b/middleware/policy.test
index 8b1713b9ee3..26818a16eba 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -266,6 +266,24 @@ test ("Content-Security-Policy: sandbox", async t => {
 })
 
 
+test ("Content-Security-Policy: plugin-types", async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
+  , policy = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`plugin-types ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: block-all-mixed-content", async t => {
 
   const

From 7f9cba8fb1ccf733969934b1da448652fd318330 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:37:38 -0500
Subject: [PATCH 106/239] Content-Security-Policy: form-action specification

---
 middleware/policy.es   |  6 +++++-
 middleware/policy.test | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index b7ce328e45e..4986b4c74c6 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -65,6 +65,10 @@ const
     // default-src fallback
     = Array.from (defaults)
 
+, forms // form-action
+    // default-src fallback
+    = Array.from (defaults)
+
 , sandboxes // sandbox
     // default-src fallback
     = [/*
@@ -106,7 +110,7 @@ const
   , `plugin-types ${ plugins.join ` ` }`
 
 //  Navigation Directives
-//  , `form-action ${ forms.join ` ` }`
+  , `form-action ${ forms.join ` ` }`
 //  , `frame-ancestors ${ ancestors.join ` ` }`
 
 //  // Other directives
diff --git a/middleware/policy.test b/middleware/policy.test
index 26818a16eba..5cd3d5c98a3 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -284,6 +284,24 @@ test ("Content-Security-Policy: plugin-types", async t => {
 })
 
 
+test ("Content-Security-Policy: form-action", async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
+  , policy = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`form-action ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: block-all-mixed-content", async t => {
 
   const

From e5c4c66eec8cc58e7f5dc2ac11f9211090960af1 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:40:32 -0500
Subject: [PATCH 107/239] Content-Security-Policy: frame-ancestors
 specification

---
 middleware/policy.es   |  6 +++++-
 middleware/policy.test | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 4986b4c74c6..0fbf6dbe047 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -69,6 +69,10 @@ const
     // default-src fallback
     = Array.from (defaults)
 
+, ancestors // frame-ancestors
+    // default-src fallback
+    = Array.from (defaults)
+
 , sandboxes // sandbox
     // default-src fallback
     = [/*
@@ -111,7 +115,7 @@ const
 
 //  Navigation Directives
   , `form-action ${ forms.join ` ` }`
-//  , `frame-ancestors ${ ancestors.join ` ` }`
+  , `frame-ancestors ${ ancestors.join ` ` }`
 
 //  // Other directives
 //  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
diff --git a/middleware/policy.test b/middleware/policy.test
index 5cd3d5c98a3..ee5a7f37b9a 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -302,6 +302,24 @@ test ("Content-Security-Policy: form-action", async t => {
 })
 
 
+test ("Content-Security-Policy: frame-ancestors", async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , response = await
+      fetch ('http://localhost:8181/')
+
+  , policy = response.headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`frame-ancestors ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ("Content-Security-Policy: block-all-mixed-content", async t => {
 
   const

From 004044123108fe85209f8881cdd17c6254841af2 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:40:37 -0500
Subject: [PATCH 108/239] Fix whitespace

---
 middleware/policy.es | 1 -
 1 file changed, 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 0fbf6dbe047..60eab2f292b 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -88,7 +88,6 @@ const
     , allow-popups-to-escape-sandbox
     */]
 
-
 , directives = [
   // Reporting directives
     `report-to ${ reports.join ` ` }`

From ba0020c5d4757c570649d0489a423780fedb87e2 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:47:39 -0500
Subject: [PATCH 109/239] Refactor const(ant) variables

---
 middleware/policy.test | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index ee5a7f37b9a..57038a64814 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -40,7 +40,9 @@ test (`Content-Security-Policy: report-to` , async t => {
   , response = await
       fetch ('http://localhost:8181/')
 
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes`report-to https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce` )

From 39267da8c5fa39f8a6524f879c10c77041040f07 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:53:16 -0500
Subject: [PATCH 110/239] Content-Security-Policy: Refactor report url into
 variable

---
 middleware/policy.test | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 57038a64814..68bf18def98 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -44,8 +44,10 @@ test (`Content-Security-Policy: report-to` , async t => {
       = (await fetch ('http://localhost:8181/'))
         .headers.get ('content-security-policy')
 
+  , url = 'https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce'
 
-  t.ok ( policy.includes`report-to https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce` )
+
+  t.ok ( policy.includes (`report-to ${url}`))
 
   server.close ``
   t.end ()

From de7c1c57e2b260402799192218643ca1ce9955d6 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 03:54:01 -0500
Subject: [PATCH 111/239] Content-Security-Policy: Refactor async/await fetch
 into expression to retrieve header only '

---
 middleware/policy.test | 122 +++++++++++++++++------------------------
 1 file changed, 51 insertions(+), 71 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 68bf18def98..88d1746d0a6 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -37,9 +37,6 @@ test (`Content-Security-Policy: report-to` , async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
   , policy
       = (await fetch ('http://localhost:8181/'))
         .headers.get ('content-security-policy')
@@ -59,10 +56,9 @@ test ("Content-Security-Policy: default-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`default-src ${defaults}`) )
@@ -77,10 +73,9 @@ test ("Content-Security-Policy: frame-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`frame-src ${defaults}`) )
@@ -95,10 +90,9 @@ test ("Content-Security-Policy: connect-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`connect-src ${defaults}`) )
@@ -113,10 +107,9 @@ test ("content-security-policy: img-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`img-src ${defaults}`) )
@@ -131,10 +124,9 @@ test ("Content-Security-Policy: font-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`font-src ${defaults}`) )
@@ -149,10 +141,9 @@ test ("Content-Security-Policy: object-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`object-src ${defaults}`) )
@@ -167,10 +158,9 @@ test ("Content-Security-Policy: media-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`media-src ${defaults}`) )
@@ -185,10 +175,9 @@ test ("Content-Security-Policy: style-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`style-src ${defaults}`) )
@@ -203,10 +192,9 @@ test ("Content-Security-Policy: script-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`script-src ${defaults}`) )
@@ -221,10 +209,9 @@ test ("Content-Security-Policy: worker-src", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`worker-src ${defaults}`) )
@@ -239,10 +226,9 @@ test ("Content-Security-Policy: base-uri", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`base-uri ${defaults}`) )
@@ -257,10 +243,9 @@ test ("Content-Security-Policy: sandbox", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`sandbox`) )
@@ -275,10 +260,9 @@ test ("Content-Security-Policy: plugin-types", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`plugin-types ${defaults}`) )
@@ -293,10 +277,9 @@ test ("Content-Security-Policy: form-action", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`form-action ${defaults}`) )
@@ -311,10 +294,9 @@ test ("Content-Security-Policy: frame-ancestors", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`frame-ancestors ${defaults}`) )
@@ -329,10 +311,9 @@ test ("Content-Security-Policy: block-all-mixed-content", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.ok ( policy.includes (`block-all-mixed-content`) )
@@ -347,10 +328,9 @@ test ("Content-Security-Policy: update-insecure-requests", async t => {
   const
     server = (new Server).serve ``
 
-  , response = await
-      fetch ('http://localhost:8181/')
-
-  , policy = response.headers.get ('content-security-policy')
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
 
 
   t.notOk ( policy.includes (`update-insecure-requests`) )

From 569c4b6d46488dffba0d19f0f0145ec8c2d06513 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 05:16:19 -0500
Subject: [PATCH 112/239] Convert to use single quotes instead of double quotes

---
 middleware/policy.test | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 88d1746d0a6..6ea232f6c3e 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -32,7 +32,7 @@ test ('Content-Security-Policy-Report-Only', async t => {
 })
 
 
-test (`Content-Security-Policy: report-to` , async t => {
+test ('Content-Security-Policy: report-to' , async t => {
 
   const
     server = (new Server).serve ``
@@ -51,7 +51,7 @@ test (`Content-Security-Policy: report-to` , async t => {
 })
 
 
-test ("Content-Security-Policy: default-src", async t => {
+test ('Content-Security-Policy: default-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -68,7 +68,7 @@ test ("Content-Security-Policy: default-src", async t => {
 })
 
 
-test ("Content-Security-Policy: frame-src", async t => {
+test ('Content-Security-Policy: frame-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -85,7 +85,7 @@ test ("Content-Security-Policy: frame-src", async t => {
 })
 
 
-test ("Content-Security-Policy: connect-src", async t => {
+test ('Content-Security-Policy: connect-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -102,7 +102,7 @@ test ("Content-Security-Policy: connect-src", async t => {
 })
 
 
-test ("content-security-policy: img-src", async t => {
+test ('content-security-policy: img-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -119,7 +119,7 @@ test ("content-security-policy: img-src", async t => {
 })
 
 
-test ("Content-Security-Policy: font-src", async t => {
+test ('Content-Security-Policy: font-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -136,7 +136,7 @@ test ("Content-Security-Policy: font-src", async t => {
 })
 
 
-test ("Content-Security-Policy: object-src", async t => {
+test ('Content-Security-Policy: object-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -153,7 +153,7 @@ test ("Content-Security-Policy: object-src", async t => {
 })
 
 
-test ("Content-Security-Policy: media-src", async t => {
+test ('Content-Security-Policy: media-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -170,7 +170,7 @@ test ("Content-Security-Policy: media-src", async t => {
 })
 
 
-test ("Content-Security-Policy: style-src", async t => {
+test ('Content-Security-Policy: style-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -187,7 +187,7 @@ test ("Content-Security-Policy: style-src", async t => {
 })
 
 
-test ("Content-Security-Policy: script-src", async t => {
+test ('Content-Security-Policy: script-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -204,7 +204,7 @@ test ("Content-Security-Policy: script-src", async t => {
 })
 
 
-test ("Content-Security-Policy: worker-src", async t => {
+test ('Content-Security-Policy: worker-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -221,7 +221,7 @@ test ("Content-Security-Policy: worker-src", async t => {
 })
 
 
-test ("Content-Security-Policy: base-uri", async t => {
+test ('Content-Security-Policy: base-uri', async t => {
 
   const
     server = (new Server).serve ``
@@ -238,7 +238,7 @@ test ("Content-Security-Policy: base-uri", async t => {
 })
 
 
-test ("Content-Security-Policy: sandbox", async t => {
+test ('Content-Security-Policy: sandbox', async t => {
 
   const
     server = (new Server).serve ``
@@ -255,7 +255,7 @@ test ("Content-Security-Policy: sandbox", async t => {
 })
 
 
-test ("Content-Security-Policy: plugin-types", async t => {
+test ('Content-Security-Policy: plugin-types', async t => {
 
   const
     server = (new Server).serve ``
@@ -272,7 +272,7 @@ test ("Content-Security-Policy: plugin-types", async t => {
 })
 
 
-test ("Content-Security-Policy: form-action", async t => {
+test ('Content-Security-Policy: form-action', async t => {
 
   const
     server = (new Server).serve ``
@@ -289,7 +289,7 @@ test ("Content-Security-Policy: form-action", async t => {
 })
 
 
-test ("Content-Security-Policy: frame-ancestors", async t => {
+test ('Content-Security-Policy: frame-ancestors', async t => {
 
   const
     server = (new Server).serve ``
@@ -306,7 +306,7 @@ test ("Content-Security-Policy: frame-ancestors", async t => {
 })
 
 
-test ("Content-Security-Policy: block-all-mixed-content", async t => {
+test ('Content-Security-Policy: block-all-mixed-content', async t => {
 
   const
     server = (new Server).serve ``
@@ -323,7 +323,7 @@ test ("Content-Security-Policy: block-all-mixed-content", async t => {
 })
 
 
-test ("Content-Security-Policy: update-insecure-requests", async t => {
+test ('Content-Security-Policy: update-insecure-requests', async t => {
 
   const
     server = (new Server).serve ``

From a4117cb8ea01d9bb4f45882de0edcc2907fbc80d Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 21 Jan 2018 05:19:59 -0500
Subject: [PATCH 113/239] Convert to use vanity report-uri endpoint

---
 middleware/policy.es   | 2 +-
 middleware/policy.test | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 60eab2f292b..269ce422850 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -13,7 +13,7 @@ const
 // with JavaScript and collect more information about the client before reporting.
 , reports // report-to
     // *DEPRECATED* report-uri
-    = ['https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce']
+    = ['https://snuggsi.report-uri.com/r/d/csp/enforce']
 
 , frames // frame-src
     // *DEPRECATED* child-src fallback
diff --git a/middleware/policy.test b/middleware/policy.test
index 6ea232f6c3e..811c2cb1fa0 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -41,7 +41,7 @@ test ('Content-Security-Policy: report-to' , async t => {
       = (await fetch ('http://localhost:8181/'))
         .headers.get ('content-security-policy')
 
-  , url = 'https://ffb4d440b7878d6a1d371906dbe25fcd.report-uri.com/r/d/csp/enforce'
+  , url = 'https://snuggsi.report-uri.com/r/d/csp/enforce'
 
 
   t.ok ( policy.includes (`report-to ${url}`))

From 5435dc247463bd9f4d64140dac887dcda2922374 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 15 Jun 2018 00:51:57 -0400
Subject: [PATCH 114/239] Remove merge conflict

---
 test/index.es | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/test/index.es b/test/index.es
index c4d7236b380..ee4affc97ee 100644
--- a/test/index.es
+++ b/test/index.es
@@ -15,15 +15,6 @@ finish (process.exit)
 module.exports = {
   test
 , fetch
-<<<<<<< HEAD
-
-// See chunked responses
-// http://taylor.fausak.me/2013/02/17/testing-a-node-js-http-server-with-mocha/
-, get    : require ('http')
-, read   : require ('./read')
-, serve  : require ('./serve')
-, browse : require ('./browse')
-=======
 , read   : require ('./read')
 , serve  : require ('./serve')
 , browse : require ('./browse')
@@ -31,5 +22,4 @@ module.exports = {
 // See chunked responses
 // http://taylor.fausak.me/2013/02/17/testing-a-node-js-http-server-with-mocha/
 , get    : require ('http').get
->>>>>>> Update test helper functionality
 }

From 1c8f2c131afe645d22cbf86a15353298a7a8bfa7 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 15 Jun 2018 00:53:15 -0400
Subject: [PATCH 115/239] Fix snuggsi error

---
 server/index.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/index.es b/server/index.es
index bfd2ff78795..8c069c89600 100644
--- a/server/index.es
+++ b/server/index.es
@@ -1,5 +1,5 @@
 const
-  { auth, cors, security, policy, compressor, negotiator, librarian, mixins, assets }
+  { auth, cors, security, policy, compressor, snuggsi, negotiator, librarian, mixins, assets }
     = require ('middleware')
 
 

From c3e5acc2abe74ba2dec226fd2de23656b0e324fe Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 15 Jun 2018 00:54:17 -0400
Subject: [PATCH 116/239] Comment compressor test for future PR

---
 middleware/index.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/index.test b/middleware/index.test
index f14faae7c32..20b2bb8bf81 100644
--- a/middleware/index.test
+++ b/middleware/index.test
@@ -4,7 +4,7 @@ require ('./security.test')
 require ('./snuggsi.test')
 require ('./route.test')
 require ('./policy.test')
-require ('./compressor.test')
+// require ('./compressor.test')
 require ('./negotiator.test')
 require ('./librarian.test')
 require ('./assets.test')

From 068bf85bfc2a77e1b6f771f1c71dc05b5f48af7a Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 15 Jun 2018 00:55:10 -0400
Subject: [PATCH 117/239] Comment negotiator test for future PR

---
 middleware/index.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/index.test b/middleware/index.test
index 20b2bb8bf81..300263ff4d7 100644
--- a/middleware/index.test
+++ b/middleware/index.test
@@ -5,7 +5,7 @@ require ('./snuggsi.test')
 require ('./route.test')
 require ('./policy.test')
 // require ('./compressor.test')
-require ('./negotiator.test')
+// require ('./negotiator.test')
 require ('./librarian.test')
 require ('./assets.test')
 

From 11f62e059fec26d18602836bca063f9ff5b32886 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 15 Jun 2018 00:55:35 -0400
Subject: [PATCH 118/239] Comment librarian test for future PR

---
 middleware/index.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/index.test b/middleware/index.test
index 300263ff4d7..46227a2288f 100644
--- a/middleware/index.test
+++ b/middleware/index.test
@@ -6,6 +6,6 @@ require ('./route.test')
 require ('./policy.test')
 // require ('./compressor.test')
 // require ('./negotiator.test')
-require ('./librarian.test')
+//require ('./librarian.test')
 require ('./assets.test')
 

From 0ca196900c8dcef3d8954859a22b908d7d8035c3 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 15 Jun 2018 21:41:55 -0400
Subject: [PATCH 119/239] Add server.close

---
 middleware/security.test | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/middleware/security.test b/middleware/security.test
index 09aff2581e3..9a3e79038b5 100644
--- a/middleware/security.test
+++ b/middleware/security.test
@@ -34,7 +34,7 @@ test ('X-XSS-Protection: 1; mode=block', async t => {
   t.ok
     (expected.test (response.headers.get ('x-xss-protection')))
 
-  server.close ()
+  server.close ``
   t.end ()
 
 })
@@ -50,7 +50,7 @@ test ('X-Frame-Options: deny', async t => {
   t.equal
     ('deny', response.headers.get ('x-frame-options'))
 
-  server.close ()
+  server.close ``
   t.end ()
 })
 
@@ -65,7 +65,7 @@ test ('X-Content-Type-Options: nosniff', async t => {
   t.equal
     ('nosniff', response.headers.get ('x-content-type-options'))
 
-  server.close ()
+  server.close ``
   t.end ()
 })
 
@@ -84,6 +84,6 @@ test ('Strict-Transport-Security', async t => {
   t.ok
     (expected.test (response.headers.get ('strict-transport-security')))
 
-  server.close ()
+  server.close ``
   t.end ()
 })

From f3c7f12e2e67597ab1beefaf18429dda97d76942 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 15 Jun 2018 22:56:07 -0400
Subject: [PATCH 120/239] use serve test helper method. /cc @brandondees
 @tmornini

---
 middleware/security.test | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/middleware/security.test b/middleware/security.test
index 9a3e79038b5..ee614c931ae 100644
--- a/middleware/security.test
+++ b/middleware/security.test
@@ -8,12 +8,9 @@
 
 
 const
-  { test, fetch }
+  { test, fetch, serve }
     = require ('test')
 
-, { Server }
-    = require ('..')
-
 
 test ('calling next middleware')
 
@@ -21,7 +18,7 @@ test ('calling next middleware')
 test ('X-XSS-Protection: 1; mode=block', async t => {
 
   const
-    server   = (new Server).serve ``
+    server   = serve ``
   , response = await fetch ('http://localhost:8181/')
 
 
@@ -43,7 +40,7 @@ test ('X-XSS-Protection: 1; mode=block', async t => {
 test ('X-Frame-Options: deny', async t => {
 
   const
-    server   = (new Server).serve ``
+    server   = serve ``
   , response = await fetch ('http://localhost:8181/')
 
 
@@ -58,7 +55,7 @@ test ('X-Frame-Options: deny', async t => {
 test ('X-Content-Type-Options: nosniff', async t => {
 
   const
-    server   = (new Server).serve ``
+    server   = serve ``
   , response = await fetch ('http://localhost:8181/')
 
 
@@ -73,7 +70,7 @@ test ('X-Content-Type-Options: nosniff', async t => {
 test ('Strict-Transport-Security', async t => {
 
   const
-    server   = (new Server).serve ``
+    server   = serve ``
   , response = await fetch ('http://localhost:8181/')
 
   , age      = 60 * 60 * 24 * 365

From 4c6db97097507ae572249397b4987da3fbb77473 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:46:40 -0400
Subject: [PATCH 121/239] Update CSP default frames

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 269ce422850..7e75b47acee 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -18,7 +18,7 @@ const
 , frames // frame-src
     // *DEPRECATED* child-src fallback
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , connects // connect-src
     // default-src fallback

From db91f51865e193a87601baa6b68cd66f1f760520 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:48:10 -0400
Subject: [PATCH 122/239] Update CSP default connects

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 7e75b47acee..d09f0bdc46e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -22,7 +22,7 @@ const
 
 , connects // connect-src
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , images // image-src
     // default-src fallback

From 5870284fdaa1328e573382da05c32d1acb956e4d Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:48:21 -0400
Subject: [PATCH 123/239] Update CSP default images

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index d09f0bdc46e..9d79d4fa637 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -26,7 +26,7 @@ const
 
 , images // image-src
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , fonts // font-src
     // default-src fallback

From 5f2183af0ec4561e423b49232b37c819e5fc99b7 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:48:42 -0400
Subject: [PATCH 124/239] Update CSP default fonts

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 9d79d4fa637..119d92d2059 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -30,7 +30,7 @@ const
 
 , fonts // font-src
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , objects // object-src
     // default-src fallback

From e414bfdea69cb296633a0806904d1197363b768b Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:48:52 -0400
Subject: [PATCH 125/239] Update CSP default objects

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 119d92d2059..c9921f96a78 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -34,7 +34,7 @@ const
 
 , objects // object-src
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , medias // media-src
     // default-src fallback

From e132a36055f67a4286b61cc0c5de58ee4e363c37 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:49:01 -0400
Subject: [PATCH 126/239] Update CSP default medias

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index c9921f96a78..23d886e6f70 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -38,7 +38,7 @@ const
 
 , medias // media-src
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , styles // style-src
     // default-src fallback

From 4935fb9682e25d2aed35310ff06a7d61fa14fc79 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:49:11 -0400
Subject: [PATCH 127/239] Update CSP default styles

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 23d886e6f70..d0be9317ace 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -42,7 +42,7 @@ const
 
 , styles // style-src
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , scripts // Script Nonce for inline <script>
     // nonce-${nonce} ** MUST BE UNIQUE **

From d6a1ecf4ba7edb38ae2bf41359553e09eae10e37 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:49:33 -0400
Subject: [PATCH 128/239] Update CSP default scripts

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index d0be9317ace..dbaad4283f0 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -51,7 +51,7 @@ const
     // **THAT BEING SAID...For Safari 😢
     // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , workers // worker-src
     // script-src fallback

From 094e29fc85d30f872900dd481fd24f5ef929dc7f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:49:42 -0400
Subject: [PATCH 129/239] Update CSP default workers

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index dbaad4283f0..d8c5efe3d37 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -55,7 +55,7 @@ const
 
 , workers // worker-src
     // script-src fallback
-    = Array.from (scripts)
+    = scripts
 
 , bases // base-uri
     // default-src fallback

From 9ebf938eb80457b1e74bed9d74fd3804c650314d Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:50:13 -0400
Subject: [PATCH 130/239] Update CSP default bases

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index d8c5efe3d37..c6b20237efe 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -59,11 +59,11 @@ const
 
 , bases // base-uri
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , plugins // plugin-types
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , forms // form-action
     // default-src fallback

From 55866967575fff1ece5663f1c6b37abba06ebe9a Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:50:23 -0400
Subject: [PATCH 131/239] Update CSP default forms

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index c6b20237efe..912913f8ce1 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -67,7 +67,7 @@ const
 
 , forms // form-action
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , ancestors // frame-ancestors
     // default-src fallback

From ed9dd97d36e2c455e55d0291f8031bb90400aceb Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sat, 30 Jun 2018 08:50:32 -0400
Subject: [PATCH 132/239] Update CSP default ancestors

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 912913f8ce1..ae8f7a1503e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -71,7 +71,7 @@ const
 
 , ancestors // frame-ancestors
     // default-src fallback
-    = Array.from (defaults)
+    = defaults
 
 , sandboxes // sandbox
     // default-src fallback

From b4884e165b69a42237cbf07afda4497eb5a4ece0 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 12:13:31 -0400
Subject: [PATCH 133/239] Convert default-src to use self

---
 middleware/policy.es   | 2 +-
 middleware/policy.test | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index ae8f7a1503e..61dcb41bea1 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -4,7 +4,7 @@
 const
 //schemes = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
   defaults
-    = [`'none'`]
+    = [`'self'`]
 
 , SECURE = true
 
diff --git a/middleware/policy.test b/middleware/policy.test
index 811c2cb1fa0..499e64a44a1 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -5,7 +5,7 @@ const
 , { Server }
     = require ('..')
 
-, defaults = [`'none'`].join `; `
+, defaults = [`'self'`].join `; `
 
 
 test ('calling next middleware')

From 36ec8e157b224d445e4a36f40fb112da5cc2f5bc Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 12:13:53 -0400
Subject: [PATCH 134/239] Migrate to use serve  routine

---
 middleware/policy.test | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 499e64a44a1..e8d12fc7f10 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -1,5 +1,5 @@
 const
-  { test, fetch }
+  { test, fetch, serve }
     = require ('test')
 
 , { Server }
@@ -54,7 +54,7 @@ test ('Content-Security-Policy: report-to' , async t => {
 test ('Content-Security-Policy: default-src', async t => {
 
   const
-    server = (new Server).serve ``
+    server = serve ``
 
   , policy
       = (await fetch ('http://localhost:8181/'))

From 6afebd8f07db2c92e4d85b45d328a09662f561c5 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 13:48:23 -0400
Subject: [PATCH 135/239] Update to use serve in plugin-types

---
 middleware/policy.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index e8d12fc7f10..bb6a8fb054f 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -258,7 +258,7 @@ test ('Content-Security-Policy: sandbox', async t => {
 test ('Content-Security-Policy: plugin-types', async t => {
 
   const
-    server = (new Server).serve ``
+    server = serve ``
 
   , policy
       = (await fetch ('http://localhost:8181/'))

From 5b99692075e89c86eee22b317a5c3cbdc68eac29 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 14:12:13 -0400
Subject: [PATCH 136/239] Update object-src to none

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 61dcb41bea1..5e7dcb38efe 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -34,7 +34,7 @@ const
 
 , objects // object-src
     // default-src fallback
-    = defaults
+    = [`'none'`]
 
 , medias // media-src
     // default-src fallback

From 1feb4402782c21ce9aad8a59e302e298318d2df5 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 14:12:28 -0400
Subject: [PATCH 137/239] update plugin types to mime type defaults

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 5e7dcb38efe..e08e9494b18 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -63,7 +63,7 @@ const
 
 , plugins // plugin-types
     // default-src fallback
-    = defaults
+    = ['audio/*', 'video/*']
 
 , forms // form-action
     // default-src fallback

From f6b0176b5081f1cfa3cb9fc7550b9d35c7fafd1e Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 14:12:45 -0400
Subject: [PATCH 138/239] Update object-src policy to 'none'

---
 middleware/policy.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index bb6a8fb054f..f2e37afe0c0 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -146,7 +146,7 @@ test ('Content-Security-Policy: object-src', async t => {
         .headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes (`object-src ${defaults}`) )
+  t.ok ( policy.includes (`object-src 'none'`) )
 
   server.close ``
   t.end ()

From 6712d6b501bac42678de56d13c04ddd52ead8155 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 14:13:00 -0400
Subject: [PATCH 139/239] Update plugins for plugin-src CSP

---
 middleware/policy.test | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index f2e37afe0c0..3d4c9bd5f54 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -258,7 +258,8 @@ test ('Content-Security-Policy: sandbox', async t => {
 test ('Content-Security-Policy: plugin-types', async t => {
 
   const
-    server = serve ``
+    server  = serve ``
+  , plugins = ['audio/*', 'video/*'].join ` `
 
   , policy
       = (await fetch ('http://localhost:8181/'))

From b5b6e582fffbaba3377d1d3da0bd18be6ecaaa1d Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 14:13:08 -0400
Subject: [PATCH 140/239] Update plugins for plugin-src CSP

---
 middleware/policy.test | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 3d4c9bd5f54..96d92406003 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -266,7 +266,9 @@ test ('Content-Security-Policy: plugin-types', async t => {
         .headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes (`plugin-types ${defaults}`) )
+  console.warn (policy)
+
+  t.ok ( policy.includes (`plugin-types ${plugins}`) )
 
   server.close ``
   t.end ()

From c0b355b3f7ec85ede5ab249da7939e93f2ec0d03 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 14:14:07 -0400
Subject: [PATCH 141/239] Migrate plugin-types to near object-src since they
 are dependent

---
 middleware/policy.test | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 96d92406003..34926f4075c 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -153,24 +153,27 @@ test ('Content-Security-Policy: object-src', async t => {
 })
 
 
-test ('Content-Security-Policy: media-src', async t => {
+test.only ('Content-Security-Policy: plugin-types', async t => {
 
   const
-    server = (new Server).serve ``
+    server  = serve ``
+  , plugins = ['audio/*', 'video/*'].join ` `
 
   , policy
       = (await fetch ('http://localhost:8181/'))
         .headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes (`media-src ${defaults}`) )
+  console.warn (policy)
+
+  t.ok ( policy.includes (`plugin-types ${plugins}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ('Content-Security-Policy: style-src', async t => {
+test ('Content-Security-Policy: media-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -180,14 +183,14 @@ test ('Content-Security-Policy: style-src', async t => {
         .headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes (`style-src ${defaults}`) )
+  t.ok ( policy.includes (`media-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ('Content-Security-Policy: script-src', async t => {
+test ('Content-Security-Policy: style-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -197,14 +200,14 @@ test ('Content-Security-Policy: script-src', async t => {
         .headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes (`script-src ${defaults}`) )
+  t.ok ( policy.includes (`style-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ('Content-Security-Policy: worker-src', async t => {
+test ('Content-Security-Policy: script-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -214,14 +217,14 @@ test ('Content-Security-Policy: worker-src', async t => {
         .headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes (`worker-src ${defaults}`) )
+  t.ok ( policy.includes (`script-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ('Content-Security-Policy: base-uri', async t => {
+test ('Content-Security-Policy: worker-src', async t => {
 
   const
     server = (new Server).serve ``
@@ -231,14 +234,14 @@ test ('Content-Security-Policy: base-uri', async t => {
         .headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes (`base-uri ${defaults}`) )
+  t.ok ( policy.includes (`worker-src ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ('Content-Security-Policy: sandbox', async t => {
+test ('Content-Security-Policy: base-uri', async t => {
 
   const
     server = (new Server).serve ``
@@ -248,27 +251,24 @@ test ('Content-Security-Policy: sandbox', async t => {
         .headers.get ('content-security-policy')
 
 
-  t.ok ( policy.includes (`sandbox`) )
+  t.ok ( policy.includes (`base-uri ${defaults}`) )
 
   server.close ``
   t.end ()
 })
 
 
-test ('Content-Security-Policy: plugin-types', async t => {
+test ('Content-Security-Policy: sandbox', async t => {
 
   const
-    server  = serve ``
-  , plugins = ['audio/*', 'video/*'].join ` `
+    server = (new Server).serve ``
 
   , policy
       = (await fetch ('http://localhost:8181/'))
         .headers.get ('content-security-policy')
 
 
-  console.warn (policy)
-
-  t.ok ( policy.includes (`plugin-types ${plugins}`) )
+  t.ok ( policy.includes (`sandbox`) )
 
   server.close ``
   t.end ()

From 135a031f9ac2dbe3605d642dd75c86e59d264f08 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 14:15:03 -0400
Subject: [PATCH 142/239] Update object-src test to none

---
 middleware/policy.test | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 34926f4075c..15fcc21b503 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -136,16 +136,18 @@ test ('Content-Security-Policy: font-src', async t => {
 })
 
 
-test ('Content-Security-Policy: object-src', async t => {
+test.only ('Content-Security-Policy: object-src', async t => {
 
   const
-    server = (new Server).serve ``
+    server = serve ``
 
   , policy
       = (await fetch ('http://localhost:8181/'))
         .headers.get ('content-security-policy')
 
 
+  console.warn (policy)
+
   t.ok ( policy.includes (`object-src 'none'`) )
 
   server.close ``
@@ -153,7 +155,7 @@ test ('Content-Security-Policy: object-src', async t => {
 })
 
 
-test.only ('Content-Security-Policy: plugin-types', async t => {
+test ('Content-Security-Policy: plugin-types', async t => {
 
   const
     server  = serve ``
@@ -164,8 +166,6 @@ test.only ('Content-Security-Policy: plugin-types', async t => {
         .headers.get ('content-security-policy')
 
 
-  console.warn (policy)
-
   t.ok ( policy.includes (`plugin-types ${plugins}`) )
 
   server.close ``

From 96395bb16b5f47adbde4abd8c897ba664faf245f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 14:19:09 -0400
Subject: [PATCH 143/239] Update spec description for object-src and
 plugin-types

---
 middleware/policy.test | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 15fcc21b503..347c72cc9ef 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -136,7 +136,7 @@ test ('Content-Security-Policy: font-src', async t => {
 })
 
 
-test.only ('Content-Security-Policy: object-src', async t => {
+test.only ("Content-Security-Policy: object-src 'none'", async t => {
 
   const
     server = serve ``
@@ -155,7 +155,7 @@ test.only ('Content-Security-Policy: object-src', async t => {
 })
 
 
-test ('Content-Security-Policy: plugin-types', async t => {
+test ("Content-Security-Policy: object-src 'self'; plugin-types", async t => {
 
   const
     server  = serve ``

From 021560e4c00805c36b80bb33aa83c39936ea272c Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 14:20:34 -0400
Subject: [PATCH 144/239] Add comment for when object-sr is NOT 'none'

---
 middleware/policy.test | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/middleware/policy.test b/middleware/policy.test
index 347c72cc9ef..952d89ea2ae 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -156,6 +156,8 @@ test.only ("Content-Security-Policy: object-src 'none'", async t => {
 
 
 test ("Content-Security-Policy: object-src 'self'; plugin-types", async t => {
+  // only available when object-src is NOT 'none'
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types#Examples
 
   const
     server  = serve ``

From 67f46740c5ae7f284aee195cc08f678eede29c6f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 19:17:06 -0400
Subject: [PATCH 145/239] Add not ok test for plugin-types

---
 middleware/policy.test | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 952d89ea2ae..de96cca22f5 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -141,14 +141,16 @@ test.only ("Content-Security-Policy: object-src 'none'", async t => {
   const
     server = serve ``
 
-  , policy
+  , { headers }
       = (await fetch ('http://localhost:8181/'))
-        .headers.get ('content-security-policy')
+
+  , policy = headers.get ('content-security-policy')
 
 
   console.warn (policy)
 
   t.ok ( policy.includes (`object-src 'none'`) )
+  t.notOk ( policy.includes (`plugin-types`) )
 
   server.close ``
   t.end ()

From 78176e043db6c91a33d07a6d351f47a47dcddeb1 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 19:18:23 -0400
Subject: [PATCH 146/239] Migrate plugin-types juxtaposed to object-src

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index e08e9494b18..4427f8bf2bd 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -99,6 +99,7 @@ const
   , `img-src ${ images.join ` ` }`
   , `font-src ${ fonts.join ` ` }`
   , `object-src ${ objects.join ` ` }`
+  , `plugin-types ${ plugins.join ` ` }`
   , `media-src ${ medias.join ` ` }`
   , `style-src ${ styles.join ` ` }`
   , `script-src ${ scripts.join ` ` }`
@@ -110,7 +111,6 @@ const
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
   , `sandbox ${ sandboxes.join ` ` }`
-  , `plugin-types ${ plugins.join ` ` }`
 
 //  Navigation Directives
   , `form-action ${ forms.join ` ` }`

From d4fca686ba8edf1b0839adb343fae1c78473a731 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 19:25:25 -0400
Subject: [PATCH 147/239] Remove CSP plugin-types when objects default to
 'none'

---
 middleware/policy.es | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 4427f8bf2bd..66320ae579e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -99,7 +99,9 @@ const
   , `img-src ${ images.join ` ` }`
   , `font-src ${ fonts.join ` ` }`
   , `object-src ${ objects.join ` ` }`
-  , `plugin-types ${ plugins.join ` ` }`
+  , !!! objects.includes (`'none'`)
+      ? `plugin-types ${ plugins.join ` ` }`
+      : ''
   , `media-src ${ medias.join ` ` }`
   , `style-src ${ styles.join ` ` }`
   , `script-src ${ scripts.join ` ` }`

From 2cd64bb9ffed8f99507927f6b45f271bfa8b3f92 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Sun, 1 Jul 2018 19:47:54 -0400
Subject: [PATCH 148/239] Fix whitespace with context set derectives

---
 middleware/policy.es | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 66320ae579e..8a4223d30d3 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -147,6 +147,5 @@ module.exports = options =>
       + ( 'report' in context.request.query ? '-Report-Only' : '' )
 
 
-    context
-      .set ( header, directives.join `; ` )
+    context .set ( header, directives.filter (Boolean).join `; ` )
   }

From 40a701c5617d06f969ab5adb64c8701dc796ed12 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 09:13:02 -0400
Subject: [PATCH 149/239] Refactor secure

---
 middleware/policy.es | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 8a4223d30d3..0eea474ae34 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -3,10 +3,10 @@
 
 const
 //schemes = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
-  defaults
-    = [`'self'`]
+  SECURE = true
 
-, SECURE = true
+, defaults
+    = [`'self'`]
 
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events

From af666818e6317f1ebeb11664e2333ce1f042ca91 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 09:13:18 -0400
Subject: [PATCH 150/239] Migrate await next within policy middleware

---
 middleware/policy.es | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 0eea474ae34..4450d83bd3d 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -135,9 +135,6 @@ module.exports = options =>
 
   async (context, next, header) => {
 
-    await next ()
-
-
     header
       = 'Content-Security-Policy'
 
@@ -146,6 +143,7 @@ module.exports = options =>
       // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
       + ( 'report' in context.request.query ? '-Report-Only' : '' )
 
-
     context .set ( header, directives.filter (Boolean).join `; ` )
+
+    await next ()
   }

From 3d57255953edf7135c176f0478e71f7e4f5b4814 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 09:25:17 -0400
Subject: [PATCH 151/239] Add middleware/policy.json

---
 middleware/policy.json | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 middleware/policy.json

diff --git a/middleware/policy.json b/middleware/policy.json
new file mode 100644
index 00000000000..b767dc284d5
--- /dev/null
+++ b/middleware/policy.json
@@ -0,0 +1,5 @@
+{
+  "default-src": [
+    "'self'"
+  ]
+}

From 52203c5b8afd802b62d9c9771e76df21263e4c01 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 09:25:33 -0400
Subject: [PATCH 152/239] Add image-src to policy.json

---
 middleware/policy.json | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/middleware/policy.json b/middleware/policy.json
index b767dc284d5..7b84f6c17b2 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -2,4 +2,9 @@
   "default-src": [
     "'self'"
   ]
+
+, "image-src": [
+    "'self'"
+  , /* */
+  ]
 }

From 482d2782778f1301f3ea4c81d0ef7d96c4fc14ef Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 09:25:48 -0400
Subject: [PATCH 153/239] Add script-src to policy.json

---
 middleware/policy.json | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/middleware/policy.json b/middleware/policy.json
index 7b84f6c17b2..0505ba22d66 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -7,4 +7,8 @@
     "'self'"
   , /* */
   ]
+
+, "script-src": [
+    "'self'"
+  ]
 }

From 5399fee2fdd37480b1b4eb91403d58d864cfb545 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:01:24 -0400
Subject: [PATCH 154/239] Convert image-src to img-src

---
 middleware/policy.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.json b/middleware/policy.json
index 0505ba22d66..a27a3f1359d 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -3,7 +3,7 @@
     "'self'"
   ]
 
-, "image-src": [
+, "img-src": [
     "'self'"
   , /* */
   ]

From c5cecc56a0cc8a3f598df51d79d9fa3eda08a82c Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:01:37 -0400
Subject: [PATCH 155/239] Use google analytics in img-src

---
 middleware/policy.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.json b/middleware/policy.json
index a27a3f1359d..4205052edf0 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -5,7 +5,7 @@
 
 , "img-src": [
     "'self'"
-  , /* */
+  , "https://www.google-analytics.com"
   ]
 
 , "script-src": [

From 1302079dcff39b166f01817e135ed36de39290d5 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:01:59 -0400
Subject: [PATCH 156/239] Add style-src to policy.json

---
 middleware/policy.json | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/middleware/policy.json b/middleware/policy.json
index 4205052edf0..2cbe750b126 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -11,4 +11,8 @@
 , "script-src": [
     "'self'"
   ]
+
+, "style-src": [
+    "'self'"
+  ]
 }

From f9c00b866bad077c422f1a4065ea71e53245fad9 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:02:57 -0400
Subject: [PATCH 157/239] Add report-uri to policy.json

---
 middleware/policy.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.json b/middleware/policy.json
index 2cbe750b126..d1b7a94024a 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -1,5 +1,7 @@
 {
-  "default-src": [
+  "report-uri" : "https://snuggsi.report-uri.com/r/d/csp/enforce"
+
+, "default-src" : [
     "'self'"
   ]
 

From 2026506545fa2e7b38e2544d6dce00a286dba280 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:03:02 -0400
Subject: [PATCH 158/239] Fix whitespace

---
 middleware/policy.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.json b/middleware/policy.json
index d1b7a94024a..e2ead8a8b48 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -5,16 +5,16 @@
     "'self'"
   ]
 
-, "img-src": [
+, "img-src" : [
     "'self'"
   , "https://www.google-analytics.com"
   ]
 
-, "script-src": [
+, "script-src" : [
     "'self'"
   ]
 
-, "style-src": [
+, "style-src" : [
     "'self'"
   ]
 }

From a1f99675f8b2a671874c3cd7b84928a54c786a54 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:03:34 -0400
Subject: [PATCH 159/239] Remove google analytics

---
 middleware/policy.json | 1 -
 1 file changed, 1 deletion(-)

diff --git a/middleware/policy.json b/middleware/policy.json
index e2ead8a8b48..9b1387286e0 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -7,7 +7,6 @@
 
 , "img-src" : [
     "'self'"
-  , "https://www.google-analytics.com"
   ]
 
 , "script-src" : [

From d655de1013ef1833ba82e7afdc9b2e6e1b3753e9 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:06:03 -0400
Subject: [PATCH 160/239] Fix whitespace for report-uri

---
 middleware/policy.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.json b/middleware/policy.json
index 9b1387286e0..fd4954e7da7 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -1,5 +1,6 @@
 {
-  "report-uri" : "https://snuggsi.report-uri.com/r/d/csp/enforce"
+  "report-uri"
+    : "https://snuggsi.report-uri.com/r/d/csp/enforce"
 
 , "default-src" : [
     "'self'"

From 03d4cd1f8c17210bdf0319cfa3c6702130daed34 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:10:42 -0400
Subject: [PATCH 161/239] Fix header level for resource/README.md

---
 resource/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resource/README.md b/resource/README.md
index 5b13b00ebd3..1fb188a0ed4 100644
--- a/resource/README.md
+++ b/resource/README.md
@@ -24,7 +24,7 @@
   - Context-Specific sniffing - https://mimesniff.spec.whatwg.org/#context-specific-sniffing
   
 
-## References
+# References
 
   - Rest Cookbook -  http://restcookbook.com/
   - HTTP Status Codes - https://httpstatuses.com/

From 9b8d28f6c593904aa340e72255274ae8756fc7cb Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:13:19 -0400
Subject: [PATCH 162/239] Add comment for updated require

---
 middleware/index.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/index.es b/middleware/index.es
index dc3ffb6c0ff..0650e60fd06 100644
--- a/middleware/index.es
+++ b/middleware/index.es
@@ -6,7 +6,7 @@ module.exports = {
   auth       : require ('./auth')
 , cors       : require ('./cors')
 , security   : require ('./security')
-, policy     : require ('./policy')
+, policy     : require ('./policy.es') // because .json ❓❓❓
 , browse     : require ('./browse')
 , snuggsi    : require ('./snuggsi')
 , route      : require ('./route')

From 348823a7edb0fc7837b75553da39cb9c43422028 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:14:13 -0400
Subject: [PATCH 163/239] Reorganize external links for request methods

---
 resource/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/resource/README.md b/resource/README.md
index 1fb188a0ed4..8d0950e1bd4 100644
--- a/resource/README.md
+++ b/resource/README.md
@@ -2,9 +2,9 @@
 
 ## Request Methods
 
-- HTTP Method Definitions - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
-- MDN Request Methods - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
 - Handling A Resource - https://mimesniff.spec.whatwg.org/#handling-a-resource
+- MDN Request Methods - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
+- HTTP Method Definitions - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
 
 
 ## Response Streams

From 5e325f7cd16f72abeca10796c5825640fa70a8ab Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:17:03 -0400
Subject: [PATCH 164/239] Add types to  definition in resource/README.md

---
 resource/README.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/resource/README.md b/resource/README.md
index 8d0950e1bd4..4309bcd9104 100644
--- a/resource/README.md
+++ b/resource/README.md
@@ -1,5 +1,14 @@
 # `Resource`
 
+## Types
+
+  A `Resource` (and for that matter (sub)`Resource` can be one of 4 media types (There will be more):
+
+  1. - `text/*`
+  2. - `image/*`
+  3. - `script/*`
+  4. - `style/*`
+
 ## Request Methods
 
 - Handling A Resource - https://mimesniff.spec.whatwg.org/#handling-a-resource

From 6a0927b2f836e718a851c54dfdf3bef50846a93a Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:17:44 -0400
Subject: [PATCH 165/239] Reorganize  definition in resource/README.md

---
 resource/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/resource/README.md b/resource/README.md
index 4309bcd9104..d21a5f384ba 100644
--- a/resource/README.md
+++ b/resource/README.md
@@ -6,8 +6,8 @@
 
   1. - `text/*`
   2. - `image/*`
-  3. - `script/*`
-  4. - `style/*`
+  3. - `style/*`
+  4. - `script/*`
 
 ## Request Methods
 

From c4f46d009b62c1a22d371e03094e698867a6eff8 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:17:55 -0400
Subject: [PATCH 166/239] Fix whitespace

---
 resource/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/resource/README.md b/resource/README.md
index d21a5f384ba..9add3c2a5a5 100644
--- a/resource/README.md
+++ b/resource/README.md
@@ -9,6 +9,7 @@
   3. - `style/*`
   4. - `script/*`
 
+
 ## Request Methods
 
 - Handling A Resource - https://mimesniff.spec.whatwg.org/#handling-a-resource

From 588a6610a1a874bf7ca0d27b707d8f1413b77234 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:18:40 -0400
Subject: [PATCH 167/239] Reorganize mime sniffing section

---
 resource/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resource/README.md b/resource/README.md
index 9add3c2a5a5..17e2a16f528 100644
--- a/resource/README.md
+++ b/resource/README.md
@@ -29,9 +29,9 @@
 ## MIME Sniffing
 
   - https://mimesniff.spec.whatwg.org/#javascript-mime-type
+  - Context-Specific sniffing - https://mimesniff.spec.whatwg.org/#context-specific-sniffing
   - Matching a MIME type pattern - https://mimesniff.spec.whatwg.org/#matching-a-mime-type-pattern
   - Determining the computed MIME type of a resource - https://mimesniff.spec.whatwg.org/#matching-an-image-type-pattern
-  - Context-Specific sniffing - https://mimesniff.spec.whatwg.org/#context-specific-sniffing
   
 
 # References

From 2a784752c936eae228797492b5eb9ab1ac723f0d Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:20:48 -0400
Subject: [PATCH 168/239] Fix comment bug LOLZ

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 4450d83bd3d..63f96a0819d 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -24,7 +24,7 @@ const
     // default-src fallback
     = defaults
 
-, images // image-src
+, images // img-src
     // default-src fallback
     = defaults
 

From bf4a839331e45fcf91058a2becb98c9974992628 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:24:26 -0400
Subject: [PATCH 169/239] Update default-src fallback comments

---
 middleware/policy.es | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 63f96a0819d..4f09ed57b41 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -6,6 +6,7 @@ const
   SECURE = true
 
 , defaults
+    // default-src fallback
     = [`'self'`]
 
 // Depending on analytics framework,
@@ -17,31 +18,24 @@ const
 
 , frames // frame-src
     // *DEPRECATED* child-src fallback
-    // default-src fallback
     = defaults
 
 , connects // connect-src
-    // default-src fallback
     = defaults
 
 , images // img-src
-    // default-src fallback
     = defaults
 
 , fonts // font-src
-    // default-src fallback
     = defaults
 
 , objects // object-src
-    // default-src fallback
     = [`'none'`]
 
 , medias // media-src
-    // default-src fallback
     = defaults
 
 , styles // style-src
-    // default-src fallback
     = defaults
 
 , scripts // Script Nonce for inline <script>

From 0ce788ada03dafd2f4c7389ccc8857349fd26528 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:28:41 -0400
Subject: [PATCH 170/239] Refactor policy variables

---
 middleware/policy.es | 34 ++++++++--------------------------
 1 file changed, 8 insertions(+), 26 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 4f09ed57b41..9817c03e99d 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -12,32 +12,14 @@ const
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
-, reports // report-to
-    // *DEPRECATED* report-uri
-    = ['https://snuggsi.report-uri.com/r/d/csp/enforce']
-
-, frames // frame-src
-    // *DEPRECATED* child-src fallback
-    = defaults
-
-, connects // connect-src
-    = defaults
-
-, images // img-src
-    = defaults
-
-, fonts // font-src
-    = defaults
-
-, objects // object-src
-    = [`'none'`]
-
-, medias // media-src
-    = defaults
-
-, styles // style-src
-    = defaults
-
+, reports  = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
+, frames   = defaults // frame-src // *DEPRECATED* child-src fallback
+, connects = defaults // connect-src
+, images   = defaults // img-src
+, fonts    = defaults // font-src
+, medias   = defaults // media-src
+, styles   = defaults // style-src
+, objects  = [`'none'`] // object-src
 , scripts // Script Nonce for inline <script>
     // nonce-${nonce} ** MUST BE UNIQUE **
     //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list

From 4e45f0b4e9a48845d25d646427bd9ece6c8d90ad Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:29:19 -0400
Subject: [PATCH 171/239] Refactor policy variables

---
 middleware/policy.es | 33 +++++++++++++++------------------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 9817c03e99d..ab2687334a9 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -5,29 +5,26 @@ const
 //schemes = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
   SECURE = true
 
-, defaults
-    // default-src fallback
-    = [`'self'`]
-
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
 , reports  = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
-, frames   = defaults // frame-src // *DEPRECATED* child-src fallback
-, connects = defaults // connect-src
-, images   = defaults // img-src
-, fonts    = defaults // font-src
-, medias   = defaults // media-src
-, styles   = defaults // style-src
+
+, defaults = [`'self'`] // default-src
+, images   = defaults   // img-src
+, styles   = defaults   // style-src
+
+  // nonce-${nonce} ** MUST BE UNIQUE **
+  //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
+  // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
+  // **THAT BEING SAID...For Safari 😢
+  // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
+, scripts  = defaults   // script-src Script Nonce for inline <script>
+, fonts    = defaults   // font-src
+, medias   = defaults   // media-src
+, frames   = defaults   // frame-src // *DEPRECATED* child-src fallback
+, connects = defaults   // connect-src
 , objects  = [`'none'`] // object-src
-, scripts // Script Nonce for inline <script>
-    // nonce-${nonce} ** MUST BE UNIQUE **
-    //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
-    // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
-    // **THAT BEING SAID...For Safari 😢
-    // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
-    // default-src fallback
-    = defaults
 
 , workers // worker-src
     // script-src fallback

From c2b14129584099bac2fc890abd19b303ab26dfda Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:30:15 -0400
Subject: [PATCH 172/239] Convert backticks to double quotes

---
 middleware/policy.es | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index ab2687334a9..d7bea293f6b 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -9,11 +9,9 @@ const
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
 , reports  = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
-
-, defaults = [`'self'`] // default-src
+, defaults = ["'self'"] // default-src
 , images   = defaults   // img-src
 , styles   = defaults   // style-src
-
   // nonce-${nonce} ** MUST BE UNIQUE **
   //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
   // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'

From 4064b943605116e23eba5aa191f672e94a61c7d8 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:30:19 -0400
Subject: [PATCH 173/239] Convert backticks to double quotes

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index d7bea293f6b..455eda18c4f 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -22,7 +22,7 @@ const
 , medias   = defaults   // media-src
 , frames   = defaults   // frame-src // *DEPRECATED* child-src fallback
 , connects = defaults   // connect-src
-, objects  = [`'none'`] // object-src
+, objects  = ["'none'"] // object-src
 
 , workers // worker-src
     // script-src fallback

From 969adc54ac9e388352e957f70a3c3c2854e556a1 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:30:44 -0400
Subject: [PATCH 174/239] Fix whitespace and comments

---
 middleware/policy.es | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 455eda18c4f..96c9aea9a40 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,5 +1,4 @@
-// Can actually charge for this feature
-// https://report-uri.com/#prices
+// Can actually charge for this feature // https://report-uri.com/#prices
 
 const
 //schemes = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']

From c2117a6b561257bb0314da6169551ce478296218 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:31:01 -0400
Subject: [PATCH 175/239] Update bases uri

---
 middleware/policy.es | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 96c9aea9a40..2200cd9ea1c 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -27,9 +27,7 @@ const
     // script-src fallback
     = scripts
 
-, bases // base-uri
-    // default-src fallback
-    = defaults
+, bases = defaults // base-uri
 
 , plugins // plugin-types
     // default-src fallback

From 8bb7e55aa5743c89c32195e6251b27dfd8f13b67 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:31:29 -0400
Subject: [PATCH 176/239] Update plugin types for security policy

---
 middleware/policy.es | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 2200cd9ea1c..e230dc542f8 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -27,11 +27,8 @@ const
     // script-src fallback
     = scripts
 
-, bases = defaults // base-uri
-
-, plugins // plugin-types
-    // default-src fallback
-    = ['audio/*', 'video/*']
+, bases   = defaults // base-uri
+, plugins = ['audio/*', 'video/*'] // plugin-types
 
 , forms // form-action
     // default-src fallback

From 3996f961ed65de8f429521600036ea3f51ea09f9 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:31:52 -0400
Subject: [PATCH 177/239] Update forms action for security policy

---
 middleware/policy.es | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index e230dc542f8..8ec7cde84b2 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -28,12 +28,9 @@ const
     = scripts
 
 , bases   = defaults // base-uri
+, forms   = defaults // form-action
 , plugins = ['audio/*', 'video/*'] // plugin-types
 
-, forms // form-action
-    // default-src fallback
-    = defaults
-
 , ancestors // frame-ancestors
     // default-src fallback
     = defaults

From f60cdbc7dc34d03d24b16b12532975892078ce52 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:32:21 -0400
Subject: [PATCH 178/239] Update frame-ancestors directive for Content Security
 Policy

---
 middleware/policy.es | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 8ec7cde84b2..5a335cb62a2 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -27,13 +27,10 @@ const
     // script-src fallback
     = scripts
 
-, bases   = defaults // base-uri
-, forms   = defaults // form-action
-, plugins = ['audio/*', 'video/*'] // plugin-types
-
-, ancestors // frame-ancestors
-    // default-src fallback
-    = defaults
+, bases     = defaults // base-uri
+, forms     = defaults // form-action
+, plugins   = ['audio/*', 'video/*'] // plugin-types
+, ancestors = defaults // frame-ancestors
 
 , sandboxes // sandbox
     // default-src fallback

From d48cad10629d16bbeb97cae16990a9d248750f37 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:33:13 -0400
Subject: [PATCH 179/239] Update worker-src for Content security policy

---
 middleware/policy.es | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 5a335cb62a2..eb2b98b6160 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -23,10 +23,7 @@ const
 , connects = defaults   // connect-src
 , objects  = ["'none'"] // object-src
 
-, workers // worker-src
-    // script-src fallback
-    = scripts
-
+, workers   = scripts // worker-src // script-src fallback
 , bases     = defaults // base-uri
 , forms     = defaults // form-action
 , plugins   = ['audio/*', 'video/*'] // plugin-types

From af3c327ddb1b1ebc1a3479857b1f6884018fc415 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:33:48 -0400
Subject: [PATCH 180/239] REorganize variables for Security policy

---
 middleware/policy.es | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index eb2b98b6160..9e46dc1dee6 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -21,13 +21,13 @@ const
 , medias   = defaults   // media-src
 , frames   = defaults   // frame-src // *DEPRECATED* child-src fallback
 , connects = defaults   // connect-src
-, objects  = ["'none'"] // object-src
-
-, workers   = scripts // worker-src // script-src fallback
 , bases     = defaults // base-uri
 , forms     = defaults // form-action
-, plugins   = ['audio/*', 'video/*'] // plugin-types
 , ancestors = defaults // frame-ancestors
+, workers   = scripts // worker-src // script-src fallback
+
+, objects  = ["'none'"] // object-src
+, plugins   = ['audio/*', 'video/*'] // plugin-types
 
 , sandboxes // sandbox
     // default-src fallback

From 0444664e184d26fbd425d3e385bd6bc29c9eecf2 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:35:01 -0400
Subject: [PATCH 181/239] Fix formatting of Content Security Policy constant
 variables

---
 middleware/policy.es | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 9e46dc1dee6..1b93f4e6e05 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -7,26 +7,25 @@ const
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
-, reports  = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
-, defaults = ["'self'"] // default-src
-, images   = defaults   // img-src
-, styles   = defaults   // style-src
+, reports   = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
+, defaults  = ["'self'"] // default-src
+, images    = defaults   // img-src
+, styles    = defaults   // style-src
   // nonce-${nonce} ** MUST BE UNIQUE **
   //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
   // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
   // **THAT BEING SAID...For Safari 😢
   // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
-, scripts  = defaults   // script-src Script Nonce for inline <script>
-, fonts    = defaults   // font-src
-, medias   = defaults   // media-src
-, frames   = defaults   // frame-src // *DEPRECATED* child-src fallback
-, connects = defaults   // connect-src
-, bases     = defaults // base-uri
-, forms     = defaults // form-action
-, ancestors = defaults // frame-ancestors
-, workers   = scripts // worker-src // script-src fallback
-
-, objects  = ["'none'"] // object-src
+, scripts   = defaults   // script-src Script Nonce for inline <script>
+, fonts     = defaults   // font-src
+, medias    = defaults   // media-src
+, frames    = defaults   // frame-src // *DEPRECATED* child-src fallback
+, connects  = defaults   // connect-src
+, bases     = defaults   // base-uri
+, forms     = defaults   // form-action
+, ancestors = defaults   // frame-ancestors
+, workers   = scripts    // worker-src // script-src fallback
+, objects   = ["'none'"] // object-src
 , plugins   = ['audio/*', 'video/*'] // plugin-types
 
 , sandboxes // sandbox

From a3c49b3b9999797750144995c1c72cef1bc638cc Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:37:31 -0400
Subject: [PATCH 182/239] Update sandbox directives for content security policy

---
 middleware/policy.es | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 1b93f4e6e05..8102f813f68 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -28,9 +28,8 @@ const
 , objects   = ["'none'"] // object-src
 , plugins   = ['audio/*', 'video/*'] // plugin-types
 
-, sandboxes // sandbox
-    // default-src fallback
-    = [/*
+, sandboxes = defaults ||// sandbox
+  [/*
       allow-forms
     , allow-popups
     , allow-modals
@@ -41,7 +40,7 @@ const
     , allow-top-navigation
     , allow-orientation-lock
     , allow-popups-to-escape-sandbox
-    */]
+  */]
 
 , directives = [
   // Reporting directives

From 49258cf8c889cb9dd8e714f0374146eb4cfd2990 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:38:03 -0400
Subject: [PATCH 183/239] Fix context.set variable

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 8102f813f68..92a654cded0 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -97,7 +97,7 @@ module.exports = options =>
       // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
       + ( 'report' in context.request.query ? '-Report-Only' : '' )
 
-    context .set ( header, directives.filter (Boolean).join `; ` )
+    context.set ( header, directives.filter (Boolean).join `; ` )
 
     await next ()
   }

From e5716b107fd563f7590f8f952c1101a0b9850926 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:39:16 -0400
Subject: [PATCH 184/239] Migrate header variable

---
 middleware/policy.es | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 92a654cded0..969fd4cf4ce 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -2,8 +2,8 @@
 
 const
 //schemes = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
-  SECURE = true
-
+  SECURE  = true
+, header  = 'Content-Security-Policy'
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
@@ -89,9 +89,6 @@ module.exports = options =>
 
   async (context, next, header) => {
 
-    header
-      = 'Content-Security-Policy'
-
       // Is this a security breach?
       // Will someone be able to disable CSP with this?
       // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

From 45c0040dac6179772a4792f4cc0a3b616d905cab Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:40:20 -0400
Subject: [PATCH 185/239] Remove header variable from method signature

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 969fd4cf4ce..d3882b44ec8 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -87,7 +87,7 @@ const
 
 module.exports = options =>
 
-  async (context, next, header) => {
+  async (context, next) => {
 
       // Is this a security breach?
       // Will someone be able to disable CSP with this?

From 47ef6ee787059ede626c94a67ecd0280bdf82698 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:46:57 -0400
Subject: [PATCH 186/239] Refactor policy to be a middleware signature

---
 middleware/policy.es | 12 +++++-------
 server/index.es      |  2 +-
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index d3882b44ec8..76f64b60f9a 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -85,14 +85,12 @@ const
   ]
 
 
-module.exports = options =>
+module.exports = async (context, next) => {
 
-  async (context, next) => {
-
-      // Is this a security breach?
-      // Will someone be able to disable CSP with this?
-      // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-      + ( 'report' in context.request.query ? '-Report-Only' : '' )
+    // Is this a security breach?
+    // Will someone be able to disable CSP with this?
+    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+    'report' in context.request.query && (header += '-Report-Only')
 
     context.set ( header, directives.filter (Boolean).join `; ` )
 
diff --git a/server/index.es b/server/index.es
index 8c069c89600..585a79691f4 100644
--- a/server/index.es
+++ b/server/index.es
@@ -10,7 +10,7 @@ module.exports = class extends require ('koa') {
     for (let slice of [
       cors        // why is this NOT a function...
     , security `` // and this IS a function?
-    , policy ()   // and this IS a function?
+    , policy
     , ... middleware
     , snuggsi
     ]) this.use (slice)

From 39db5363807e918f15072f4912e0d668658cd89c Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:48:39 -0400
Subject: [PATCH 187/239] Send context to next in policy.es

---
 middleware/policy.es | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 76f64b60f9a..c817d895969 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -87,12 +87,12 @@ const
 
 module.exports = async (context, next) => {
 
-    // Is this a security breach?
-    // Will someone be able to disable CSP with this?
-    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-    'report' in context.request.query && (header += '-Report-Only')
+  // Is this a security breach?
+  // Will someone be able to disable CSP with this?
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+  'report' in context.request.query && (header += '-Report-Only')
 
-    context.set ( header, directives.filter (Boolean).join `; ` )
+  context.set ( header, directives.filter (Boolean).join `; ` )
 
-    await next ()
-  }
+  await next (context)
+}

From 9e72ad453f43484af2735c3c6a7d350783468c60 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:49:18 -0400
Subject: [PATCH 188/239] Updte security breach comment

---
 middleware/policy.es | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index c817d895969..d8072eeeea0 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -87,8 +87,7 @@ const
 
 module.exports = async (context, next) => {
 
-  // Is this a security breach?
-  // Will someone be able to disable CSP with this?
+  // Is this a security breach? Will someone be able to disable CSP with this?
   // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
   'report' in context.request.query && (header += '-Report-Only')
 

From 57b7e3c178765f0f89b619e8958e5a8e8f06d716 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:49:32 -0400
Subject: [PATCH 189/239] Convert to backticks for report

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index d8072eeeea0..f9fc2a50268 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -89,7 +89,7 @@ module.exports = async (context, next) => {
 
   // Is this a security breach? Will someone be able to disable CSP with this?
   // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-  'report' in context.request.query && (header += '-Report-Only')
+  `report` in context.request.query && (header += '-Report-Only')
 
   context.set ( header, directives.filter (Boolean).join `; ` )
 

From 62fc4dc255d59eddb4b94551f7b90636824cf8be Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:51:17 -0400
Subject: [PATCH 190/239] Update report variable for policy.es

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index f9fc2a50268..79f0e8a1e4c 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -7,7 +7,7 @@ const
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
-, reports   = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
+, report    = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
 , defaults  = ["'self'"] // default-src
 , images    = defaults   // img-src
 , styles    = defaults   // style-src
@@ -44,7 +44,7 @@ const
 
 , directives = [
   // Reporting directives
-    `report-to ${ reports.join ` ` }`
+    `report-to ${ report.join ` ` }`
 
   // Fetch directives
   , `default-src ${ defaults.join ` ` }`

From 18792eb737feb24cd59edfa3adbf78852d51e46f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:53:14 -0400
Subject: [PATCH 191/239] Update frames position in variable stack

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 79f0e8a1e4c..3a04ee64792 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -19,11 +19,11 @@ const
 , scripts   = defaults   // script-src Script Nonce for inline <script>
 , fonts     = defaults   // font-src
 , medias    = defaults   // media-src
-, frames    = defaults   // frame-src // *DEPRECATED* child-src fallback
 , connects  = defaults   // connect-src
 , bases     = defaults   // base-uri
 , forms     = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
+, frames    = defaults   // frame-src // *DEPRECATED* child-src fallback
 , workers   = scripts    // worker-src // script-src fallback
 , objects   = ["'none'"] // object-src
 , plugins   = ['audio/*', 'video/*'] // plugin-types

From 3e64d98117155111566488bf389bf3c1e3d40eda Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:53:50 -0400
Subject: [PATCH 192/239] Update img-src variable name for Content Security
 Policy

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 3a04ee64792..deedd5cf03f 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -9,7 +9,7 @@ const
 // with JavaScript and collect more information about the client before reporting.
 , report    = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
 , defaults  = ["'self'"] // default-src
-, images    = defaults   // img-src
+, img       = defaults   // img-src
 , styles    = defaults   // style-src
   // nonce-${nonce} ** MUST BE UNIQUE **
   //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
@@ -50,7 +50,7 @@ const
   , `default-src ${ defaults.join ` ` }`
   , `frame-src ${ frames.join ` ` }`
   , `connect-src ${ connects.join ` ` }`
-  , `img-src ${ images.join ` ` }`
+  , `img-src ${ img.join ` ` }`
   , `font-src ${ fonts.join ` ` }`
   , `object-src ${ objects.join ` ` }`
   , !!! objects.includes (`'none'`)

From 2d84f833fa4ea524929f4a3cfb0d416023548c51 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:56:02 -0400
Subject: [PATCH 193/239] Update style variable

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index deedd5cf03f..9fd2f7504a7 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -10,7 +10,7 @@ const
 , report    = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
 , defaults  = ["'self'"] // default-src
 , img       = defaults   // img-src
-, styles    = defaults   // style-src
+, style     = defaults   // style-src
   // nonce-${nonce} ** MUST BE UNIQUE **
   //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
   // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'

From 7b3b338df348a5a4f4aa9c3cdeecfd7e18b0edee Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:56:19 -0400
Subject: [PATCH 194/239] Reorganize directives for content security policy

---
 middleware/policy.es | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 9fd2f7504a7..c68e8778c71 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -26,7 +26,7 @@ const
 , frames    = defaults   // frame-src // *DEPRECATED* child-src fallback
 , workers   = scripts    // worker-src // script-src fallback
 , objects   = ["'none'"] // object-src
-, plugins   = ['audio/*', 'video/*'] // plugin-types
+, plugins   = ['audio/*', 'video/*'] // plugin-types when object != 'none'
 
 , sandboxes = defaults ||// sandbox
   [/*
@@ -48,17 +48,17 @@ const
 
   // Fetch directives
   , `default-src ${ defaults.join ` ` }`
+  , `img-src ${ img.join ` ` }`
+  , `style-src ${ style.join ` ` }`
+  , `script-src ${ scripts.join ` ` }`
   , `frame-src ${ frames.join ` ` }`
   , `connect-src ${ connects.join ` ` }`
-  , `img-src ${ img.join ` ` }`
   , `font-src ${ fonts.join ` ` }`
   , `object-src ${ objects.join ` ` }`
   , !!! objects.includes (`'none'`)
       ? `plugin-types ${ plugins.join ` ` }`
       : ''
   , `media-src ${ medias.join ` ` }`
-  , `style-src ${ styles.join ` ` }`
-  , `script-src ${ scripts.join ` ` }`
   , `worker-src ${ workers.join ` ` }`
 
 // Document directives

From 132f4cbeae2b0a7167d2e6848952b1d09b6bc4e5 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:56:47 -0400
Subject: [PATCH 195/239] Update sandbox directive for content security policy

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index c68e8778c71..7253f30e541 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -62,11 +62,11 @@ const
   , `worker-src ${ workers.join ` ` }`
 
 // Document directives
+  , `sandbox ${ sandboxes.join ` ` }`
   , `base-uri ${ bases.join ` ` }`
   //  `sandbox  ...` is not supported in the <meta> element
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
-  , `sandbox ${ sandboxes.join ` ` }`
 
 //  Navigation Directives
   , `form-action ${ forms.join ` ` }`

From c97ac17026ca4be1fa67d763ac2498365e1e512f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:57:50 -0400
Subject: [PATCH 196/239] Update worker-src for CSP

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 7253f30e541..fac9e28b71e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -24,7 +24,7 @@ const
 , forms     = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
 , frames    = defaults   // frame-src // *DEPRECATED* child-src fallback
-, workers   = scripts    // worker-src // script-src fallback
+, worker    = scripts    // worker-src // script-src fallback
 , objects   = ["'none'"] // object-src
 , plugins   = ['audio/*', 'video/*'] // plugin-types when object != 'none'
 
@@ -54,12 +54,12 @@ const
   , `frame-src ${ frames.join ` ` }`
   , `connect-src ${ connects.join ` ` }`
   , `font-src ${ fonts.join ` ` }`
+  , `worker-src ${ worker.join ` ` }`
   , `object-src ${ objects.join ` ` }`
   , !!! objects.includes (`'none'`)
       ? `plugin-types ${ plugins.join ` ` }`
       : ''
   , `media-src ${ medias.join ` ` }`
-  , `worker-src ${ workers.join ` ` }`
 
 // Document directives
   , `sandbox ${ sandboxes.join ` ` }`

From d543700b20fe4babe723a4020558db97f1db3cf5 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 10:58:22 -0400
Subject: [PATCH 197/239] Update script-src

---
 middleware/policy.es | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index fac9e28b71e..0d2f1ec0c55 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -16,7 +16,7 @@ const
   // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
   // **THAT BEING SAID...For Safari 😢
   // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
-, scripts   = defaults   // script-src Script Nonce for inline <script>
+, script    = defaults   // script-src Script Nonce for inline <script>
 , fonts     = defaults   // font-src
 , medias    = defaults   // media-src
 , connects  = defaults   // connect-src
@@ -24,7 +24,7 @@ const
 , forms     = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
 , frames    = defaults   // frame-src // *DEPRECATED* child-src fallback
-, worker    = scripts    // worker-src // script-src fallback
+, worker    = script     // worker-src // script-src fallback
 , objects   = ["'none'"] // object-src
 , plugins   = ['audio/*', 'video/*'] // plugin-types when object != 'none'
 
@@ -50,7 +50,7 @@ const
   , `default-src ${ defaults.join ` ` }`
   , `img-src ${ img.join ` ` }`
   , `style-src ${ style.join ` ` }`
-  , `script-src ${ scripts.join ` ` }`
+  , `script-src ${ script.join ` ` }`
   , `frame-src ${ frames.join ` ` }`
   , `connect-src ${ connects.join ` ` }`
   , `font-src ${ fonts.join ` ` }`

From 7b76686e44568d18413297e49016cae871a4f660 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:00:10 -0400
Subject: [PATCH 198/239] Update frame-src for CSP

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 0d2f1ec0c55..0e3670e19d6 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -23,7 +23,7 @@ const
 , bases     = defaults   // base-uri
 , forms     = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
-, frames    = defaults   // frame-src // *DEPRECATED* child-src fallback
+, frame     = defaults   // frame-src // *DEPRECATED* child-src fallback
 , worker    = script     // worker-src // script-src fallback
 , objects   = ["'none'"] // object-src
 , plugins   = ['audio/*', 'video/*'] // plugin-types when object != 'none'
@@ -51,7 +51,7 @@ const
   , `img-src ${ img.join ` ` }`
   , `style-src ${ style.join ` ` }`
   , `script-src ${ script.join ` ` }`
-  , `frame-src ${ frames.join ` ` }`
+  , `frame-src ${ frame.join ` ` }`
   , `connect-src ${ connects.join ` ` }`
   , `font-src ${ fonts.join ` ` }`
   , `worker-src ${ worker.join ` ` }`

From 17ccd1a28ce7eef290a79155945252179e40b5fb Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:00:53 -0400
Subject: [PATCH 199/239] Update font-src for content security policy

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 0e3670e19d6..44f4c4f3561 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -17,7 +17,7 @@ const
   // **THAT BEING SAID...For Safari 😢
   // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
 , script    = defaults   // script-src Script Nonce for inline <script>
-, fonts     = defaults   // font-src
+, font      = defaults   // font-src
 , medias    = defaults   // media-src
 , connects  = defaults   // connect-src
 , bases     = defaults   // base-uri
@@ -51,9 +51,9 @@ const
   , `img-src ${ img.join ` ` }`
   , `style-src ${ style.join ` ` }`
   , `script-src ${ script.join ` ` }`
+  , `font-src ${ font.join ` ` }`
   , `frame-src ${ frame.join ` ` }`
   , `connect-src ${ connects.join ` ` }`
-  , `font-src ${ fonts.join ` ` }`
   , `worker-src ${ worker.join ` ` }`
   , `object-src ${ objects.join ` ` }`
   , !!! objects.includes (`'none'`)

From e1d630fd50433f81f388674dd529f7445a948697 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:01:33 -0400
Subject: [PATCH 200/239] Update media-src directive for Content Security
 Policy

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 44f4c4f3561..75d07b6619e 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -18,7 +18,7 @@ const
   // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
 , script    = defaults   // script-src Script Nonce for inline <script>
 , font      = defaults   // font-src
-, medias    = defaults   // media-src
+, media     = defaults   // media-src
 , connects  = defaults   // connect-src
 , bases     = defaults   // base-uri
 , forms     = defaults   // form-action
@@ -52,6 +52,7 @@ const
   , `style-src ${ style.join ` ` }`
   , `script-src ${ script.join ` ` }`
   , `font-src ${ font.join ` ` }`
+  , `media-src ${ media.join ` ` }`
   , `frame-src ${ frame.join ` ` }`
   , `connect-src ${ connects.join ` ` }`
   , `worker-src ${ worker.join ` ` }`
@@ -59,7 +60,6 @@ const
   , !!! objects.includes (`'none'`)
       ? `plugin-types ${ plugins.join ` ` }`
       : ''
-  , `media-src ${ medias.join ` ` }`
 
 // Document directives
   , `sandbox ${ sandboxes.join ` ` }`

From 8849626e092ad3d72c6bfe4ec6e7e66cda813f78 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:02:10 -0400
Subject: [PATCH 201/239] Convert Policy variable from connects to connect for
 CSP directive

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 75d07b6619e..ba3f5b7b108 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -19,7 +19,7 @@ const
 , script    = defaults   // script-src Script Nonce for inline <script>
 , font      = defaults   // font-src
 , media     = defaults   // media-src
-, connects  = defaults   // connect-src
+, connect   = defaults   // connect-src
 , bases     = defaults   // base-uri
 , forms     = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
@@ -53,8 +53,8 @@ const
   , `script-src ${ script.join ` ` }`
   , `font-src ${ font.join ` ` }`
   , `media-src ${ media.join ` ` }`
+  , `connect-src ${ connect.join ` ` }`
   , `frame-src ${ frame.join ` ` }`
-  , `connect-src ${ connects.join ` ` }`
   , `worker-src ${ worker.join ` ` }`
   , `object-src ${ objects.join ` ` }`
   , !!! objects.includes (`'none'`)

From 46dc4708ea08e828b2625c2e4763516c84ababba Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:03:16 -0400
Subject: [PATCH 202/239] Convert Policy variable from bases to base for CSP
 directive

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index ba3f5b7b108..a844422f2db 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -20,7 +20,6 @@ const
 , font      = defaults   // font-src
 , media     = defaults   // media-src
 , connect   = defaults   // connect-src
-, bases     = defaults   // base-uri
 , forms     = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
 , frame     = defaults   // frame-src // *DEPRECATED* child-src fallback
@@ -28,6 +27,7 @@ const
 , objects   = ["'none'"] // object-src
 , plugins   = ['audio/*', 'video/*'] // plugin-types when object != 'none'
 
+, base      = defaults   // base-uri
 , sandboxes = defaults ||// sandbox
   [/*
       allow-forms
@@ -62,8 +62,8 @@ const
       : ''
 
 // Document directives
+  , `base-uri ${ base.join ` ` }`
   , `sandbox ${ sandboxes.join ` ` }`
-  , `base-uri ${ bases.join ` ` }`
   //  `sandbox  ...` is not supported in the <meta> element
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox

From b87ceffd092be5afda43388bf102d2d4faedf4ce Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:04:17 -0400
Subject: [PATCH 203/239] Update Navigation Directives for Content Security
 Policy

---
 middleware/policy.es | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index a844422f2db..4313e2f0504 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -20,7 +20,7 @@ const
 , font      = defaults   // font-src
 , media     = defaults   // media-src
 , connect   = defaults   // connect-src
-, forms     = defaults   // form-action
+, form      = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
 , frame     = defaults   // frame-src // *DEPRECATED* child-src fallback
 , worker    = script     // worker-src // script-src fallback
@@ -61,6 +61,10 @@ const
       ? `plugin-types ${ plugins.join ` ` }`
       : ''
 
+//  Navigation Directives
+  , `form-action ${ form.join ` ` }`
+  , `frame-ancestors ${ ancestors.join ` ` }`
+
 // Document directives
   , `base-uri ${ base.join ` ` }`
   , `sandbox ${ sandboxes.join ` ` }`
@@ -68,10 +72,6 @@ const
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
 
-//  Navigation Directives
-  , `form-action ${ forms.join ` ` }`
-  , `frame-ancestors ${ ancestors.join ` ` }`
-
 //  // Other directives
 //  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
   , (SECURE ? `block-all-mixed-content` : `update-insecure-requests`)

From 2df3ee1a573524c291c4730ad94adfb5c9ef29bf Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:06:21 -0400
Subject: [PATCH 204/239] Reorder variables for CSP

---
 middleware/policy.es | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 4313e2f0504..8d7e97930fa 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -20,13 +20,12 @@ const
 , font      = defaults   // font-src
 , media     = defaults   // media-src
 , connect   = defaults   // connect-src
-, form      = defaults   // form-action
-, ancestors = defaults   // frame-ancestors
 , frame     = defaults   // frame-src // *DEPRECATED* child-src fallback
 , worker    = script     // worker-src // script-src fallback
-, objects   = ["'none'"] // object-src
+, object    = ["'none'"] // object-src
 , plugins   = ['audio/*', 'video/*'] // plugin-types when object != 'none'
-
+, form      = defaults   // form-action
+, ancestors = defaults   // frame-ancestors
 , base      = defaults   // base-uri
 , sandboxes = defaults ||// sandbox
   [/*
@@ -56,7 +55,7 @@ const
   , `connect-src ${ connect.join ` ` }`
   , `frame-src ${ frame.join ` ` }`
   , `worker-src ${ worker.join ` ` }`
-  , `object-src ${ objects.join ` ` }`
+  , `object-src ${ object.join ` ` }`
   , !!! objects.includes (`'none'`)
       ? `plugin-types ${ plugins.join ` ` }`
       : ''

From 272ea628c6997b4a26b1dc420eb0a2166ff7789a Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:06:51 -0400
Subject: [PATCH 205/239] Update plugin-types variable for CSP

---
 middleware/policy.es | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 8d7e97930fa..8b1d3c21816 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -23,7 +23,7 @@ const
 , frame     = defaults   // frame-src // *DEPRECATED* child-src fallback
 , worker    = script     // worker-src // script-src fallback
 , object    = ["'none'"] // object-src
-, plugins   = ['audio/*', 'video/*'] // plugin-types when object != 'none'
+, plugin    = ['audio/*', 'video/*'] // plugin-types when object != 'none'
 , form      = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
 , base      = defaults   // base-uri
@@ -57,7 +57,7 @@ const
   , `worker-src ${ worker.join ` ` }`
   , `object-src ${ object.join ` ` }`
   , !!! objects.includes (`'none'`)
-      ? `plugin-types ${ plugins.join ` ` }`
+      ? `plugin-types ${ plugin.join ` ` }`
       : ''
 
 //  Navigation Directives

From 3f7d80340178bc8cfdfb2ba4966b608cdaddf2da Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:09:15 -0400
Subject: [PATCH 206/239] Fix bug in objects variable

---
 middleware/policy.es | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 8b1d3c21816..31e91c5aa93 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -27,7 +27,7 @@ const
 , form      = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
 , base      = defaults   // base-uri
-, sandboxes = defaults ||// sandbox
+, sandboxe  = defaults ||// sandbox
   [/*
       allow-forms
     , allow-popups
@@ -56,7 +56,7 @@ const
   , `frame-src ${ frame.join ` ` }`
   , `worker-src ${ worker.join ` ` }`
   , `object-src ${ object.join ` ` }`
-  , !!! objects.includes (`'none'`)
+  , !!! object.includes (`'none'`)
       ? `plugin-types ${ plugin.join ` ` }`
       : ''
 
@@ -66,7 +66,7 @@ const
 
 // Document directives
   , `base-uri ${ base.join ` ` }`
-  , `sandbox ${ sandboxes.join ` ` }`
+  , `sandbox ${ sandboxe.join ` ` }`
   //  `sandbox  ...` is not supported in the <meta> element
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
@@ -74,11 +74,9 @@ const
 //  // Other directives
 //  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
   , (SECURE ? `block-all-mixed-content` : `update-insecure-requests`)
-
 //  // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
 //  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
 //  , `require-sri-for ${ integrities.join ` ` }`
-
 //  // DEPRECATED!! See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 //  , `referrer`
   ]

From 2a933b119e694c6e900fb7e04ebc1e4e1ee0f6fd Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:09:25 -0400
Subject: [PATCH 207/239] Fix bug in sandbox variable

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 31e91c5aa93..ed3701b15b9 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -27,7 +27,7 @@ const
 , form      = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
 , base      = defaults   // base-uri
-, sandboxe  = defaults ||// sandbox
+, sandbox   = defaults ||// sandbox
   [/*
       allow-forms
     , allow-popups

From 28618d81ef5c0045cbcec15eb162b3ba08b14197 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:11:00 -0400
Subject: [PATCH 208/239] Fix indentation level of sandbox defaults

---
 middleware/policy.es | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index ed3701b15b9..48a9e970388 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -29,16 +29,16 @@ const
 , base      = defaults   // base-uri
 , sandbox   = defaults ||// sandbox
   [/*
-      allow-forms
-    , allow-popups
-    , allow-modals
-    , allow-scripts
-    , allow-same-origin
-    , allow-presentation
-    , allow-pointer-lock
-    , allow-top-navigation
-    , allow-orientation-lock
-    , allow-popups-to-escape-sandbox
+    allow-forms
+  , allow-popups
+  , allow-modals
+  , allow-scripts
+  , allow-same-origin
+  , allow-presentation
+  , allow-pointer-lock
+  , allow-top-navigation
+  , allow-orientation-lock
+  , allow-popups-to-escape-sandbox
   */]
 
 , directives = [

From ddb4061665e05f1efdd78fded3097262a01592e3 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:11:26 -0400
Subject: [PATCH 209/239] Fix bug in sandbox variable

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 48a9e970388..b7e2d0f7829 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -66,7 +66,7 @@ const
 
 // Document directives
   , `base-uri ${ base.join ` ` }`
-  , `sandbox ${ sandboxe.join ` ` }`
+  , `sandbox ${ sandbox.join ` ` }`
   //  `sandbox  ...` is not supported in the <meta> element
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox

From 3989fe2dfd4ff756bf19efb537dd57ba134b7109 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:12:30 -0400
Subject: [PATCH 210/239] Fix indentation level of SECURE, header, and scheme
 variables for CSP

---
 middleware/policy.es | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index b7e2d0f7829..72503428ff9 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,9 +1,9 @@
 // Can actually charge for this feature // https://report-uri.com/#prices
 
 const
-//schemes = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
-  SECURE  = true
-, header  = 'Content-Security-Policy'
+//schemes   = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
+  SECURE    = true
+, header    = 'Content-Security-Policy'
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.

From 6ef46d995b2a975d7fd0d9eac63ff2efdda9290f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:29:52 -0400
Subject: [PATCH 211/239] Add whitespace to CSP directive variable declarations

---
 middleware/policy.es | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/middleware/policy.es b/middleware/policy.es
index 72503428ff9..1782e3a3f93 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -8,6 +8,7 @@ const
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
 , report    = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
+
 , defaults  = ["'self'"] // default-src
 , img       = defaults   // img-src
 , style     = defaults   // style-src
@@ -17,6 +18,7 @@ const
   // **THAT BEING SAID...For Safari 😢
   // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
 , script    = defaults   // script-src Script Nonce for inline <script>
+
 , font      = defaults   // font-src
 , media     = defaults   // media-src
 , connect   = defaults   // connect-src
@@ -24,8 +26,10 @@ const
 , worker    = script     // worker-src // script-src fallback
 , object    = ["'none'"] // object-src
 , plugin    = ['audio/*', 'video/*'] // plugin-types when object != 'none'
+
 , form      = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
+
 , base      = defaults   // base-uri
 , sandbox   = defaults ||// sandbox
   [/*
@@ -50,6 +54,7 @@ const
   , `img-src ${ img.join ` ` }`
   , `style-src ${ style.join ` ` }`
   , `script-src ${ script.join ` ` }`
+
   , `font-src ${ font.join ` ` }`
   , `media-src ${ media.join ` ` }`
   , `connect-src ${ connect.join ` ` }`

From 9f3f2b8031c361d3e62bdc2f74dcb80d825e5378 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:31:18 -0400
Subject: [PATCH 212/239] Add comments for Document directives

---
 middleware/policy.es | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 1782e3a3f93..2d3df4842fc 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -71,19 +71,19 @@ const
 
 // Document directives
   , `base-uri ${ base.join ` ` }`
-  , `sandbox ${ sandbox.join ` ` }`
   //  `sandbox  ...` is not supported in the <meta> element
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
+  , `sandbox ${ sandbox.join ` ` }`
 
-//  // Other directives
-//  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
+  // Other directives
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
   , (SECURE ? `block-all-mixed-content` : `update-insecure-requests`)
-//  // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
-//  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
-//  , `require-sri-for ${ integrities.join ` ` }`
-//  // DEPRECATED!! See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
-//  , `referrer`
+  // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
+//, `require-sri-for ${ integrities.join ` ` }`
+  // DEPRECATED!! See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+//, `referrer`
   ]
 
 

From 96079bb9cbb53055a6fa8fcb130112a956fddb1e Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:41:38 -0400
Subject: [PATCH 213/239] Update comments for directive section

---
 middleware/policy.es | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 2d3df4842fc..a7c4e31b16f 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -46,10 +46,10 @@ const
   */]
 
 , directives = [
-  // Reporting directives
+  // Reporting
     `report-to ${ report.join ` ` }`
 
-  // Fetch directives
+  // Fetch
   , `default-src ${ defaults.join ` ` }`
   , `img-src ${ img.join ` ` }`
   , `style-src ${ style.join ` ` }`
@@ -65,18 +65,18 @@ const
       ? `plugin-types ${ plugin.join ` ` }`
       : ''
 
-//  Navigation Directives
+//  Navigation
   , `form-action ${ form.join ` ` }`
   , `frame-ancestors ${ ancestors.join ` ` }`
 
-// Document directives
+// Document
   , `base-uri ${ base.join ` ` }`
   //  `sandbox  ...` is not supported in the <meta> element
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
   , `sandbox ${ sandbox.join ` ` }`
 
-  // Other directives
+  // Other
   // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
   , (SECURE ? `block-all-mixed-content` : `update-insecure-requests`)
   // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

From 2e6a867e06f4075d393a732981dd92c59328228d Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:44:29 -0400
Subject: [PATCH 214/239] Add secure variable to policy.json

---
 middleware/policy.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.json b/middleware/policy.json
index fd4954e7da7..377ad948b29 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -1,5 +1,7 @@
 {
-  "report-uri"
+  "secure" : true
+
+, "report-uri"
     : "https://snuggsi.report-uri.com/r/d/csp/enforce"
 
 , "default-src" : [

From ef090383a066bd731e6f7fc69c0f4d5cfc6967c0 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:45:24 -0400
Subject: [PATCH 215/239] Reorganizee keys within policy.json

---
 middleware/policy.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.json b/middleware/policy.json
index 377ad948b29..5491364c680 100644
--- a/middleware/policy.json
+++ b/middleware/policy.json
@@ -12,11 +12,11 @@
     "'self'"
   ]
 
-, "script-src" : [
+, "style-src" : [
     "'self'"
   ]
 
-, "style-src" : [
+, "script-src" : [
     "'self'"
   ]
 }

From b9793b6a9dde31a31985d84e2084a2ba4a1d5655 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:49:01 -0400
Subject: [PATCH 216/239] Update SECURE for update insecure requests and
 blocking mixed content

---
 middleware/policy.es | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index a7c4e31b16f..9a94c19a8a2 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -78,7 +78,9 @@ const
 
   // Other
   // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
-  , (SECURE ? `block-all-mixed-content` : `update-insecure-requests`)
+  , SECURE
+      ? `block-all-mixed-content`
+      : `update-insecure-requests`
   // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
   // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
 //, `require-sri-for ${ integrities.join ` ` }`

From 0749ab69e05d1476294f556d06234b4ed6dca3db Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:50:51 -0400
Subject: [PATCH 217/239] Remove using backticks

---
 middleware/policy.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 9a94c19a8a2..3dd1fda984d 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -93,7 +93,7 @@ module.exports = async (context, next) => {
 
   // Is this a security breach? Will someone be able to disable CSP with this?
   // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-  `report` in context.request.query && (header += '-Report-Only')
+  'report' in context.request.query && (header += '-Report-Only')
 
   context.set ( header, directives.filter (Boolean).join `; ` )
 

From 8741b0c786d9385c3f92a3f0ad47d6727f2e03cc Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:55:29 -0400
Subject: [PATCH 218/239] Fix bug related to
 Content-Security-Policy-Report-Only

---
 middleware/policy.es   | 4 +++-
 middleware/policy.test | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 3dd1fda984d..5c65a578cb5 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,9 +1,11 @@
 // Can actually charge for this feature // https://report-uri.com/#prices
 
+let
+  header    = 'Content-Security-Policy'
+
 const
 //schemes   = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
   SECURE    = true
-, header    = 'Content-Security-Policy'
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
diff --git a/middleware/policy.test b/middleware/policy.test
index de96cca22f5..beaf9648de1 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -11,7 +11,7 @@ const
 test ('calling next middleware')
 
 
-test ('Content-Security-Policy-Report-Only', async t => {
+test.only ('Content-Security-Policy-Report-Only', async t => {
 
   const
     server = (new Server).serve ``
@@ -136,7 +136,7 @@ test ('Content-Security-Policy: font-src', async t => {
 })
 
 
-test.only ("Content-Security-Policy: object-src 'none'", async t => {
+test ("Content-Security-Policy: object-src 'none'", async t => {
 
   const
     server = serve ``

From 6c090aa821503e39b62bbe28ca5493dfc173e927 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 11:59:40 -0400
Subject: [PATCH 219/239] Refactor Content-Security-Policy-Report-Only test

---
 middleware/policy.test | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index beaf9648de1..be22bbb48e8 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -14,18 +14,17 @@ test ('calling next middleware')
 test.only ('Content-Security-Policy-Report-Only', async t => {
 
   const
-    server = (new Server).serve ``
+    server = serve ``
 
-    // notice ?report
-  , response = await
-      fetch ('http://localhost:8181/?report')
+  , { headers }
+      = await fetch ('http://localhost:8181/?report')
 
 
   t.notOk
-    ( response.headers.get ('Content-Security-Policy') )
+    ( headers.get ('Content-Security-Policy') )
 
   t.ok
-    ( response.headers.get ('Content-Security-Policy-Report-Only') )
+    ( headers.get ('Content-Security-Policy-Report-Only') )
 
   server.close ``
   t.end ()

From 7712bee93d98c58beb9609171067d9a41fe8b008 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 12:00:34 -0400
Subject: [PATCH 220/239] Reorder test constants

---
 middleware/policy.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index be22bbb48e8..aca1fef85c3 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -1,5 +1,5 @@
 const
-  { test, fetch, serve }
+  { test, serve, fetch }
     = require ('test')
 
 , { Server }

From ca20bdfb188c39ea22c96c69a6f513879d96311b Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 12:27:08 -0400
Subject: [PATCH 221/239] Rename public/browser-sync.es ->
 public/browser-sync.js

---
 public/{browser-sync.es => browser-sync.js} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename public/{browser-sync.es => browser-sync.js} (100%)

diff --git a/public/browser-sync.es b/public/browser-sync.js
similarity index 100%
rename from public/browser-sync.es
rename to public/browser-sync.js

From c82fb49a4de72d153f88590fc738cc77a0e23734 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Mon, 2 Jul 2018 12:27:41 -0400
Subject: [PATCH 222/239] Rename public/browser-sync.es ->
 public/browser-sync.js

---
 index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.html b/index.html
index c0cc2122078..984c309c010 100644
--- a/index.html
+++ b/index.html
@@ -937,5 +937,5 @@ <h3>Further Learning</h3>
   <em>Copyright &copy; 2018 A <strong>devPunks</strong> project</em>
 </footer>
 
-<script src=/browser-sync.es></script>
+<script src=/browser-sync.js></script>
 

From bb00739cab42ddef575d55b52ed3dfda60053515 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 01:29:42 -0400
Subject: [PATCH 223/239] Refactor test for Content-Security-Policy-Report-Only

---
 middleware/policy.es   | 20 +++++++++++---------
 middleware/policy.test |  9 +++++----
 2 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 5c65a578cb5..b1d4ef41056 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -1,11 +1,9 @@
 // Can actually charge for this feature // https://report-uri.com/#prices
 
-let
-  header    = 'Content-Security-Policy'
-
 const
 //schemes   = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
-  SECURE    = true
+  header    = 'Content-Security-Policy'
+, SECURE    = true
 // Depending on analytics framework,
 // may want to listen for securitypolicyviolation events
 // with JavaScript and collect more information about the client before reporting.
@@ -91,13 +89,17 @@ const
   ]
 
 
-module.exports = async (context, next) => {
+module.exports = async (context, next, policy) => {
+
+  policy = directives.filter (Boolean).join `; `
 
-  // Is this a security breach? Will someone be able to disable CSP with this?
-  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-  'report' in context.request.query && (header += '-Report-Only')
+  context.set ( header, policy)
 
-  context.set ( header, directives.filter (Boolean).join `; ` )
+  'report'
+    // Is this a security breach? Will someone be able to disable CSP with this?
+    in context.request.query
+    && context.set
+     ( `${header}-Report-Only`, policy)
 
   await next (context)
 }
diff --git a/middleware/policy.test b/middleware/policy.test
index aca1fef85c3..3405d67a236 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -19,12 +19,13 @@ test.only ('Content-Security-Policy-Report-Only', async t => {
   , { headers }
       = await fetch ('http://localhost:8181/?report')
 
+  , policy = headers.get ('Content-Security-Policy')
+  , report = headers.get ('Content-Security-Policy-Report-Only')
 
-  t.notOk
-    ( headers.get ('Content-Security-Policy') )
 
-  t.ok
-    ( headers.get ('Content-Security-Policy-Report-Only') )
+  t.ok ( policy )
+  t.ok ( report )
+  t.equals ( policy, report )
 
   server.close ``
   t.end ()

From 6c5d1c1d77824a0cc9cfed75b3822c39b51380b7 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 01:35:14 -0400
Subject: [PATCH 224/239] Assert Content-Security-Policy-Report-Only does not
 exist without querystring parameter ?report

---
 middleware/policy.test | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 3405d67a236..b930ab25aa8 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -16,16 +16,24 @@ test.only ('Content-Security-Policy-Report-Only', async t => {
   const
     server = serve ``
 
-  , { headers }
-      = await fetch ('http://localhost:8181/?report')
-
-  , policy = headers.get ('Content-Security-Policy')
-  , report = headers.get ('Content-Security-Policy-Report-Only')
+  let headers, policy, report
 
+  headers = (await fetch ('http://localhost:8181/?report')).headers
+  report  = headers.get ('Content-Security-Policy-Report-Only')
+  policy  = headers.get ('Content-Security-Policy')
 
+  t.equals ( policy, report )
   t.ok ( policy )
   t.ok ( report )
-  t.equals ( policy, report )
+
+
+  headers = (await fetch ('http://localhost:8181/')).headers
+  report  = headers.get ('Content-Security-Policy-Report-Only')
+  policy  = headers.get ('Content-Security-Policy')
+
+  t.ok ( policy )
+  t.notOk ( report )
+  t.notEquals ( policy, report )
 
   server.close ``
   t.end ()

From d29db84a2744f7979d4f6a036cffa64dcde7a730 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 01:35:35 -0400
Subject: [PATCH 225/239] Refactor policy.es

---
 middleware/policy.es | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index b1d4ef41056..38fe269d5b2 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -96,10 +96,8 @@ module.exports = async (context, next, policy) => {
   context.set ( header, policy)
 
   'report'
-    // Is this a security breach? Will someone be able to disable CSP with this?
     in context.request.query
-    && context.set
-     ( `${header}-Report-Only`, policy)
+    && context.set ( `${header}-Report-Only`, policy)
 
   await next (context)
 }

From 6428879dddcdd542ec5c59b44ef7399640c75051 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 01:38:25 -0400
Subject: [PATCH 226/239] Refactor Content-Security-Policy-Report-Only test

---
 middleware/policy.test | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index b930ab25aa8..9a54697dcd7 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -16,15 +16,16 @@ test.only ('Content-Security-Policy-Report-Only', async t => {
   const
     server = serve ``
 
-  let headers, policy, report
+  let
+    headers, policy, report
 
   headers = (await fetch ('http://localhost:8181/?report')).headers
   report  = headers.get ('Content-Security-Policy-Report-Only')
   policy  = headers.get ('Content-Security-Policy')
 
-  t.equals ( policy, report )
   t.ok ( policy )
   t.ok ( report )
+  t.equals ( policy, report )
 
 
   headers = (await fetch ('http://localhost:8181/')).headers

From 5415743f994cc57d0ed38f5238672b762eb3bacc Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 21:15:54 -0400
Subject: [PATCH 227/239] Add report/README.md

---
 report/README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 report/README.md

diff --git a/report/README.md b/report/README.md
new file mode 100644
index 00000000000..dc5856315f3
--- /dev/null
+++ b/report/README.md
@@ -0,0 +1,8 @@
+# Report
+
+  Used for violation reporting.
+
+
+## Example JSON Payload
+
+  See [index.json](index.json)

From 53fddfba9be87cc82dda4667397a3f21fd5533f0 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 21:16:51 -0400
Subject: [PATCH 228/239] Add MDN link

---
 report/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/report/README.md b/report/README.md
index dc5856315f3..2278c370179 100644
--- a/report/README.md
+++ b/report/README.md
@@ -2,6 +2,8 @@
 
   Used for violation reporting.
 
+  See [MDN Violation Report Syntax](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Violation_report_syntax) For further details.
+
 
 ## Example JSON Payload
 

From 3199f37af3e70b14b0cd0176c6110167ae070183 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 21:18:19 -0400
Subject: [PATCH 229/239] Add report/index.json

---
 report/index.json | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 report/index.json

diff --git a/report/index.json b/report/index.json
new file mode 100644
index 00000000000..ffcd4415b08
--- /dev/null
+++ b/report/index.json
@@ -0,0 +1 @@
+{ }

From 033e3800219eccc51e76b7cf36727658ae484e1e Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 21:23:20 -0400
Subject: [PATCH 230/239] Add sample csp report for report resource

---
 report/index.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/report/index.json b/report/index.json
index ffcd4415b08..8bb9f109f09 100644
--- a/report/index.json
+++ b/report/index.json
@@ -1 +1,9 @@
-{ }
+{
+  "csp-report": {
+    "document-uri": "http://example.com/",
+    "referrer": "",
+    "blocked-uri": "http://example.com/index.css",
+    "violated-directive": "style-src foo.com",
+    "original-policy": "default-src 'none'; style-src foo.com; report-uri /reports/"
+  }
+}

From a33c3b56282e8fa9a60cc4771dcf1b8dbb5a77dd Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 23:41:51 -0400
Subject: [PATCH 231/239] Add Report resource to server

---
 bin/serve.es | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bin/serve.es b/bin/serve.es
index 50942461de4..edf8f80846c 100644
--- a/bin/serve.es
+++ b/bin/serve.es
@@ -6,6 +6,7 @@ const
     = require ('../middleware')
 
 middleware = [
+  route (`/report/`, Resource `/report/`)
   route (`/hello/`, Resource `/resource/fixtures/`)
 , route (`/examples/`, Resource `/examples/`)
 ]

From c4a3610aed75cdb53ce7ccb93d8e230834e633d5 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Tue, 3 Jul 2018 23:42:32 -0400
Subject: [PATCH 232/239] Fix bug with routing system

---
 bin/serve.es | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/serve.es b/bin/serve.es
index edf8f80846c..7c93f26dc35 100644
--- a/bin/serve.es
+++ b/bin/serve.es
@@ -7,7 +7,7 @@ const
 
 middleware = [
   route (`/report/`, Resource `/report/`)
-  route (`/hello/`, Resource `/resource/fixtures/`)
+, route (`/hello/`, Resource `/resource/fixtures/`)
 , route (`/examples/`, Resource `/examples/`)
 ]
 

From ed9da82e1965c82453515c82384cd77157aec04f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 6 Jul 2018 00:10:00 -0400
Subject: [PATCH 233/239] Migrate color palette and style comments to prevent
 CSP error

---
 index.css  | 6 +++++-
 index.html | 2 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/index.css b/index.css
index 9e0acdec87e..946b80710e5 100644
--- a/index.css
+++ b/index.css
@@ -1,3 +1,8 @@
+/*
+  // enough inline styles to paint to fold
+  // Japanese colors - https://en.wikipedia.org/wiki/Traditional_colors_of_Japan#Red.2FViolet_series
+*/
+
 :root {
   --margin: 0 0;
 }
@@ -271,4 +276,3 @@ body > main, body > aside { flex: 1 }
 }
 
 @media (min-width:1300px) { }
-
diff --git a/index.html b/index.html
index 984c309c010..afff2445d70 100644
--- a/index.html
+++ b/index.html
@@ -33,8 +33,6 @@
 
 
 <style>
-// enough inline styles to paint to fold
-// Japanese colors - https://en.wikipedia.org/wiki/Traditional_colors_of_Japan#Red.2FViolet_series
 </style>
 
 <!-- https://www.speedshop.co/2015/10/21/hacking-head-tags-for-speed-and-profit.html -->

From fbfff4474da17f714c0d5114572c0005b9290b30 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 6 Jul 2018 00:11:20 -0400
Subject: [PATCH 234/239] Remove legacy style tag

---
 index.html | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/index.html b/index.html
index afff2445d70..c3fcc8b3b62 100644
--- a/index.html
+++ b/index.html
@@ -16,6 +16,7 @@
   href=/index.css
   rel='preload stylesheet'
 >
+
 <!--
 <link
   as=fetch
@@ -31,10 +32,6 @@
   href=/examples/header-group>
 -->
 
-
-<style>
-</style>
-
 <!-- https://www.speedshop.co/2015/10/21/hacking-head-tags-for-speed-and-profit.html -->
 
 <!-- https://developer.mozilla.org/en-US/docs/Web/HTML/Element/base -->

From e1b761bf4d1dd12bdd62d6a977a63617aa747e01 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 6 Jul 2018 00:35:18 -0400
Subject: [PATCH 235/239] Create specification for child-src as per Changes in
 CSP3

  References:
    - https://www.w3.org/TR/CSP/#changes-from-level-2
---
 middleware/policy.es   |  4 +++-
 middleware/policy.test | 19 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 38fe269d5b2..215c73d2d83 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -22,7 +22,8 @@ const
 , font      = defaults   // font-src
 , media     = defaults   // media-src
 , connect   = defaults   // connect-src
-, frame     = defaults   // frame-src // *DEPRECATED* child-src fallback
+, child     = defaults   // child-src
+, frame     = child      // frame-src
 , worker    = script     // worker-src // script-src fallback
 , object    = ["'none'"] // object-src
 , plugin    = ['audio/*', 'video/*'] // plugin-types when object != 'none'
@@ -58,6 +59,7 @@ const
   , `font-src ${ font.join ` ` }`
   , `media-src ${ media.join ` ` }`
   , `connect-src ${ connect.join ` ` }`
+  , `child-src ${ child.join ` ` }`
   , `frame-src ${ frame.join ` ` }`
   , `worker-src ${ worker.join ` ` }`
   , `object-src ${ object.join ` ` }`
diff --git a/middleware/policy.test b/middleware/policy.test
index 9a54697dcd7..90c859f663c 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -11,7 +11,7 @@ const
 test ('calling next middleware')
 
 
-test.only ('Content-Security-Policy-Report-Only', async t => {
+test ('Content-Security-Policy-Report-Only', async t => {
 
   const
     server = serve ``
@@ -77,6 +77,23 @@ test ('Content-Security-Policy: default-src', async t => {
 })
 
 
+test.only ('Content-Security-Policy: child-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`child-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
 test ('Content-Security-Policy: frame-src', async t => {
 
   const

From 33e1ffe9284c3c336718558529593e7d5e1f8f4f Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 6 Jul 2018 00:41:27 -0400
Subject: [PATCH 236/239] Create specification for manifest-src as per Changes
 in CSP3

  References:
    - https://www.w3.org/TR/CSP/#directive-manifest-src
---
 middleware/policy.es   |  2 ++
 middleware/policy.test | 19 ++++++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/middleware/policy.es b/middleware/policy.es
index 215c73d2d83..8e13db8c7c5 100644
--- a/middleware/policy.es
+++ b/middleware/policy.es
@@ -31,6 +31,7 @@ const
 , form      = defaults   // form-action
 , ancestors = defaults   // frame-ancestors
 
+, manifest  = defaults   // manifest-src
 , base      = defaults   // base-uri
 , sandbox   = defaults ||// sandbox
   [/*
@@ -73,6 +74,7 @@ const
 
 // Document
   , `base-uri ${ base.join ` ` }`
+  , `manifest-src ${ manifest.join ` ` }`
   //  `sandbox  ...` is not supported in the <meta> element
   //  or by the Content-Security-policy-Report-Only header field.
   //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
diff --git a/middleware/policy.test b/middleware/policy.test
index 90c859f663c..a68fbae1f05 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -77,7 +77,24 @@ test ('Content-Security-Policy: default-src', async t => {
 })
 
 
-test.only ('Content-Security-Policy: child-src', async t => {
+test.only ('Content-Security-Policy: manifest-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`manifest-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: child-src', async t => {
 
   const
     server = (new Server).serve ``

From 327f404c6963a8b8bbbdc1ffb75e4ee017718755 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 13 Jul 2018 22:53:46 -0400
Subject: [PATCH 237/239] Refactor Content-Security-Policy-Report-Only

---
 middleware/policy.test | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index a68fbae1f05..a2b364ca165 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -11,21 +11,24 @@ const
 test ('calling next middleware')
 
 
-test ('Content-Security-Policy-Report-Only', async t => {
+test.only ('Content-Security-Policy-Report-Only', async t => {
 
   const
     server = serve ``
 
   let
-    headers, policy, report
+    policy, report
 
-  headers = (await fetch ('http://localhost:8181/?report')).headers
-  report  = headers.get ('Content-Security-Policy-Report-Only')
-  policy  = headers.get ('Content-Security-Policy')
+  , { headers }
+      = (await fetch ('http://localhost:8181/?report'))
+
+  report = headers.get ('Content-Security-Policy-Report-Only')
+  policy = headers.get ('Content-Security-Policy')
 
   t.ok ( policy )
   t.ok ( report )
-  t.equals ( policy, report )
+  t.equals ( report, policy )
+
 
 
   headers = (await fetch ('http://localhost:8181/')).headers
@@ -34,7 +37,6 @@ test ('Content-Security-Policy-Report-Only', async t => {
 
   t.ok ( policy )
   t.notOk ( report )
-  t.notEquals ( policy, report )
 
   server.close ``
   t.end ()
@@ -77,10 +79,10 @@ test ('Content-Security-Policy: default-src', async t => {
 })
 
 
-test.only ('Content-Security-Policy: manifest-src', async t => {
+test ('Content-Security-Policy: manifest-src', async t => {
 
   const
-    server = (new Server).serve ``
+    server = serve ``
 
   , policy
       = (await fetch ('http://localhost:8181/'))

From 9a1e9b504ffddb7f0e157460863f38e689f7e207 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 13 Jul 2018 22:57:14 -0400
Subject: [PATCH 238/239] Refactor Content-Security-Policy-Report-Only and
 Content-Security-Policy into separate specs

---
 middleware/policy.test | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index a2b364ca165..1200ac1778d 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -11,29 +11,36 @@ const
 test ('calling next middleware')
 
 
-test.only ('Content-Security-Policy-Report-Only', async t => {
+test ('Content-Security-Policy-Report-Only', async t => {
 
   const
     server = serve ``
 
-  let
-    policy, report
-
   , { headers }
       = (await fetch ('http://localhost:8181/?report'))
 
-  report = headers.get ('Content-Security-Policy-Report-Only')
-  policy = headers.get ('Content-Security-Policy')
+  , report = headers.get ('Content-Security-Policy-Report-Only')
+  , policy = headers.get ('Content-Security-Policy')
 
   t.ok ( policy )
   t.ok ( report )
   t.equals ( report, policy )
 
+  server.close ``
+  t.end ()
+})
+
+
+test.only ('Content-Security-Policy', async t => {
 
+  const
+    server = serve ``
+
+  , { headers }
+      = (await fetch ('http://localhost:8181/'))
 
-  headers = (await fetch ('http://localhost:8181/')).headers
-  report  = headers.get ('Content-Security-Policy-Report-Only')
-  policy  = headers.get ('Content-Security-Policy')
+  , report = headers.get ('Content-Security-Policy-Report-Only')
+  , policy = headers.get ('Content-Security-Policy')
 
   t.ok ( policy )
   t.notOk ( report )

From 2c78d0297c93c690ddc53a10d690b4363617f510 Mon Sep 17 00:00:00 2001
From: Snuggs <rashaunstovall@gmail.com>
Date: Fri, 13 Jul 2018 22:58:06 -0400
Subject: [PATCH 239/239] Remove only test

---
 middleware/policy.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/policy.test b/middleware/policy.test
index 1200ac1778d..917e407707c 100644
--- a/middleware/policy.test
+++ b/middleware/policy.test
@@ -31,7 +31,7 @@ test ('Content-Security-Policy-Report-Only', async t => {
 })
 
 
-test.only ('Content-Security-Policy', async t => {
+test ('Content-Security-Policy', async t => {
 
   const
     server = serve ``