Fix: Allow CSP headers for scripts.

Fix webhintio#2349

packages/hint-no-html-only-headers/src/hint.ts

@@ -101,7 +101,12 @@ export default class NoHtmlOnlyHeadersHint implements IHint {
             }
 
             if (!willBeTreatedAsHTML(response)) {
-                const headers: string[] = includedHeaders(response.headers, unneededHeaders);
+                let headersToValidate: string[] = unneededHeaders;
+
+                if (response.mediaType === 'text/javascript') {
+                    headersToValidate = mergeIgnoreIncludeArrays(headersToValidate, ['content-security-policy', 'x-content-security-policy'], []);
+                }
+                const headers: string[] = includedHeaders(response.headers, headersToValidate);
                 const numberOfHeaders: number = headers.length;
 
                 if (numberOfHeaders > 0) {

packages/hint-no-html-only-headers/tests/tests.ts

@@ -13,24 +13,6 @@ const generateMessage = (values: string[]): string => {
 const testsForDefaults: HintTest[] = [
     {
         name: `Non HTML resource is served without unneeded headers`,
-        serverConfig: {
-            '/': {
-                content: htmlPage,
-                headers: {
-                    'Content-Type': 'text/html; charset=utf-8',
-                    'X-Frame-Options': 'SAMEORIGIN'
-                }
-            },
-            '/test.js': { headers: { 'Content-Type': 'application/javascript; charset=utf-8' } }
-        }
-    },
-    {
-        name: `Non HTML resource is specified as a data URI`,
-        serverConfig: { '/': generateHTMLPage(undefined, '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==">') }
-    },
-    {
-        name: `Non HTML resource is served with unneeded header`,
-        reports: [{ message: generateMessage(['content-security-policy']) }],
         serverConfig: {
             '/': {
                 content: htmlPage,
@@ -47,14 +29,16 @@ const testsForDefaults: HintTest[] = [
             }
         }
     },
+    {
+        name: `Non HTML resource is specified as a data URI`,
+        serverConfig: { '/': generateHTMLPage(undefined, '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==">') }
+    },
     {
         name: `Non HTML resource is served with multiple unneeded headers`,
         reports: [
             {
                 message: generateMessage([
-                    'content-security-policy',
                     'feature-policy',
-                    'x-content-security-policy',
                     'x-frame-options',
                     'x-ua-compatible',
                     'x-webkit-csp',
@@ -159,7 +143,6 @@ const testsForIncludeConfigs: HintTest[] = [
         reports: [
             {
                 message: generateMessage([
-                    'content-security-policy',
                     'x-test-1',
                     'x-ua-compatible'
                 ])
@@ -193,7 +176,6 @@ const testsForConfigs: HintTest[] = [
         reports: [
             {
                 message: generateMessage([
-                    'content-security-policy',
                     'x-test-1',
                     'x-ua-compatible'
                 ])
@@ -223,8 +205,8 @@ const testsForConfigs: HintTest[] = [
 ];
 
 testHint(hintPath, testsForDefaults);
-testHint(hintPath, testsForIgnoreConfigs, { hintOptions: { ignore: ['Content-Security-Policy', 'X-UA-Compatible', 'X-Test-1'] } });
-testHint(hintPath, testsForIncludeConfigs, { hintOptions: { include: ['Content-Security-Policy', 'X-Test-1', 'X-Test-2'] } });
+testHint(hintPath, testsForIgnoreConfigs, { hintOptions: { ignore: ['X-UA-Compatible', 'X-Test-1'] } });
+testHint(hintPath, testsForIncludeConfigs, { hintOptions: { include: ['X-Test-1', 'X-Test-2'] } });
 testHint(hintPath, testsForConfigs, {
     hintOptions: {
         ignore: ['X-Frame-Options', 'X-Test-2', 'X-Test-3'],