
tessl/npm-koa-helmet

Security header middleware collection for Koa applications that wraps Helmet.js


evals/scenario-10/task.md

Cross-Domain Policy Configuration API

Summary

Build a Koa application that provides an API for managing cross-domain policy settings for different content types. The application should allow administrators to configure security policies that control whether legacy browser plugins (like Adobe Flash and PDF readers) can load content from the domain.

Requirements

Core Functionality

  1. Policy Configuration Endpoint

    • Create a POST endpoint /api/policy/configure that accepts a policy setting
    • The endpoint should accept a JSON body with a policy field
    • Valid policy values are: "none", "master-only", "by-content-type", and "all"
    • Apply the specified policy to all subsequent requests to the application
    • Return a JSON response confirming the policy was set
  2. Policy Status Endpoint

    • Create a GET endpoint /api/policy/status that returns the currently active policy
    • Return the policy name as a JSON response
  3. Content Delivery Endpoints

    • Create a GET endpoint /content/document that serves a simple text response: "Document content"
    • Create a GET endpoint /content/media that serves a simple text response: "Media content"
    • Both endpoints should respect the configured cross-domain policy
  4. Default Security

    • The application should start with the most restrictive cross-domain policy by default
    • All content endpoints should have the appropriate security headers applied

Technical Requirements

  • Use Koa framework (version 2.x or 3.x)
  • Implement proper error handling for invalid policy values
  • The policy configuration should apply dynamically without requiring a server restart
  • Return appropriate HTTP status codes (200 for success, 400 for invalid input)
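One way to satisfy the requirements above, as an added example that is not code from the task or from koa-helmet: a validated policy store, a Koa-style (ctx, next) middleware that writes X-Permitted-Cross-Domain-Policies from that store on every response, and a small route table. It assumes a body parser has already populated ctx.request.body, and the request() helper builds a constructed stand-in for Koa's ctx so the file runs without Koa installed.

```javascript
// Added example, not code from the task or koa-helmet. Assumptions: a body parser has
// filled ctx.request.body; request() builds a constructed stand-in for Koa's ctx.
const VALID_POLICIES = new Set(['none', 'master-only', 'by-content-type', 'all']);
const HEADER = 'X-Permitted-Cross-Domain-Policies';

// Start at the most restrictive policy; changed only through setPolicy().
const state = { policy: 'none' };

function setPolicy(value) {
  if (typeof value !== 'string' || !VALID_POLICIES.has(value)) {
    const allowed = [...VALID_POLICIES].join(', ');
    return { status: 400, body: { error: `invalid policy, expected one of: ${allowed}` } };
  }
  state.policy = value;
  return { status: 200, body: { message: 'policy set', policy: value } };
}

// helmet.permittedCrossDomainPolicies({ permittedPolicies }) fixes its value when the
// middleware is built, so for a policy that changes at runtime the header is written
// directly from the shared state on every response, before the route handler runs.
async function crossDomainPolicy(ctx, next) {
  ctx.set(HEADER, state.policy);
  await next();
}

// Router stand-in for the four endpoints the task specifies.
const ROUTES = {
  'POST /api/policy/configure': (ctx) => setPolicy(ctx.request.body && ctx.request.body.policy),
  'GET /api/policy/status': () => ({ status: 200, body: { policy: state.policy } }),
  'GET /content/document': () => ({ status: 200, body: 'Document content' }),
  'GET /content/media': () => ({ status: 200, body: 'Media content' }),
};

async function routes(ctx) {
  const handler = ROUTES[`${ctx.method} ${ctx.path}`];
  const r = handler ? handler(ctx) : { status: 404, body: { error: 'not found' } };
  ctx.status = r.status;
  ctx.body = r.body;
}

// Constructed minimal Koa-like context; runs the middleware chain in Koa order.
async function request(method, path, body) {
  const ctx = { method, path, request: { body }, status: 404, body: undefined, headers: {},
    set(name, value) { this.headers[name.toLowerCase()] = value; } };
  await crossDomainPolicy(ctx, () => routes(ctx));
  return ctx;
}
```

In a real Koa application the same functions are mounted with app.use(crossDomainPolicy) ahead of the body parser and the @koa/router routes, so the header is present on every response including 400s.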

Dependencies

koa

Web framework for Node.js.

koa-helmet

Security header middleware for Koa applications.

@koa/router

Router middleware for Koa.

Test Cases

Test 1: Default Policy @test

File: server.test.js

Description: Verify that the application starts with the most restrictive cross-domain policy.

Steps:

  1. Start the server without any configuration
  2. Make a GET request to /content/document
  3. Check the response headers

Expected: The response should include an X-Permitted-Cross-Domain-Policies header with value none.

Test 2: Policy Configuration @test

File: server.test.js

Description: Verify that the policy can be changed via the configuration endpoint.

Steps:

  1. Start the server
  2. POST to /api/policy/configure with body {"policy": "master-only"}
  3. Make a GET request to /content/document
  4. Check the response headers

Expected:

  • The POST request should return a 200 status with a confirmation message
  • The subsequent GET request should include an X-Permitted-Cross-Domain-Policies header with value master-only

Test 3: Invalid Policy Rejection @test

File: server.test.js

Description: Verify that invalid policy values are rejected.

Steps:

  1. Start the server
  2. POST to /api/policy/configure with body {"policy": "invalid-value"}

Expected: The request should return a 400 status code with an error message.

Test 4: Policy Status Reporting @test

File: server.test.js

Description: Verify that the current policy can be retrieved.

Steps:

  1. Start the server
  2. POST to /api/policy/configure with body {"policy": "by-content-type"}
  3. GET from /api/policy/status

Expected: The status endpoint should return a JSON response containing the current policy: {"policy": "by-content-type"}.

Install with Tessl CLI

npx tessl i tessl/npm-koa-helmet
