Enum ContentSecurityPolicyDirective

pub enum ContentSecurityPolicyDirective<'a> {
    ChildSrc(Vec<&'a str>),
    ConnectSrc(Vec<&'a str>),
    DefaultSrc(Vec<&'a str>),
    FontSrc(Vec<&'a str>),
    FrameSrc(Vec<&'a str>),
    ImgSrc(Vec<&'a str>),
    ManifestSrc(Vec<&'a str>),
    MediaSrc(Vec<&'a str>),
    ObjectSrc(Vec<&'a str>),
    PrefetchSrc(Vec<&'a str>),
    ScriptSrc(Vec<&'a str>),
    ScriptSrcElem(Vec<&'a str>),
    ScriptSrcAttr(Vec<&'a str>),
    StyleSrc(Vec<&'a str>),
    StyleSrcElem(Vec<&'a str>),
    StyleSrcAttr(Vec<&'a str>),
    WorkerSrc(Vec<&'a str>),
    BaseUri(Vec<&'a str>),
    Sandbox(Vec<&'a str>),
    FormAction(Vec<&'a str>),
    FrameAncestors(Vec<&'a str>),
    ReportTo(Vec<&'a str>),
    RequireTrustedTypesFor(Vec<&'a str>),
    TrustedTypes(Vec<&'a str>),
    UpgradeInsecureRequests,
}

Manages Content-Security-Policy header

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

Directives

  • child-src: Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
  • connect-src: Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed, the browser emulates a 400 HTTP status code.
  • default-src: The default-src is the default policy for loading content such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media. See the list of directives to see which values are allowed as default.
  • font-src: Defines valid sources for fonts loaded using @font-face.
  • frame-src: Defines valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
  • img-src: Defines valid sources of images and favicons.
  • manifest-src: Specifies which manifest can be applied to the resource.
  • media-src: Defines valid sources for loading media using the <audio> and <video> elements.
  • object-src: Defines valid sources for the <object>, <embed>, and <applet> elements.
  • prefetch-src: Specifies which referrer to use when fetching the resource.
  • script-src: Defines valid sources for JavaScript.
  • script-src-elem: Defines valid sources for JavaScript inline event handlers.
  • script-src-attr: Defines valid sources for JavaScript inline event handlers.
  • style-src: Defines valid sources for stylesheets.
  • style-src-elem: Defines valid sources for stylesheets inline event handlers.
  • style-src-attr: Defines valid sources for stylesheets inline event handlers.
  • worker-src: Defines valid sources for Worker, SharedWorker, or ServiceWorker scripts.
  • base-uri: Restricts the URLs which can be used in a document’s <base> element.
  • sandbox: Enables a sandbox for the requested resource similar to the iframe sandbox attribute. The sandbox applies a same-origin policy, prevents popups and plugins, and blocks script execution. You can keep the sandbox value empty to keep all restrictions in place, or add values: allow-forms, allow-same-origin, allow-scripts, allow-popups, allow-modals, allow-orientation-lock, allow-pointer-lock, allow-presentation, allow-popups-to-escape-sandbox, allow-top-navigation, allow-top-navigation-by-user-activation.
  • form-action: Restricts the URLs which can be used as the target of form submissions from a given context.
  • frame-ancestors: Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
  • report-to: Enables reporting of violations.
  • require-trusted-types-for: Specifies which trusted types are required by a resource.
  • trusted-types: Specifies which trusted types are defined by a resource.
  • upgrade-insecure-requests: Block HTTP requests on insecure elements.

Examples

use helmet_core::ContentSecurityPolicy;

let content_security_policy = ContentSecurityPolicy::default()
   .child_src(vec!["'self'", "https://youtube.com"])
   .connect_src(vec!["'self'", "https://youtube.com"])
   .default_src(vec!["'self'", "https://youtube.com"])
   .font_src(vec!["'self'", "https://youtube.com"]);

Variants

ChildSrc(Vec<&'a str>)

Warning: Instead of child-src, if you want to regulate nested browsing contexts and workers, you should use the frame-src and worker-src directives, respectively.

ConnectSrc(Vec<&'a str>)

Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed, the browser emulates a 400 HTTP status code.

DefaultSrc(Vec<&'a str>)

The default-src is the default policy for loading content such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media. See the list of directives to see which values are allowed as default.

FontSrc(Vec<&'a str>)

Defines valid sources for fonts loaded using @font-face.

FrameSrc(Vec<&'a str>)

Defines valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.

ImgSrc(Vec<&'a str>)

Defines valid sources of images and favicons.

ManifestSrc(Vec<&'a str>)

Specifies which manifest can be applied to the resource.

MediaSrc(Vec<&'a str>)

Defines valid sources for loading media using the <audio> and <video> elements.

ObjectSrc(Vec<&'a str>)

Defines valid sources for the <object>, <embed>, and <applet> elements.

PrefetchSrc(Vec<&'a str>)

Specifies which referrer to use when fetching the resource.

ScriptSrc(Vec<&'a str>)

Defines valid sources for JavaScript.

ScriptSrcElem(Vec<&'a str>)

Defines valid sources for JavaScript inline event handlers.

ScriptSrcAttr(Vec<&'a str>)

Defines valid sources for JavaScript inline event handlers.

StyleSrc(Vec<&'a str>)

Defines valid sources for stylesheets.

StyleSrcElem(Vec<&'a str>)

Defines valid sources for stylesheets inline event handlers.

StyleSrcAttr(Vec<&'a str>)

Defines valid sources for stylesheets inline event handlers.

WorkerSrc(Vec<&'a str>)

Defines valid sources for Worker, SharedWorker, or ServiceWorker scripts.

BaseUri(Vec<&'a str>)

Restricts the URLs which can be used in a document’s <base> element.

Sandbox(Vec<&'a str>)

Enables a sandbox for the requested resource similar to the iframe sandbox attribute. The sandbox applies a same-origin policy, prevents popups and plugins, and blocks script execution. You can keep the sandbox value empty to keep all restrictions in place, or add values: allow-forms, allow-same-origin, allow-scripts, allow-popups, allow-modals, allow-orientation-lock, allow-pointer-lock, allow-presentation, allow-popups-to-escape-sandbox, allow-top-navigation, allow-top-navigation-by-user-activation.

FormAction(Vec<&'a str>)

Restricts the URLs which can be used as the target of form submissions from a given context.

FrameAncestors(Vec<&'a str>)

Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.

ReportTo(Vec<&'a str>)

Enables reporting of violations.

report-uri is deprecated; however, it is still supported by browsers that don’t yet support report-to. ReportTo will apply the same values to both report-uri and report-to, to support browsers that support either.

RequireTrustedTypesFor(Vec<&'a str>)

Specifies which trusted types are required by a resource.

TrustedTypes(Vec<&'a str>)

Specifies which trusted types are defined by a resource.

UpgradeInsecureRequests

Block HTTP requests on insecure elements.
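The directive list above describes what each variant controls, and the ReportTo note states that one variant is serialised as two header entries (report-uri and report-to with the same values). The following is an added example, not helmet_core's own code: it mirrors a subset of the enum under the hypothetical name `Directive`, renders a list of directives into a Content-Security-Policy header value, and runs a small review over the result that flags the weaknesses a defender checks first (an `'unsafe-inline'` or wildcard script-src, and missing object-src, base-uri and frame-ancestors, since base-uri and frame-ancestors do not fall back to default-src). The `; ` separator, the valueless `sandbox` and `upgrade-insecure-requests` forms and the finding strings are this example's assumptions; helmet_core's actual output may differ in detail.

```rust
// Added example, not helmet_core's code. `Directive` is a hypothetical stand-in
// for a subset of helmet_core::ContentSecurityPolicyDirective.
#[derive(Debug, Clone, PartialEq)]
pub enum Directive<'a> {
    DefaultSrc(Vec<&'a str>),
    ScriptSrc(Vec<&'a str>),
    ObjectSrc(Vec<&'a str>),
    BaseUri(Vec<&'a str>),
    FrameAncestors(Vec<&'a str>),
    Sandbox(Vec<&'a str>),
    ReportTo(Vec<&'a str>),
    UpgradeInsecureRequests,
}

impl<'a> Directive<'a> {
    /// Serialise one variant as `name value value ...`. A valueless `sandbox`
    /// keeps every restriction and `upgrade-insecure-requests` carries no value.
    /// `ReportTo` yields two entries, as the crate docs describe: the same
    /// values go to the deprecated `report-uri` and to `report-to`.
    fn render(&self) -> Vec<String> {
        fn join(name: &str, values: &[&str]) -> String {
            if values.is_empty() {
                name.to_string()
            } else {
                format!("{} {}", name, values.join(" "))
            }
        }
        match self {
            Directive::DefaultSrc(v) => vec![join("default-src", v)],
            Directive::ScriptSrc(v) => vec![join("script-src", v)],
            Directive::ObjectSrc(v) => vec![join("object-src", v)],
            Directive::BaseUri(v) => vec![join("base-uri", v)],
            Directive::FrameAncestors(v) => vec![join("frame-ancestors", v)],
            Directive::Sandbox(v) => vec![join("sandbox", v)],
            Directive::ReportTo(v) => vec![join("report-uri", v), join("report-to", v)],
            Directive::UpgradeInsecureRequests => vec!["upgrade-insecure-requests".to_string()],
        }
    }
}

/// Build the full header value: directives separated by `; ` (assumed format).
pub fn header_value(directives: &[Directive<'_>]) -> String {
    directives
        .iter()
        .flat_map(|d| d.render())
        .collect::<Vec<_>>()
        .join("; ")
}

/// Review a policy for common weaknesses. Findings are short fixed strings so
/// callers can assert on or log them.
pub fn lint(directives: &[Directive<'_>]) -> Vec<&'static str> {
    let mut findings = Vec::new();
    let (mut has_default, mut has_object, mut has_base, mut has_ancestors) =
        (false, false, false, false);
    for d in directives {
        match d {
            Directive::DefaultSrc(_) => has_default = true,
            Directive::ObjectSrc(_) => has_object = true,
            Directive::BaseUri(_) => has_base = true,
            Directive::FrameAncestors(_) => has_ancestors = true,
            Directive::ScriptSrc(v) => {
                if v.iter().any(|s| *s == "'unsafe-inline'") {
                    findings.push("script-src allows 'unsafe-inline'");
                }
                if v.iter().any(|s| *s == "'unsafe-eval'") {
                    findings.push("script-src allows 'unsafe-eval'");
                }
                if v.iter().any(|s| *s == "*" || *s == "https:") {
                    findings.push("script-src allows a wildcard source");
                }
            }
            _ => {}
        }
    }
    // object-src falls back to default-src; base-uri and frame-ancestors do not,
    // so a policy that omits them leaves <base> injection and framing unrestricted.
    if !has_default { findings.push("no default-src fallback"); }
    if !has_object { findings.push("object-src not set"); }
    if !has_base { findings.push("base-uri not set"); }
    if !has_ancestors { findings.push("frame-ancestors not set"); }
    findings
}

fn main() {
    // Constructed sample policy: a reasonable baseline with reporting enabled.
    let policy = vec![
        Directive::DefaultSrc(vec!["'self'"]),
        Directive::ScriptSrc(vec!["'self'"]),
        Directive::ObjectSrc(vec!["'none'"]),
        Directive::BaseUri(vec!["'self'"]),
        Directive::FrameAncestors(vec!["'none'"]),
        Directive::ReportTo(vec!["/csp-report"]),
        Directive::UpgradeInsecureRequests,
    ];
    println!("Content-Security-Policy: {}", header_value(&policy));
    for f in lint(&policy) {
        println!("finding: {}", f);
    }
}
```

Run it and the baseline policy produces no findings; replace the script-src values with `["'self'", "'unsafe-inline'"]` and drop `BaseUri` to see how the review reports each gap separately.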

Implementations

impl<'a> ContentSecurityPolicyDirective<'a>

pub fn child_src(values: Vec<&'a str>) -> Self

child-src: Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and