Struct ContentSecurityPolicy

pub struct ContentSecurityPolicy<'a> { /* private fields */ }

Manages Content-Security-Policy header

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

Examples

use helmet_core::ContentSecurityPolicy;

let content_security_policy = ContentSecurityPolicy::default()
   .child_src(vec!["'self'", "https://youtube.com"])
   .connect_src(vec!["'self'", "https://youtube.com"])
   .default_src(vec!["'self'", "https://youtube.com"])
   .font_src(vec!["'self'", "https://youtube.com"]);

Report only

In report-only mode the browser does not block violating requests; it only sends a report to the specified URI.

Make sure to set the report-to directive.

use helmet_core::ContentSecurityPolicy;

let content_security_policy = ContentSecurityPolicy::default()
   .child_src(vec!["'self'", "https://youtube.com"])
   .report_to(vec!["https://example.com/report"])
   .report_only();

Implementations

impl<'a> ContentSecurityPolicy<'a>


pub fn new() -> Self


pub fn child_src(self, values: Vec<&'a str>) -> Self

child-src: Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.


pub fn connect_src(self, values: Vec<&'a str>) -> Self

connect-src: Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed, the browser emulates a 400 HTTP status code.


pub fn default_src(self, values: Vec<&'a str>) -> Self

default-src: The default policy for loading content such as JavaScript, images, CSS, fonts, AJAX requests, frames and HTML5 media. See the list of directives to see which values are allowed as default.


pub fn font_src(self, values: Vec<&'a str>) -> Self

font-src: Defines valid sources for fonts loaded using @font-face.


pub fn frame_src(self, values: Vec<&'a str>) -> Self

frame-src: Defines valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.


pub fn img_src(self, values: Vec<&'a str>) -> Self

img-src: Defines valid sources of images and favicons.


pub fn manifest_src(self, values: Vec<&'a str>) -> Self

manifest-src: Specifies which manifest can be applied to the resource.


pub fn media_src(self, values: Vec<&'a str>) -> Self

media-src: Defines valid sources for loading media using the <audio> and <video> elements.


pub fn object_src(self, values: Vec<&'a str>) -> Self

object-src: Defines valid sources for the <object>, <embed>, and <applet> elements.


pub fn prefetch_src(self, values: Vec<&'a str>) -> Self

prefetch-src: Specifies which referrer to use when fetching the resource.


pub fn script_src(self, values: Vec<&'a str>) -> Self

script-src: Defines valid sources for JavaScript.


pub fn script_src_elem(self, values: Vec<&'a str>) -> Self

script-src-elem: Defines valid sources for JavaScript inline event handlers.


pub fn script_src_attr(self, values: Vec<&'a str>) -> Self

script-src-attr: Defines valid sources for JavaScript inline event handlers.


pub fn style_src(self, values: Vec<&'a str>) -> Self

style-src: Defines valid sources for stylesheets.


pub fn style_src_elem(self, values: Vec<&'a str>) -> Self

style-src-elem: Defines valid sources for stylesheets inline event handlers.


pub fn style_src_attr(self, values: Vec<&'a str>) -> Self

style-src-attr: Defines valid sources for stylesheets inline event handlers.


pub fn worker_src(self, values: Vec<&'a str>) -> Self

worker-src: Defines valid sources for Worker, SharedWorker, or ServiceWorker scripts.


pub fn base_uri(self, values: Vec<&'a str>) -> Self

base-uri: Restricts the URLs which can be used in a document’s <base> element.


pub fn sandbox(self, values: Vec<&'a str>) -> Self

sandbox: Enables a sandbox for the requested resource, similar to the iframe sandbox attribute. The sandbox applies a same-origin policy, prevents popups and plugins, and blocks script execution. You can leave the sandbox value empty to keep all restrictions in place, or add values: allow-forms, allow-same-origin, allow-scripts, allow-popups, allow-modals, allow-orientation-lock, allow-pointer-lock, allow-presentation, allow-popups-to-escape-sandbox, allow-top-navigation, allow-top-navigation-by-user-activation.


pub fn form_action(self, values: Vec<&'a str>) -> Self

form-action: Restricts the URLs which can be used as the target of form submissions from a given context.


pub fn frame_ancestors(self, values: Vec<&'a str>) -> Self

frame-ancestors: Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.


pub fn report_to(self, values: Vec<&'a str>) -> Self

report-to: Enables reporting of violations.


pub fn require_trusted_types_for(self, values: Vec<&'a str>) -> Self

require-trusted-types-for: Specifies which trusted types are required by a resource.


pub fn trusted_types(self, values: Vec<&'a str>) -> Self

trusted-types: Specifies which trusted types are defined by a resource.


pub fn upgrade_insecure_requests(self) -> Self

Block HTTP requests on insecure elements.


pub fn report_only(self) -> Self

Enable report only mode

When set to true, the Content-Security-Policy-Report-Only header is set instead of Content-Security-Policy.

Defaults to false.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

Trait Implementations

impl<'a> Clone for ContentSecurityPolicy<'a>


fn clone(&self) -> ContentSecurityPolicy<'a>

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Default for ContentSecurityPolicy<'_>


fn default() -> Self

Default policy for the Content-Security-Policy header.

values:

default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
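The default policy above, serialized as the header value the struct emits, parsed and audited by a small checker written for this page (it is not part of helmet_core). The audit encodes the fallback rules the directives above rely on: script-src and object-src fall back to default-src, while base-uri and frame-ancestors do not. DEFAULT_POLICY is constructed sample input copied from the list above.

```rust
use std::collections::BTreeMap;

/// Parse a serialized Content-Security-Policy value into directive name -> sources.
/// Directives are `;`-separated; the first whitespace-separated token is the name.
pub fn parse_csp(value: &str) -> BTreeMap<String, Vec<String>> {
    let mut directives = BTreeMap::new();
    for directive in value.split(';') {
        let mut tokens = directive.split_whitespace();
        if let Some(name) = tokens.next() {
            directives.insert(name.to_ascii_lowercase(), tokens.map(str::to_string).collect());
        }
    }
    directives
}

/// Audit a parsed policy for the settings that most often undo CSP's XSS
/// protection. Returns one line per finding; an empty Vec means none found.
pub fn audit_csp(policy: &BTreeMap<String, Vec<String>>) -> Vec<String> {
    let mut findings = Vec::new();
    // Fetch-type directives fall back to default-src when absent.
    let get = |name: &str| policy.get(name).or_else(|| policy.get("default-src"));
    match get("script-src") {
        None => findings.push("no script-src or default-src: scripts unrestricted".to_string()),
        Some(src) => {
            for weak in ["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"] {
                if src.iter().any(|s| s == weak) {
                    findings.push(format!("script-src allows {}", weak));
                }
            }
        }
    }
    if let Some(src) = get("style-src") {
        if src.iter().any(|s| s == "'unsafe-inline'") {
            findings.push("style-src allows 'unsafe-inline'".to_string());
        }
    }
    // Plugin content (<object>, <embed>) is only blocked by an explicit 'none'.
    if get("object-src").map_or(true, |v| !(v.len() == 1 && v[0] == "'none'")) {
        findings.push("object-src is not 'none'".to_string());
    }
    // base-uri and frame-ancestors do not inherit from default-src.
    for name in ["base-uri", "frame-ancestors"] {
        if !policy.contains_key(name) {
            findings.push(format!("{} missing (does not inherit default-src)", name));
        }
    }
    findings
}

/// Constructed sample input: the documented default policy serialized as a header value.
pub const DEFAULT_POLICY: &str = "default-src 'self'; base-uri 'self'; \
    font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; \
    img-src 'self' data:; object-src 'none'; script-src 'self'; \
    script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; \
    upgrade-insecure-requests";
```

Running the audit over DEFAULT_POLICY yields a single finding, the 'unsafe-inline' in style-src, which is the one relaxation the default keeps.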

impl Display for ContentSecurityPolicy<'_>


fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Into<(&'static str, String)> for ContentSecurityPolicy<'_>


fn into(self) -> Header

Converts this type into the (usually inferred) input type.
