pub struct Rule { /* private fields */ }
A rule for CSP which covers all directives.
Implementations
impl Rule
pub fn empty() -> Self
Creates a new, empty CSP rule.
Consider using Self::default to get sensible defaults, which include default-src 'self'.
An empty rule means NO CSP header being sent.
Populate it with the various directive methods.
pub fn child_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Fallback for frame-src and worker-src.
Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
pub fn connect_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Restricts the URLs which can be loaded using script interfaces.
pub fn default_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Serves as a fallback for the other fetch directives.
pub fn font_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources for fonts loaded using @font-face.
pub fn frame_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
pub fn img_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources of images and favicons.
pub fn manifest_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources of application manifest files.
pub fn media_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources for loading media using the <audio>, <video> and <track> elements.
pub fn object_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources for the <object>, <embed>, and <applet> elements.
Note: Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and are not receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch-directive (e.g., explicitly set object-src 'none' if possible).
pub fn prefetch_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources to be prefetched or prerendered.
pub fn script_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Fallback for all script_*.
Specifies valid sources for JavaScript.
pub fn script_src_elem(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources for JavaScript <script> elements.
pub fn script_src_attr(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources for JavaScript inline event handlers.
pub fn style_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Fallback for all style_*.
Specifies valid sources for stylesheets.
pub fn style_src_elem(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".
pub fn style_src_attr(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources for inline styles applied to individual DOM elements.
pub fn worker_src(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
pub fn base_uri(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Restricts the URLs which can be used in a document’s <base> element.
pub fn sandbox(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Enables a sandbox for the requested resource similar to the <iframe> sandbox attribute.
pub fn form_action(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Restricts the URLs which can be used as the target of form submissions from a given context.
pub fn frame_ancestors(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Restricts the URLs to which a document can initiate navigation by any means, including <form> (if form-action is not specified), <a>, window.location, window.open, etc.
pub fn report(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.
Use CspValue::Uri as the value to supply the path of the violation report endpoint.
pub fn require_sri_for(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Requires the use of SRI for scripts or styles on the page.
pub fn require_trusted_types_for(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Enforces Trusted Types at the DOM XSS injection sinks.
pub fn trusted_types(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Used to specify an allow-list of Trusted Types policies. Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings.
pub fn upgrade_insecure_requests(self, values: ValueSet) -> Self
Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.
Panics
May panic if CspValue::Uri contains invalid bytes.
Info
Instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.
pub fn string(self, csp_directive_name: impl Into<String>, values: ValueSet) -> Self
Adds a CSP directive with a name not currently tracked by Kvarn. This exists to be able to add new CSP directives before Kvarn adds options for them.
Panics
May panic if CspValue::Uri contains invalid bytes.
pub fn to_header(&self) -> Option<HeaderValue>
Returns None if all the directives are empty. Else, returns a list of all directives and their values.
pub fn to_header_nonce(&self, nonce: Option<&HeaderValue>) -> Option<HeaderValue>
Returns None if all the directives are empty. Else, returns a list of all directives and their values.
This also takes an optional nonce to be applied.
If it is supplied, a nonce-<random 128-bit value encoded using Base64> is added to Self::script_src, Self::script_src_elem, Self::style_src, and Self::style_src_elem.
Warnings
Warns (log) if nonce is not valid UTF-8. It should be encoded in Base64!
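The to_header and to_header_nonce behaviour documented above, as an added stand-alone model rather than Kvarn's own code: a directive-to-values map serialised into the CSP header grammar, None when every directive is empty, and the nonce appended to the four script/style directives. Assumed here: the nonce is only appended to directives already set on the rule, and the Base64 check validates the alphabet only.

```rust
// Added stand-alone model of the Rule semantics above; it is not Kvarn's own code.
// Assumption: the nonce is appended only to script/style directives already set.
use std::collections::BTreeMap;
#[derive(Default, Debug, Clone)]
pub struct Rule {
    directives: BTreeMap<String, Vec<String>>, // directive name -> source values
}
impl Rule {
    /// Empty rule: `to_header` yields `None`, so no CSP header is sent.
    pub fn empty() -> Self { Self::default() }
    /// Baseline matching the documented default of `default-src 'self'`.
    pub fn defaults() -> Self {
        Self::empty().directive("default-src", &["'self'"])
    }
    /// Sets (overrides) one directive; an empty value list unsets it.
    pub fn directive(mut self, name: &str, values: &[&str]) -> Self {
        let vals = values.iter().map(|v| v.to_string()).collect();
        self.directives.insert(name.to_string(), vals);
        self
    }
    /// `None` if every directive is empty, else "name v1 v2; name2 v3".
    pub fn to_header(&self) -> Option<String> {
        self.to_header_nonce(None)
    }
    /// Same, but appends 'nonce-<value>' to script-src, script-src-elem,
    /// style-src and style-src-elem. Logs a warning for a non-Base64 nonce.
    pub fn to_header_nonce(&self, nonce: Option<&str>) -> Option<String> {
        if let Some(n) = nonce.filter(|n| !nonce_is_base64(n)) {
            eprintln!("warning: CSP nonce {n:?} is not Base64");
        }
        const NONCED: [&str; 4] = ["script-src", "script-src-elem", "style-src", "style-src-elem"];
        let parts: Vec<String> = self.directives.iter()
            .filter(|(_, v)| !v.is_empty())
            .map(|(name, values)| {
                let mut vals = values.clone();
                if let Some(n) = nonce.filter(|_| NONCED.contains(&name.as_str())) {
                    vals.push(format!("'nonce-{n}'"));
                }
                format!("{name} {}", vals.join(" "))
            })
            .collect();
        if parts.is_empty() { None } else { Some(parts.join("; ")) }
    }
}
/// Shape check only (std has no Base64 decoder): Base64 alphabet plus '=' padding.
pub fn nonce_is_base64(n: &str) -> bool {
    !n.is_empty() && n.bytes().all(|b| b.is_ascii_alphanumeric() || b"+/=".contains(&b))
}
```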