Struct kvarn::csp::Rule

pub struct Rule { /* private fields */ }

A rule for CSP which covers all directives.

Implementations

Creates a new, empty CSP rule. Consider using Self::default to get sensible defaults, which include default-src 'self'. An empty rule means NO CSP header being sent.

Populate it with the various directive methods.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Fallback for frame-src and worker-src.

Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Restricts the URLs which can be loaded using script interfaces

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Serves as a fallback for the other fetch directives.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for fonts loaded using @font-face.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources of images and favicons.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources of application manifest files.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for loading media using the <audio>, <video> and <track> elements.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for the <object>, <embed>, and <applet> elements.

Note: Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and are not receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch-directive (e.g., explicitly set object-src 'none' if possible).

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources to be prefetched or prerendered.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Fallback for all script_*.

Specifies valid sources for JavaScript.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for JavaScript <script> elements.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for JavaScript inline event handlers.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Fallback for all style_*.

Specifies valid sources for stylesheets.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for inline styles applied to individual DOM elements.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Restricts the URLs which can be used in a document’s <base> element.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Enables a sandbox for the requested resource similar to the <iframe> sandbox attribute.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Restricts the URLs which can be used as the target of form submissions from a given context.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Restricts the URLs to which a document can initiate navigation by any means, including <form> (if form-action is not specified), <a>, window.location, window.open, etc.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

Use CspValue::Uri as value to supply the path of the violation report endpoint.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Requires the use of SRI for scripts or styles on the page.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Enforces Trusted Types at the DOM XSS injection sinks.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Used to specify an allow-list of Trusted Types policies. Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings.

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.

Adds a CSP directive with a name not currently tracked by Kvarn. This exists to be able to add new CSP directives before Kvarn adds options for them.

Panics

May panic if CspValue::Uri contains invalid bytes.

Returns None if all the directives are empty. Else, returns a list of all directives and their values.

Returns None if all the directives are empty. Else, returns a list of all directives and their values.

This also takes an optional nonce to be applied. If it is supplied, a nonce-<random 128-bit value encoded using Base64> is added to Self::script_src, Self::script_src_elem, Self::style_src, and Self::style_src_elem.

Warnings

Warns (log) if nonce is not valid UTF-8. It should be encoded in Base64!

Trait Implementations

Returns a copy of the value.
Performs copy-assignment from source.
Formats the value using the given formatter.

Gives content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'.

Returns the “default value” for a type.
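
The fallback relationships noted above (child-src for frame-src and worker-src, script-src and style-src for their -elem and -attr variants, default-src for the other fetch directives) decide what the default header actually restricts. The following added example is not Kvarn code: it uses only the standard library, follows the CSP Level 3 fallback order, and its function names are hypothetical.

```rust
use std::collections::HashMap;

type Policy = HashMap<String, Vec<String>>;

/// Parse a CSP header value; per the CSP spec the first occurrence of a directive wins.
fn parse_csp(value: &str) -> Policy {
    let mut policy = Policy::new();
    for part in value.split(';') {
        let mut tokens = part.split_ascii_whitespace();
        if let Some(name) = tokens.next() {
            policy.entry(name.to_ascii_lowercase())
                .or_insert_with(|| tokens.map(str::to_owned).collect());
        }
    }
    policy
}

/// Directives consulted, in order, when the browser enforces `directive` (CSP Level 3).
fn fallback_chain(directive: &str) -> Vec<&str> {
    // Not fetch directives: default-src never applies to these.
    const NO_FALLBACK: [&str; 6] =
        ["base-uri", "form-action", "frame-ancestors", "navigate-to", "sandbox", "report-uri"];
    let mut chain = vec![directive];
    match directive {
        "script-src-elem" | "script-src-attr" => chain.push("script-src"),
        "style-src-elem" | "style-src-attr" => chain.push("style-src"),
        "frame-src" => chain.push("child-src"),
        "worker-src" => { chain.push("child-src"); chain.push("script-src"); }
        _ => {}
    }
    if directive != "default-src" && !NO_FALLBACK.iter().any(|d| *d == directive) {
        chain.push("default-src");
    }
    chain
}

/// The directive that actually governs `directive`, with its sources; None = unrestricted.
fn effective<'a>(policy: &'a Policy, directive: &str) -> Option<(&'a str, &'a [String])> {
    fallback_chain(directive).into_iter()
        .find_map(|name| policy.get_key_value(name))
        .map(|(k, v)| (k.as_str(), v.as_slice()))
}

fn main() {
    // Header value the page gives for the Default implementation.
    let policy = parse_csp("default-src 'self'; style-src 'self' 'unsafe-inline'");
    for d in ["script-src-elem", "style-src-attr", "worker-src", "object-src", "base-uri", "form-action"] {
        match effective(&policy, d) {
            Some((by, src)) => println!("{d:<16} governed by {by}: {}", src.join(" ")),
            None => println!("{d:<16} unrestricted (no fallback, not set)"),
        }
    }
}
```

With the default header, base-uri and form-action resolve to no governing directive because default-src does not apply to them, so they have to be set explicitly if they should be restricted.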

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self.
Immutably borrows from an owned value.
Mutably borrows from an owned value.

Returns the argument unchanged.

Instruments this type with the provided Span, returning an Instrumented wrapper.
Instruments this type with the current Span, returning an Instrumented wrapper.

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Should always be Self
The resulting type after obtaining ownership.
Creates owned data from borrowed data, usually by cloning.
Uses borrowed data to replace owned data, usually by cloning.
The type returned in the event of a conversion error.
Performs the conversion.
The type returned in the event of a conversion error.
Performs the conversion.
Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.
Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.