Struct kvarn::csp::Rule

pub struct Rule { /* private fields */ }

A rule for CSP which covers all directives.

Implementations

impl Rule

pub fn empty() -> Self

Creates a new, empty CSP rule. Consider using Self::default to get sensible defaults, which include default-src 'self'. An empty rule means that no CSP header is sent.

Populate it with the various directive methods.

pub fn child_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Fallback for frame-src and worker-src.

Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.

pub fn connect_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Restricts the URLs which can be loaded using script interfaces.

pub fn default_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Serves as a fallback for the other fetch directives.

pub fn font_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for fonts loaded using @font-face.

pub fn frame_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.

pub fn img_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources of images and favicons.

pub fn manifest_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources of application manifest files.

pub fn media_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for loading media using the <audio>, <video> and <track> elements.

pub fn object_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for the <object>, <embed>, and <applet> elements.

Note: Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and are not receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch directive (e.g., explicitly set object-src 'none' if possible).

pub fn prefetch_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources to be prefetched or prerendered.

pub fn script_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Fallback for all script_*.

Specifies valid sources for JavaScript.

pub fn script_src_elem(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for JavaScript <script> elements.

pub fn script_src_attr(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for JavaScript inline event handlers.

pub fn style_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Fallback for all style_*.

Specifies valid sources for stylesheets.

pub fn style_src_elem(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".

pub fn style_src_attr(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for inline styles applied to individual DOM elements.

pub fn worker_src(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

pub fn base_uri(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Restricts the URLs which can be used in a document’s <base> element.

pub fn sandbox(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Enables a sandbox for the requested resource similar to the <iframe> sandbox attribute.

pub fn form_action(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Restricts the URLs which can be used as the target of form submissions from a given context.

pub fn frame_ancestors(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.

pub fn navigate_to(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Restricts the URLs to which a document can initiate navigation by any means, including <form> (if form-action is not specified), <a>, window.location, window.open, etc.

pub fn report(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

Use CspValue::Uri as value to supply the path of the violation report endpoint.

pub fn require_sri_for(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Requires the use of SRI for scripts or styles on the page.

pub fn require_trusted_types_for(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Enforces Trusted Types at the DOM XSS injection sinks.

pub fn trusted_types(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Used to specify an allow-list of Trusted Types policies. Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings.

pub fn upgrade_insecure_requests(self, values: ValueSet) -> Self

Overrides the directive described below. By default, Kvarn protects against XSS attacks by sending some defaults.

Panics

May panic if CspValue::Uri contains invalid bytes.

Info

Instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.

pub fn string(self, csp_directive_name: impl Into<String>, values: ValueSet) -> Self

Adds a CSP directive with a name not currently tracked by Kvarn. This exists to be able to add new CSP directives before Kvarn adds options for them.

Panics

May panic if CspValue::Uri contains invalid bytes.

pub fn to_header(&self) -> Option<HeaderValue>

Returns None if all the directives are empty. Else, returns a list of all directives and their values.

pub fn to_header_nonce(&self, nonce: Option<&HeaderValue>) -> Option<HeaderValue>

Returns None if all the directives are empty. Else, returns a list of all directives and their values.

This also takes an optional nonce to be applied. If it is supplied, a nonce-<random 128-bit value encoded using Base64> is added to Self::script_src, Self::script_src_elem, Self::style_src, and Self::style_src_elem.

Warnings

Warns (log) if nonce is not valid UTF-8. It should be encoded in Base64!

Trait Implementations

impl Clone for Rule

fn clone(&self) -> Rule

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Rule

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for Rule

Gives content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'.

fn default() -> Self

Returns the “default value” for a type.
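
The fallback notes on child_src, default_src, script_src and style_src determine what the default policy (default-src 'self'; style-src 'self' 'unsafe-inline') actually covers. The stand-alone resolver below is an added example, not part of Kvarn or its documentation, that reports which directive governs each capability under a given header value. The names Policy, parse_policy, fallback_chain and effective are made up for this example, and the fallback table is a simplification condensed from CSP Level 3.

```rust
use std::collections::HashMap;

type Policy = HashMap<String, Vec<String>>; // directive name -> source list

/// Parse a CSP header value. A repeated directive is ignored (first one wins).
fn parse_policy(header: &str) -> Policy {
    let mut policy = Policy::new();
    for part in header.split(';') {
        let mut tokens = part.split_ascii_whitespace();
        if let Some(name) = tokens.next() {
            let name = name.to_ascii_lowercase();
            policy.entry(name).or_insert_with(|| tokens.map(str::to_string).collect());
        }
    }
    policy
}

/// Simplified fallback order (assumption: condensed from CSP Level 3).
/// Directives that are not fetch directives never fall back to default-src.
fn fallback_chain(directive: &str) -> Vec<&str> {
    match directive {
        "script-src-elem" | "script-src-attr" => vec![directive, "script-src", "default-src"],
        "style-src-elem" | "style-src-attr" => vec![directive, "style-src", "default-src"],
        "worker-src" => vec![directive, "child-src", "script-src", "default-src"],
        "frame-src" => vec![directive, "child-src", "default-src"],
        "child-src" | "connect-src" | "font-src" | "img-src" | "manifest-src" | "media-src"
        | "object-src" | "prefetch-src" | "script-src" | "style-src" => vec![directive, "default-src"],
        _ => vec![directive], // base-uri, form-action, frame-ancestors, sandbox, ...
    }
}

/// Directive that actually governs `directive`, with its sources; None = unrestricted.
fn effective<'a>(policy: &'a Policy, directive: &str) -> Option<(&'a str, &'a [String])> {
    fallback_chain(directive)
        .into_iter()
        .find_map(|name| policy.get_key_value(name))
        .map(|(k, v)| (k.as_str(), v.as_slice()))
}

fn main() {
    // The policy this page documents for `Rule::default()`.
    let policy = parse_policy("default-src 'self'; style-src 'self' 'unsafe-inline'");
    for d in ["script-src-elem", "worker-src", "style-src-attr", "form-action", "frame-ancestors"] {
        match effective(&policy, d) {
            Some((by, src)) => println!("{d:<16} <- {by}: {}", src.join(" ")),
            None => println!("{d:<16} not restricted by this policy"),
        }
    }
}
```

For the default policy, form-action, frame-ancestors and base-uri come back unrestricted because default-src does not cover them; set them explicitly with the matching Rule methods when the site needs those protections.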

impl From<Rule> for ComputedRule

fn from(value: Rule) -> Self

Converts to this type from the input type.

Auto Trait Implementations

impl RefUnwindSafe for Rule

impl Send for Rule

impl Sync for Rule

impl Unpin for Rule

impl UnwindSafe for Rule
