Skip to main content
Module

x/fresh/src/runtime/csp.ts

The next-gen web framework.
denoland/fresh
Extremely Popular
Go to Latest
File
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141
import { createContext } from "preact";import { useContext } from "preact/hooks";
export const SELF = "'self'";export const UNSAFE_INLINE = "'unsafe-inline'";export const UNSAFE_EVAL = "'unsafe-eval'";export const UNSAFE_HASHES = "'unsafe-hashes'";export const NONE = "'none'";export const STRICT_DYNAMIC = "'strict-dynamic'";
export function nonce(val: string) {  return `'nonce-${val}'`;}
export interface ContentSecurityPolicy {  directives: ContentSecurityPolicyDirectives;  reportOnly: boolean;}
export interface ContentSecurityPolicyDirectives {  // Fetch directives  /**   * Defines the valid sources for web workers and nested browsing contexts   * loaded using elements such as <frame> and <iframe>.   */  childSrc?: string[];  /**   * Restricts the URLs which can be loaded using script interfaces.   */  connectSrc?: string[];  /**   * Serves as a fallback for the other fetch directives.   */  defaultSrc?: string[];  /**   * Specifies valid sources for fonts loaded using @font-face.   */  fontSrc?: string[];  /**   * Specifies valid sources for nested browsing contexts loading using elements   * such as <frame> and <iframe>.   */  frameSrc?: string[];  /**   * Specifies valid sources of images and favicons.   */  imgSrc?: string[];  /**   * Specifies valid sources of application manifest files.   */  manifestSrc?: string[];  /**   * Specifies valid sources for loading media using the <audio> , <video> and   * <track> elements.   */  mediaSrc?: string[];  /**   * Specifies valid sources for the <object>, <embed>, and <applet> elements.   */  objectSrc?: string[];  /**   * Specifies valid sources to be prefetched or prerendered.   */  prefetchSrc?: string[];  /**   * Specifies valid sources for JavaScript.   */  scriptSrc?: string[];  /**   * Specifies valid sources for JavaScript <script> elements.   */  scriptSrcElem?: string[];  /**   * Specifies valid sources for JavaScript inline event handlers.   */  scriptSrcAttr?: string[];  /**   * Specifies valid sources for stylesheets.   */  styleSrc?: string[];  /**   * Specifies valid sources for stylesheets <style> elements and <link>   * elements with rel="stylesheet".   */  styleSrcElem?: string[];  /**   * Specifies valid sources for inline styles applied to individual DOM   * elements.   */  styleSrcAttr?: string[];  /**   * Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.   */  workerSrc?: string[];
  // Document directives  /**   * Restricts the URLs which can be used in a document's <base> element.   */  baseUri?: string[];  /**   * Enables a sandbox for the requested resource similar to the <iframe>   * sandbox attribute.   */  sandbox?: string[];
  // Navigation directives  /**   * Restricts the URLs which can be used as the target of a form submissions   * from a given context.   */  formAction?: string[];  /**   * Specifies valid parents that may embed a page using <frame>, <iframe>,   * <object>, <embed>, or <applet>.   */  frameAncestors?: string[];  /**   * Restricts the URLs to which a document can initiate navigation by any   * means, including <form> (if form-action is not specified), <a>,   * window.location, window.open, etc.   */  navigateTo?: string[];
  /**   * The URI to report CSP violations to.   */  reportUri?: string;}
export const CSP_CONTEXT = createContext<ContentSecurityPolicy | undefined>(  undefined,);
export function useCSP(mutator: (csp: ContentSecurityPolicy) => void) {  const csp = useContext(CSP_CONTEXT);  if (csp) {    mutator(csp);  }}