plume/content_security_policy

Content-Security-Policy (CSP)

This response header lets sites declare which resources the browser is allowed to load for a given page, mitigating cross-site scripting (XSS) and data-injection attacks. plume.default() ships a sensible starter policy.

Most directives expect at least one source. Passing an empty list (e.g. DefaultSrc([])) renders an incomplete directive — omit it entirely instead. Sandbox([]) is the exception; an empty token list applies the maximum restrictions.

Examples

Policy([
  DefaultSrc([Self]),
  ScriptSrc([Self]),
  ImgSrc([Self, Scheme("data")]),
  StyleSrc([Self, UnsafeInline]),
])

See the MDN docs.
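The starter policy above still relies on a host-based script-src. The following is an added example (not code from the plume project) showing how the same types build a nonce-based policy with 'strict-dynamic', how to omit a directive rather than pass it an empty list, and how the rendered value is attached to a response. It assumes two dependencies outside plume: gleam_crypto (crypto.strong_random_bytes) for the nonce and gleam_http (response.set_header) for the header; the function names new_nonce, strict_policy and with_csp are this example's own.

```gleam
import gleam/bit_array
import gleam/crypto
import gleam/http/response.{type Response}
import gleam/list
import plume/content_security_policy as csp

/// Generate a fresh 128-bit nonce for one response. Assumed dependency:
/// gleam_crypto's CSPRNG-backed strong_random_bytes (not part of plume).
/// A nonce must never be reused across responses.
pub fn new_nonce() -> String {
  crypto.strong_random_bytes(16)
  |> bit_array.base64_encode(True)
}

/// A strict, nonce-based policy. No host allowlist appears in script-src:
/// browsers that support 'strict-dynamic' ignore host and scheme sources
/// there, and trust flows only from the nonced <script> tags to whatever
/// they load at runtime.
pub fn strict_policy(
  nonce: String,
  api_hosts: List(String),
) -> csp.ContentSecurityPolicy {
  let base = [
    csp.DefaultSrc([csp.Self]),
    csp.ScriptSrc([csp.Nonce(nonce), csp.StrictDynamic]),
    csp.ObjectSrc([csp.None]),
    csp.BaseUri([csp.Self]),
    csp.FrameAncestors([csp.None]),
    csp.FormAction([csp.Self]),
    csp.UpgradeInsecureRequests,
  ]
  // connect-src needs at least one source. An empty api_hosts list would
  // render an incomplete directive, so omit it and let default-src apply.
  let connect = case api_hosts {
    [] -> []
    hosts -> [csp.ConnectSrc([csp.Self, ..list.map(hosts, csp.Host)])]
  }
  csp.Policy(list.append(base, connect))
}

/// Attach the rendered header to a response. response.set_header is the
/// gleam_http function; the header name is case-insensitive.
pub fn with_csp(
  resp: Response(body),
  nonce: String,
  api_hosts: List(String),
) -> Response(body) {
  response.set_header(
    resp,
    "content-security-policy",
    csp.to_string(strict_policy(nonce, api_hosts)),
  )
}
```

The value returned by new_nonce must be the one written into every `<script nonce="...">` attribute of the rendered page; a nonce generated once at startup, or one that is predictable, defeats the policy, since an attacker who can guess it can inject a script that carries it.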

Types

A Content-Security-Policy header value.

pub type ContentSecurityPolicy {
  Policy(List(Directive))
}

Constructors

  • Policy(List(Directive))

    The list of directives that make up the header value; rendered by to_string.

A single Content-Security-Policy directive.

pub type Directive {
  DefaultSrc(List(Source))
  ScriptSrc(List(Source))
  ScriptSrcAttr(List(Source))
  ScriptSrcElem(List(Source))
  StyleSrc(List(Source))
  StyleSrcAttr(List(Source))
  StyleSrcElem(List(Source))
  ImgSrc(List(Source))
  ConnectSrc(List(Source))
  FontSrc(List(Source))
  ObjectSrc(List(Source))
  MediaSrc(List(Source))
  FrameSrc(List(Source))
  FencedFrameSrc(List(Source))
  FrameAncestors(List(Source))
  ChildSrc(List(Source))
  ManifestSrc(List(Source))
  WorkerSrc(List(Source))
  BaseUri(List(Source))
  FormAction(List(Source))
  Sandbox(List(SandboxToken))
  UpgradeInsecureRequests
  RequireTrustedTypesFor(List(TrustedTypesSink))
  TrustedTypes(List(TrustedTypesPolicy))
}

Constructors

  • DefaultSrc(List(Source))

    Serves as a fallback for the other fetch directives.

  • ScriptSrc(List(Source))

    Valid sources for JavaScript and WebAssembly resources.

  • ScriptSrcAttr(List(Source))

    Valid sources for inline event handlers (e.g. onclick).

  • ScriptSrcElem(List(Source))

    Valid sources for JavaScript <script> elements.

  • StyleSrc(List(Source))

    Valid sources for stylesheets.

  • StyleSrcAttr(List(Source))

    Valid sources for inline styles applied to elements (e.g. style attributes).

  • StyleSrcElem(List(Source))

    Valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".

  • ImgSrc(List(Source))

    Valid sources of images and favicons.

  • ConnectSrc(List(Source))

    Restricts the URLs which can be loaded using script interfaces.

  • FontSrc(List(Source))

    Valid sources for fonts loaded using @font-face.

  • ObjectSrc(List(Source))

    Valid sources for the <object> and <embed> elements.

  • MediaSrc(List(Source))

    Valid sources for loading media using the <audio>, <video> and <track> elements.

  • FrameSrc(List(Source))

    Valid sources for nested browsing contexts loaded into elements such as <frame> and <iframe>.

  • FencedFrameSrc(List(Source))

    Valid sources for nested browsing contexts loaded into <fencedframe> elements. If absent, falls back to frame-src, then child-src, then default-src.

  • FrameAncestors(List(Source))

    Valid parents that may embed a page using <frame>, <iframe>, <object>, or <embed>. Does not fall back to default-src, and is only honoured when delivered in the HTTP header, not in a <meta> element; use FrameAncestors([None]) to forbid framing entirely.

  • ChildSrc(List(Source))

    Valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. Falls back to default-src.

  • ManifestSrc(List(Source))

    Valid sources for application manifest files.

  • WorkerSrc(List(Source))

    Valid sources for Worker, SharedWorker, or ServiceWorker scripts. If absent, falls back to child-src, then script-src, then default-src.

  • BaseUri(List(Source))

    Restricts the URLs which can be used in a document’s <base> element. Does not fall back to default-src; if omitted, any base URL is allowed, which lets an injected <base> redirect relative script URLs.

  • FormAction(List(Source))

    Restricts the URLs which can be used as the target of form submissions. Does not fall back to default-src; if omitted, forms may post anywhere.

  • Sandbox(List(SandboxToken))

    Enables a sandbox for the requested resource, similar to the <iframe> sandbox attribute. Pass an empty list to apply the maximum restrictions.

  • UpgradeInsecureRequests

    Instructs the browser to upgrade insecure requests (HTTP) to secure requests (HTTPS) before fetching.

  • RequireTrustedTypesFor(List(TrustedTypesSink))

    Controls data passed to DOM XSS sink functions (e.g. Element.innerHTML).

  • TrustedTypes(List(TrustedTypesPolicy))

    Restricts which Trusted Types policies may be created and used by scripts.

A capability token allowed within the sandbox directive.

pub type SandboxToken {
  AllowDownloads
  AllowForms
  AllowModals
  AllowOrientationLock
  AllowPointerLock
  AllowPopups
  AllowPopupsToEscapeSandbox
  AllowPresentation
  AllowSameOrigin
  AllowScripts
  AllowTopNavigation
  AllowTopNavigationByUserActivation
  AllowTopNavigationToCustomProtocols
  AllowStorageAccessByUserActivation
}

Constructors

  • AllowDownloads

    Allows downloads to be initiated by the sandboxed content.

  • AllowForms

    Allows the content to submit forms.

  • AllowModals

    Allows the content to open modal dialogs (e.g. alert(), confirm(), prompt(), print()).

  • AllowOrientationLock

    Allows the content to lock the screen orientation.

  • AllowPointerLock

    Allows the content to use the Pointer Lock API.

  • AllowPopups

    Allows the content to open popups (e.g. window.open(), target="_blank").

  • AllowPopupsToEscapeSandbox

    Allows popups opened by the sandboxed content to escape the sandbox.

  • AllowPresentation

    Allows the content to start a presentation session.

  • AllowSameOrigin

    Treats the content as same-origin rather than a unique opaque origin, allowing access to cookies and storage. Combined with AllowScripts this gives the content a script-enabled, same-origin document, i.e. no isolation from the rest of the site; avoid that pairing for untrusted content.

  • AllowScripts

    Allows the content to execute scripts.

  • AllowTopNavigation

    Allows the content to navigate the top-level browsing context.

  • AllowTopNavigationByUserActivation

    Allows the content to navigate the top-level browsing context, but only in response to a user gesture.

  • AllowTopNavigationToCustomProtocols

    Allows the content to navigate the top-level browsing context to non-http/https URL schemes.

  • AllowStorageAccessByUserActivation

    Lets the sandboxed content request access to the parent’s storage via the Storage Access API.
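As an added example (not code from the plume project), the following builds a policy for serving untrusted user-supplied HTML, such as a rendered message preview, under the sandbox directive. Passing Sandbox([]) applies every restriction; callers may opt individual capabilities back in, but the function refuses the AllowSameOrigin plus AllowScripts pairing, which would remove the isolation the sandbox exists to provide. The function names untrusted_html_policy and locked_down are this example's own.

```gleam
import gleam/list
import plume/content_security_policy as csp

/// Policy for a page that renders untrusted HTML. The document runs in a
/// unique opaque origin (no cookies, no storage), loads nothing but
/// same-origin and data: images, and may only be framed by this site.
pub fn untrusted_html_policy(
  tokens: List(csp.SandboxToken),
) -> Result(csp.ContentSecurityPolicy, String) {
  // allow-same-origin together with allow-scripts yields a script-enabled
  // document on our own origin: cookies, storage and the parent document
  // are all reachable. Refuse that combination for untrusted content.
  let same_origin = list.contains(tokens, csp.AllowSameOrigin)
  let scripts = list.contains(tokens, csp.AllowScripts)
  case same_origin && scripts {
    True ->
      Error("refusing allow-same-origin with allow-scripts for untrusted content")
    False ->
      Ok(
        csp.Policy([
          csp.DefaultSrc([csp.None]),
          csp.ImgSrc([csp.Self, csp.Scheme("data")]),
          csp.StyleSrc([csp.UnsafeInline]),
          csp.FrameAncestors([csp.Self]),
          // Sandbox([]) is the one directive where an empty list is valid:
          // it applies the maximum restrictions.
          csp.Sandbox(tokens),
        ]),
      )
  }
}

/// The most restrictive form: no tokens at all.
pub fn locked_down() -> Result(csp.ContentSecurityPolicy, String) {
  untrusted_html_policy([])
}

/// Forms allowed (e.g. a preview with a "report" button), still no scripts
/// and still an opaque origin.
pub fn with_forms() -> Result(csp.ContentSecurityPolicy, String) {
  untrusted_html_policy([csp.AllowForms])
}
```

Note that DefaultSrc([None]) is what stops the untrusted markup from loading remote resources; the sandbox directive alone only constrains what the document may do, not what it may fetch.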

A source expression used in directives that take a source list (fetch directives as well as frame-ancestors, base-uri and form-action).

pub type Source {
  Self
  None
  UnsafeInline
  UnsafeEval
  StrictDynamic
  WasmUnsafeEval
  UnsafeHashes
  InlineSpeculationRules
  Wildcard
  Host(String)
  Scheme(String)
  Nonce(String)
  Sha256(String)
  Sha384(String)
  Sha512(String)
}

Constructors

  • Self

    Same scheme, host, and port as the document. Rendered as 'self'.

  • None

    Matches no URLs. Rendered as 'none'.

  • UnsafeInline

    Allows the use of inline resources such as inline <script> elements, javascript: URLs, and inline event handlers. Rendered as 'unsafe-inline'.

  • UnsafeEval

    Allows the use of eval() and similar methods for creating code from strings. Rendered as 'unsafe-eval'.

  • StrictDynamic

    Propagates trust from a nonced or hashed root script to scripts it loads. In browsers that support it, host and scheme sources and 'unsafe-inline' in the same directive are ignored, so the policy degrades to the allowlist only in older browsers. Rendered as 'strict-dynamic'.

  • WasmUnsafeEval

    Allows the loading and execution of WebAssembly modules without needing to also allow 'unsafe-eval'. Rendered as 'wasm-unsafe-eval'.

  • UnsafeHashes

    Allows hashes (e.g. 'sha256-...') to match against inline event handlers and style attributes, which are otherwise excluded from hash matching. Rendered as 'unsafe-hashes'.

  • InlineSpeculationRules

    Allows inline <script type="speculationrules"> blocks used by the Speculation Rules API. Rendered as 'inline-speculation-rules'.

  • Wildcard

    Matches any URL, except those with the data:, blob:, or filesystem: schemes. Rendered as *.

  • Host(String)

    A host source, e.g. https://cdn.example.com or *.example.com.

  • Scheme(String)

    A scheme source, e.g. "https" (rendered as https:). Pass the scheme name without the trailing colon.

  • Nonce(String)

    A base64-encoded nonce that matches the nonce attribute on an inline element. Generate it per response from a cryptographically secure source (at least 128 bits) and never reuse it; a static or guessable nonce lets injected markup carry a valid nonce attribute. Rendered as 'nonce-<value>'.

  • Sha256(String)

    A base64-encoded SHA-256 hash of an inline resource. Rendered as 'sha256-<value>'.

  • Sha384(String)

    A base64-encoded SHA-384 hash of an inline resource. Rendered as 'sha384-<value>'.

  • Sha512(String)

    A base64-encoded SHA-512 hash of an inline resource. Rendered as 'sha512-<value>'.
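As an added example (not code from the plume project), the following derives a Sha256 source from the body of an inline script at build time, so a single fixed bootstrap script can run without 'unsafe-inline' and without a per-response nonce. It assumes gleam_crypto (crypto.hash with crypto.Sha256) and gleam_stdlib's bit_array module; the constant bootstrap_script is constructed for this example, and sha256_source and hashed_policy are this example's own names.

```gleam
import gleam/bit_array
import gleam/crypto
import plume/content_security_policy as csp

/// The inline script exactly as it is emitted between the <script> tags.
/// Constructed sample for this example. The hash covers these exact bytes,
/// whitespace and newlines included, so this string must be byte-identical
/// to what the page template writes out.
pub const bootstrap_script = "window.__cfg = {env: 'prod'};"

/// Compute the 'sha256-<base64>' source for an inline script body.
/// crypto.hash and bit_array.base64_encode come from gleam_crypto and
/// gleam_stdlib respectively (assumed dependencies, not part of plume).
pub fn sha256_source(inline: String) -> csp.Source {
  inline
  |> bit_array.from_string
  |> crypto.hash(crypto.Sha256, _)
  |> bit_array.base64_encode(True)
  |> csp.Sha256
}

/// Allow only same-origin scripts plus this one inline script. Editing the
/// script changes its hash, and the browser blocks it until the policy is
/// rebuilt, which is the intended failure mode.
pub fn hashed_policy() -> csp.ContentSecurityPolicy {
  csp.Policy([
    csp.DefaultSrc([csp.Self]),
    csp.ScriptSrc([csp.Self, sha256_source(bootstrap_script)]),
    csp.ObjectSrc([csp.None]),
    csp.BaseUri([csp.Self]),
  ])
}
```

Hash sources suit content that is fixed at build time; for markup rendered per request, a nonce is the better fit, since every change to the inline text would otherwise require a new hash.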

A policy name or wildcard used in the trusted-types directive.

pub type TrustedTypesPolicy {
  PolicyName(String)
  AllowDuplicates
  NoPolicy
  AnyPolicy
}

Constructors

  • PolicyName(String)

    A policy name that may be created (e.g. default, dompurify).

  • AllowDuplicates

    Allows the same policy name to be created more than once. Rendered as 'allow-duplicates'.

  • NoPolicy

    Disables Trusted Types policy creation entirely. Rendered as 'none'.

  • AnyPolicy

    Allows any policy name. Rendered as *.

A DOM XSS injection sink group used with the require-trusted-types-for directive.

pub type TrustedTypesSink {
  Script
}

Constructors

  • Script

    The DOM XSS injection sink group. The only sink group currently defined by the spec. Rendered as 'script'.

Values

pub fn to_string(value: ContentSecurityPolicy) -> String

Encode as the Content-Security-Policy header value.
