
Documentation

Overview

Package csp implements Content-Security-Policy, an HTTP header designed to mitigate XSS attacks.

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ContentSecurityPolicy

type ContentSecurityPolicy struct {
	//General valid rules for matching all loaded content.
	//Per the CSP spec, default-src is the fallback for any fetch directive
	//below that is left empty. Empty fields appear to be omitted from the
	//emitted header entirely (see the Middleware example).
	Default SourceList "default-src"
	//Rules for loading scripts. This directive carries most of the XSS
	//mitigation; avoid UnsafeInline/UnsafeEval/Data here where possible.
	Script SourceList "script-src"
	//Rules for loading styles
	Style SourceList "style-src"
	//Rules for loading images
	Image SourceList "img-src"
	//Rules for AJAX, websockets and EventSource.
	//400 is emulated on failure.
	Connect SourceList "connect-src"
	//Rules for loading fonts
	Font SourceList "font-src"
	//Rules for loading <object>, <embed> and <applet>.
	//Plugins are a common exfiltration path; None is the usual safe choice.
	Object SourceList "object-src"
	//Rules for loading <audio> and <video>
	Media SourceList "media-src"
	//Rules for loading frames (what this page may embed)
	Frame SourceList "frame-src"
	//Rules for frame ancestors (who may embed this page). This is the CSP
	//counterpart of X-Frame-Options and the clickjacking control.
	Ancestors SourceList "frame-ancestors"

	//A series of strings representing what policies to ignore in the sandbox
	//for this resource.
	//NOTE(review): the original doc said to "set a non-empty value with
	//length zero" to sandbox with no exceptions, which is contradictory;
	//confirm against Middleware how an exception-free "sandbox" directive
	//is emitted.
	//AllowScripts combined with AllowSameOrigin gives scripts same-origin
	//access, undoing most of what the sandbox restricts.
	Sandbox SandboxExceptionList "sandbox"

	//Instructs the browser to POST reports of policy failures to this URI.
	//NOTE(review): report-uri is deprecated in CSP3 in favour of report-to
	//but still widely honoured; confirm for the target browsers. The
	//receiving endpoint gets browser-supplied JSON and should treat it as
	//untrusted input.
	Report string "report-uri"
}

func (ContentSecurityPolicy) Middleware

func (c ContentSecurityPolicy) Middleware(h http.Handler) http.Handler

Wraps the http.Handler h so that the Content Security Policy specified by c is applied to its responses.

Example
// Build the policy. Note that 'unsafe-inline' in script-src largely
// defeats CSP's XSS protection; it is used here purely for illustration.
policy := ContentSecurityPolicy{
	Default: Self,
	Style:   Sources(Self, "fonts.googleapis.com", UnsafeInline),
	Script:  Sources(Self, UnsafeInline),
	Font:    Sources(Self, Data, "themes.googleusercontent.com"),
	Sandbox: Exceptions(AllowForms, AllowSameOrigin, AllowScripts),
}

// The wrapped handler does nothing; only the header added by the
// middleware is of interest here.
noop := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
handler := policy.Middleware(noop)

req, err := http.NewRequest("GET", "http://example.com/foo", nil)
if err != nil {
	panic(err)
}

rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)

fmt.Print(rec.Header().Get("Content-Security-Policy"))
Output:

default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' fonts.googleapis.com 'unsafe-inline'; font-src 'self' data: themes.googleusercontent.com; sandbox allow-forms allow-same-origin allow-scripts

func (ContentSecurityPolicy) RouteHandler

func (c ContentSecurityPolicy) RouteHandler(h http.Handler) route.Handler

Returns the Handler that would result from applying .Middleware to the given handler.

type SandboxExceptionList

type SandboxExceptionList string

A SandboxExceptionList is a space-separated list of identifiers specifying which exceptions to make to the sandbox directive.

const (
	//Allow form submission
	AllowForms SandboxExceptionList = "allow-forms"
	//Read raw mouse movement--
	//https://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html
	AllowPointerLock SandboxExceptionList = "allow-pointer-lock"
	//Allow creation of 'auxiliary browsing contexts', AKA popups.
	AllowPopups SandboxExceptionList = "allow-popups"
	//Allow scripts to access content on the same origin.
	//Combined with AllowScripts this gives running script full same-origin
	//access, undoing most of what the sandbox restricts.
	AllowSameOrigin SandboxExceptionList = "allow-same-origin"
	//Allow scripts to run
	AllowScripts SandboxExceptionList = "allow-scripts"
	//Allow this context to manipulate its parent context (window, frame).
	//http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-top-level-navigation-browsing-context-flag
	AllowTopNavigation SandboxExceptionList = "allow-top-navigation"
)

func Exceptions

func Exceptions(e ...SandboxExceptionList) (eo SandboxExceptionList)

Joins the exceptions in 'e' with spaces.

type SourceList

type SourceList string

A SourceList is a space-separated list of identifiers specifying which sources are acceptable.

const (
	//Matches any source. Per the CSP spec, '*' does not match data:, blob:
	//or filesystem: schemes; those must be listed explicitly.
	Any SourceList = "*"
	//Specifies that no sources are acceptable
	None SourceList = "'none'"
	//Same origin (same scheme, host, and port)
	Self SourceList = "'self'"
	//Via HTTPS
	HTTPS SourceList = "https:"
	//Via data: URLs. In script-src or object-src this is effectively
	//unsafe, since attacker-controlled data: URLs count as allowed sources.
	Data SourceList = "data:"
	//Allow use of inline source elements (onclick, attribute, script tag bodies, onload;
	//depends on the directive it is part of).
	//In script-src this removes most of CSP's XSS protection; nonce or hash
	//source expressions are the usual alternative. No constants for those
	//are defined here, but SourceList is a string and accepts them directly.
	UnsafeInline SourceList = "'unsafe-inline'"
	//Allows unsafe dynamic code evaluation such as JavaScript eval()
	UnsafeEval SourceList = "'unsafe-eval'"
)

func Sources

func Sources(s ...SourceList) (so SourceList)

Joins the sources in 's' with spaces.
