Header.ContentSecurityPolicy
Convenience module for creating a Content-Security-Policy header. Note that to set up a reporting endpoint properly, you will need to use ReWeb.Filter.csp
.
type src_list = src list option
type t = private {
child_src : src_list; |
connect_src : src_list; |
default_src : src list; |
font_src : src_list; |
frame_src : src_list; |
img_src : src_list; |
manifest_src : src_list; |
media_src : src_list; |
object_src : src_list; |
prefetch_src : src_list; |
script_src : src_list; |
script_src_elem : src_list; |
script_src_attr : src_list; |
style_src : src_list; |
style_src_elem : src_list; |
style_src_attr : src_list; |
worker_src : src_list; |
base_uri : src_list; |
plugin_types : string list option; |
form_action : src_list; |
navigate_to : src_list; |
report_to : string list option; |
block_all_mixed_content : bool option; |
}
CSP header value data model.
val make : ?child_src:src list -> ?connect_src:src list -> ?font_src:src list ->
?frame_src:src list -> ?img_src:src list -> ?manifest_src:src list -> ?media_src:src list ->
?object_src:src list -> ?prefetch_src:src list -> ?script_src:src list ->
?script_src_elem:src list -> ?script_src_attr:src list -> ?style_src:src list ->
?style_src_elem:src list -> ?style_src_attr:src list -> ?worker_src:src list ->
?base_uri:src list -> ?plugin_types:string list -> ?form_action:src list ->
?navigate_to:src list -> ?report_to:string list -> ?block_all_mixed_content:bool ->
src list -> t
make(..., default_src)
is a content security policy consisting of the given options.
val report_to_header : t -> string * string
report_to_string(directives)
is a valid Report-To
header using the directives
.
val to_header : ?report_only:bool -> t -> string * string
to_header(?report_only, directives)
is a either a content-security-policy
header (if report_only
is false
which is the default), or a content-security-policy-report-only
header if report_only
is true
.
If directives
just contains empty lists, to_header
will output the default-src 'self'
directive under the assumption that you want some protection since you're trying to use CSP.
If directives
contains a non-empty report_to
, will output both report-uri
and report-to
directives to try to target browsers that support either.