Documentation ¶
Overview ¶
Package csp implements Content-Security-Policy, an HTTP header designed to mitigate XSS attacks.
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ContentSecurityPolicy ¶
// ContentSecurityPolicy describes the directives emitted in a
// Content-Security-Policy header. Each field carries the directive name it is
// serialized under as a bare struct tag (not the conventional key:"value"
// form); presumably Middleware reads the tag verbatim via reflection — confirm
// against its implementation. Judging from Example, directives left empty do
// not appear in the header.
type ContentSecurityPolicy struct {
	// General valid rules for matching all loaded content; the fallback for
	// every fetch directive that is not set explicitly.
	Default SourceList "default-src"
	// Rules for loading scripts.
	Script SourceList "script-src"
	// Rules for loading styles.
	Style SourceList "style-src"
	// Rules for loading images.
	Image SourceList "img-src"
	// Rules for AJAX, websockets and EventSource.
	// 400 is emulated on failure.
	Connect SourceList "connect-src"
	// Rules for loading fonts.
	Font SourceList "font-src"
	// Rules for loading <object>, <embed> and <applet>.
	Object SourceList "object-src"
	// Rules for loading <audio> and <video>.
	Media SourceList "media-src"
	// Rules for loading frames.
	Frame SourceList "frame-src"
	// Rules for frame ancestors, i.e. which documents may embed this
	// resource (the CSP replacement for X-Frame-Options).
	Ancestors SourceList "frame-ancestors"
	// A series of strings representing what policies to ignore in the sandbox
	// for this resource.
	// To sandbox with no exception, set a non-empty value
	// with length zero.
	// NOTE(review): "non-empty value with length zero" is contradictory for a
	// string-typed field — confirm how a sandbox with no exceptions is
	// requested before relying on it.
	Sandbox SandboxExceptionList "sandbox"
	// Instructs the browser to POST reports of policy failures to this URI.
	// report-uri is deprecated in CSP Level 3 in favour of report-to, though
	// browsers still honour it.
	Report string "report-uri"
}
func (ContentSecurityPolicy) Middleware ¶
func (c ContentSecurityPolicy) Middleware(h http.Handler) http.Handler
Applies the Content Security Policy specified by 'c' to the http.Handler h.
Example ¶
// Example builds a policy for a typical page, wraps an empty handler with
// Middleware, and prints the Content-Security-Policy header that results.
func Example() {
	policy := ContentSecurityPolicy{
		Default: Self,
		Script:  Sources(Self, UnsafeInline),
		Style:   Sources(Self, "fonts.googleapis.com", UnsafeInline),
		Font:    Sources(Self, Data, "themes.googleusercontent.com"),
		Sandbox: Exceptions(AllowForms, AllowSameOrigin, AllowScripts),
	}

	// The wrapped handler writes nothing; only the header added by the
	// middleware matters here.
	noop := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	wrapped := policy.Middleware(noop)

	req, err := http.NewRequest("GET", "http://example.com/foo", nil)
	if err != nil {
		panic(err)
	}
	rec := httptest.NewRecorder()
	wrapped.ServeHTTP(rec, req)
	fmt.Print(rec.Header().Get("Content-Security-Policy"))
	// Output: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' fonts.googleapis.com 'unsafe-inline'; font-src 'self' data: themes.googleusercontent.com; sandbox allow-forms allow-same-origin allow-scripts
}
func (ContentSecurityPolicy) RouteHandler ¶
func (c ContentSecurityPolicy) RouteHandler(h http.Handler) route.Handler
Returns the Handler that would result from applying .Middleware to the given handler.
type SandboxExceptionList ¶
// A SandboxExceptionList is a space-separated list of identifiers specifying
// which exceptions to make to the sandbox directive. Build one from the
// Allow* constants with Exceptions.
type SandboxExceptionList string
// Sandbox exceptions that may be combined with Exceptions. Each one re-enables
// a capability the sandbox directive otherwise removes, so every exception
// added widens what sandboxed content may do.
const (
	// Allow form submission.
	AllowForms SandboxExceptionList = "allow-forms"
	// Read raw mouse movement --
	// https://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html
	AllowPointerLock SandboxExceptionList = "allow-pointer-lock"
	// Allow creation of 'auxiliary browsing contexts', AKA popups.
	AllowPopups SandboxExceptionList = "allow-popups"
	// Allow scripts to access content on the same origin.
	// Combined with AllowScripts this lets same-origin content script its way
	// out of the sandbox, as the HTML specification itself warns.
	AllowSameOrigin SandboxExceptionList = "allow-same-origin"
	// Allow scripts to run.
	AllowScripts SandboxExceptionList = "allow-scripts"
	// http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-top-level-navigation-browsing-context-flag
	AllowTopNavigation SandboxExceptionList = "allow-top-navigation"
)
func Exceptions ¶
func Exceptions(e ...SandboxExceptionList) (eo SandboxExceptionList)
Joins the exceptions in 'e' with spaces.
type SourceList ¶
// A SourceList is a space-separated list of identifiers specifying which
// sources are acceptable. Build one from the source constants with Sources.
type SourceList string
// Source expressions that may be combined into a SourceList.
const (
	// Matches every source, placing no restriction on the directive.
	Any SourceList = "*"
	// Specifies that no sources are acceptable.
	None SourceList = "'none'"
	// Same origin (same scheme, host, and port).
	Self SourceList = "'self'"
	// Via HTTPS.
	HTTPS SourceList = "https:"
	// Via data.
	Data SourceList = "data:"
	// Allow use of inline source elements (onclick, attribute, script tag bodies, onload;
	// depends on the directive it is part of). Reopens the injection vector
	// a script-src policy is meant to close.
	UnsafeInline SourceList = "'unsafe-inline'"
	// Allows unsafe dynamic code evaluation such as JavaScript eval().
	UnsafeEval SourceList = "'unsafe-eval'"
)