
This helper function exists mainly to document the possible values and to prevent misspelled directives. It returns a bare list. See the header reference and the CSP section of the MDN security guide for more information on the header.

Usage

csp(
  default_src = NULL,
  script_src = NULL,
  script_src_elem = NULL,
  script_src_attr = NULL,
  style_src = NULL,
  style_src_elem = NULL,
  style_src_attr = NULL,
  img_src = NULL,
  font_src = NULL,
  media_src = NULL,
  object_src = NULL,
  child_src = NULL,
  frame_src = NULL,
  worker_src = NULL,
  connect_src = NULL,
  fenced_frame_src = NULL,
  manifest_src = NULL,
  prefetch_src = NULL,
  base_uri = NULL,
  sandbox = FALSE,
  form_action = NULL,
  frame_ancestors = NULL,
  report_to = NULL,
  require_trusted_types_for = FALSE,
  trusted_types = NULL,
  upgrade_insecure_requests = FALSE
)

Arguments

default_src

Fallback for all other *_src values

script_src

Fallback for script_src_* values

script_src_elem

Valid sources for <script> elements

script_src_attr

Valid sources for inline event handlers

style_src

Fallback for style_src_* values

style_src_elem

Valid sources for <style> elements

style_src_attr

Valid sources for inline styling of elements

img_src

Valid sources for images and favicons

font_src

Valid sources for fonts loaded with @font-face

media_src

Valid sources for <audio>, <video>, and <track> elements

object_src

Valid sources for <object> and <embed> elements

child_src

Fallback for frame_src and worker_src

frame_src

Valid sources for <frame> and <iframe> elements

worker_src

Valid sources for Worker, SharedWorker, and ServiceWorker scripts

connect_src

Valid sources for URLs loaded from within scripts

fenced_frame_src

Valid sources for <fencedframe> elements

manifest_src

Valid sources for application manifest files

prefetch_src

Valid sources to be prefetched and prerendered

base_uri

Valid sources that can be put in a <base> element

sandbox

Logical. Enable sandboxing of the requested document/resource

form_action

Valid URLs to be targeted by form submissions

frame_ancestors

Valid parents that may embed this document in a <frame>, <iframe>, <object>, or <embed> element.

report_to

A URL to report violations to. Setting this will also add a report-uri directive along with a Reporting-Endpoints header for maximum compatibility.

require_trusted_types_for

Logical. Enforces Trusted Types

trusted_types

Specifies an allow list of Trusted Types

upgrade_insecure_requests

Logical. Automatically treat all HTTP URLs in the document as if they were HTTPS

Value

A bare list with the input arguments

Examples

# Default setting
csp(
  default_src = "self",
  script_src = "self",
  script_src_attr = "none",
  style_src = c("self", "https:", "unsafe-inline"),
  img_src = c("self", "data:"),
  font_src = c("self", "https:", "data:"),
  object_src = "none",
  base_uri = "self",
  form_action = "self",
  frame_ancestors = "self",
  upgrade_insecure_requests = TRUE
)
#> $child_src
#> NULL
#> 
#> $connect_src
#> NULL
#> 
#> $default_src
#> [1] "self"
#> 
#> $fenced_frame_src
#> NULL
#> 
#> $font_src
#> [1] "self"   "https:" "data:" 
#> 
#> $frame_src
#> NULL
#> 
#> $img_src
#> [1] "self"  "data:"
#> 
#> $manifest_src
#> NULL
#> 
#> $media_src
#> NULL
#> 
#> $object_src
#> [1] "none"
#> 
#> $prefetch_src
#> NULL
#> 
#> $script_src
#> [1] "self"
#> 
#> $script_src_elem
#> NULL
#> 
#> $script_src_attr
#> [1] "none"
#> 
#> $style_src
#> [1] "self"          "https:"        "unsafe-inline"
#> 
#> $style_src_elem
#> NULL
#> 
#> $style_src_attr
#> NULL
#> 
#> $worker_src
#> NULL
#> 
#> $base_uri
#> [1] "self"
#> 
#> $sandbox
#> NULL
#> 
#> $form_action
#> [1] "self"
#> 
#> $frame_ancestors
#> [1] "self"
#> 
#> $report_to
#> NULL
#> 
#> $require_trusted_types_for
#> NULL
#> 
#> $trusted_types
#> NULL
#> 
#> $upgrade_insecure_requests
#> [1] ""
#>
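The list above is only the package's intermediate representation; the browser needs it serialised into a Content-Security-Policy header value, where keyword sources such as "self" and "none" must be single-quoted while scheme sources such as "https:" and "data:" are not. The following R code is an added example, not the package's own serialiser: it assumes a named list of the shape shown in the Examples section (NULL for unset directives, a character vector of sources, or TRUE/"" for valueless flags) and builds the header string from it. The report_to argument, which the package also wires into a Reporting-Endpoints header, is deliberately skipped here.

```r
# Added example (not part of the package): serialise a csp()-style list
# into a Content-Security-Policy header value, quoting CSP keywords.

# Keyword sources that the CSP grammar requires to be single-quoted.
csp_keywords <- c("self", "none", "unsafe-inline", "unsafe-eval",
                  "unsafe-hashes", "strict-dynamic", "report-sample",
                  "wasm-unsafe-eval")

# Quote each source expression that is a keyword, nonce or hash;
# scheme sources ("https:", "data:") and host sources pass through unchanged.
quote_source <- function(x) {
  is_keyword <- x %in% csp_keywords
  is_nonce_or_hash <- grepl("^(nonce|sha256|sha384|sha512)-", x)
  ifelse(is_keyword | is_nonce_or_hash, paste0("'", x, "'"), x)
}

# Build the header value from a named list in the shape csp() returns
# (assumption: directive names use "_" where the header uses "-").
csp_header <- function(policy) {
  directives <- character()
  for (name in names(policy)) {
    value <- policy[[name]]
    # Unset directives and disabled flags produce no output.
    if (is.null(value) || isFALSE(value)) next
    # report_to needs a reporting group plus a Reporting-Endpoints
    # header, which this example does not model; skip it.
    if (name == "report_to") next
    directive <- gsub("_", "-", name, fixed = TRUE)
    if (isTRUE(value) || identical(value, "")) {
      # Valueless directive, e.g. upgrade-insecure-requests or sandbox.
      directives <- c(directives, directive)
    } else {
      sources <- paste(quote_source(value), collapse = " ")
      directives <- c(directives, paste(directive, sources))
    }
  }
  paste(directives, collapse = "; ")
}

# Constructed policy mirroring the "Default setting" example on this page.
policy <- list(
  default_src = "self",
  script_src = "self",
  script_src_attr = "none",
  style_src = c("self", "https:", "unsafe-inline"),
  img_src = c("self", "data:"),
  font_src = c("self", "https:", "data:"),
  object_src = "none",
  base_uri = "self",
  form_action = "self",
  frame_ancestors = "self",
  upgrade_insecure_requests = TRUE
)

cat("Content-Security-Policy:", csp_header(policy), "\n")
```

Forgetting the single quotes is the classic mistake when hand-writing this header: an unquoted self is parsed as a host source named "self", so the directive silently allows nothing from your own origin. Keeping the keyword list in one place, as quote_source does, is the serialiser-side counterpart of the argument-name checking that csp() provides on the input side.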