Class CSPDirective

java.lang.Object
com.helger.http.csp.CSPDirective
All Implemented Interfaces:
com.helger.base.name.IHasName, ICSPDirective

public class CSPDirective extends Object implements ICSPDirective
A single CSP directive. It's a name-value-pair.
Since:
10.4.0
Author:
Philip Helger
  • Constructor Details

    • CSPDirective

      public CSPDirective(@Nonnull @Nonempty String sName, @Nullable AbstractCSPSourceList<?> aValue)
    • CSPDirective

      public CSPDirective(@Nonnull @Nonempty String sName, @Nullable String sValue)
  • Method Details

    • isValidName

      public static boolean isValidName(@Nullable String sName)
    • isValidValue

      public static boolean isValidValue(@Nullable String sValue)
    • getName

      @Nonnull @Nonempty public final String getName()
      Specified by:
      getName in interface ICSPDirective
      Specified by:
      getName in interface com.helger.base.name.IHasName
      Returns:
      The name of this directive.
    • getValue

      @Nullable public final String getValue()
      Specified by:
      getValue in interface ICSPDirective
      Returns:
      The value of this directive. May be null or empty.
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • createBaseURI

      @Nonnull public static CSPDirective createBaseURI(@Nullable String sValue)
      Restricts the URLs which can be used in a document's <base> element. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the <base> element.
      Parameters:
      sValue - value
      Returns:
      new directive
      Since:
      CSP v2
    • createChildSrc

      @Nonnull public static CSPDirective createChildSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v2
    • createConnectSrc

      @Nonnull public static CSPDirective createConnectSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed, the browser emulates a 400 HTTP status code.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v1
    • createDefaultSrc

      @Nonnull public static CSPDirective createDefaultSrc(@Nullable AbstractCSPSourceList<?> aValue)
      The "default-src" is the default policy for loading content such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v1
    • createFontSrc

      @Nonnull public static CSPDirective createFontSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Defines valid sources of fonts.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v1
    • createFormAction

      @Nonnull public static CSPDirective createFormAction(@Nullable AbstractCSPSourceList<?> aValue)
      Defines valid sources that can be used as an HTML <form> action.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v2
    • createFrameAncestors

      @Nonnull public static CSPDirective createFrameAncestors(@Nullable AbstractCSPSourceList<?> aValue)
      Defines valid sources for embedding the resource using <frame>, <iframe>, <object>, <embed> or <applet>. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v2
    • createFrameSrc

      @Nonnull public static CSPDirective createFrameSrc(@Nullable AbstractCSPSourceList<?> aValue)
      The HTTP Content-Security-Policy (CSP) "frame-src" directive specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v1 and v10.4.0
    • createImgSrc

      @Nonnull public static CSPDirective createImgSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Defines valid sources of images.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v1
    • createManifestSrc

      @Nonnull public static CSPDirective createManifestSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Specifies valid sources of application manifest files.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v3, 9.3.5
    • createMediaSrc

      @Nonnull public static CSPDirective createMediaSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Defines valid sources of audio and video, e.g. HTML5 <audio> and <video> elements.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v1
    • createObjectSrc

      @Nonnull public static CSPDirective createObjectSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Defines valid sources of plugins, e.g. <object>, <embed> or <applet>.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v1
    • createPrefetchSrc

      @Nonnull @Deprecated(forRemoval=true, since="10.4.0") public static CSPDirective createPrefetchSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Specifies valid sources to be prefetched or prerendered (draft).
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v3, 9.3.5
    • createReportURI

      @Nonnull public static CSPDirective createReportURI(@Nullable String sValue)
      The report-uri directive specifies a URI to which the user agent sends reports about policy violations.
      Deprecated in favour of createReportTo(String), but browser support for that directive is not yet ideal.
      Parameters:
      sValue - Report URI
      Returns:
      new directive
      Since:
      CSP v1
    • createReportTo

      @Nonnull public static CSPDirective createReportTo(@Nullable String sValue)
      The Content-Security-Policy "report-to" directive indicates the name of the endpoint that the browser should use for reporting CSP violations. As of 2025-02, this is not yet supported by Firefox.
      Parameters:
      sValue - Report endpoint according to Reporting-Endpoints response header
      Returns:
      new directive
      Since:
      CSP v3 and v10.4.0
    • createSandbox

      @Nonnull public static CSPDirective createSandbox(@Nullable String sValue)
      The sandbox directive specifies an HTML sandbox policy that the user agent applies to the protected resource.
      Parameters:
      sValue - value
      Returns:
      new directive
      Since:
      CSP v1
    • createScriptSrc

      @Nonnull public static CSPDirective createScriptSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Defines valid sources of JavaScript.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v1
    • createScriptSrcAttr

      @Nonnull public static CSPDirective createScriptSrcAttr(@Nullable AbstractCSPSourceList<?> aValue)
      The HTTP Content-Security-Policy (CSP) "script-src-attr" directive specifies valid sources for JavaScript inline event handlers.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v3 and v10.4.0
    • createScriptSrcElem

      @Nonnull public static CSPDirective createScriptSrcElem(@Nullable AbstractCSPSourceList<?> aValue)
      The HTTP Content-Security-Policy (CSP) "script-src-elem" directive specifies valid sources for JavaScript <script> elements.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v3 and v10.4.0
    • createStyleSrc

      @Nonnull public static CSPDirective createStyleSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Defines valid sources of stylesheets.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v1
    • createStyleSrcAttr

      @Nonnull public static CSPDirective createStyleSrcAttr(@Nullable AbstractCSPSourceList<?> aValue)
      The HTTP Content-Security-Policy (CSP) "style-src-attr" directive specifies valid sources for inline styles applied to individual DOM elements.
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v3 and v10.4.0
    • createStyleSrcElem

      @Nonnull public static CSPDirective createStyleSrcElem(@Nullable AbstractCSPSourceList<?> aValue)
      The HTTP Content-Security-Policy (CSP) "style-src-elem" directive specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v3 and v10.4.0
    • createWorkerSrc

      @Nonnull public static CSPDirective createWorkerSrc(@Nullable AbstractCSPSourceList<?> aValue)
      Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts (draft).
      Parameters:
      aValue - Value list to use. May be null.
      Returns:
      New CSPDirective
      Since:
      CSP v3, 9.3.5
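
An added usage sketch (not part of the library's own documentation) for the createReportURI / createReportTo pair described above: it emits both reporting directives so that browsers without report-to support still report, and pairs report-to with the Reporting-Endpoints response header that defines the endpoint name. The endpoint name, the collector URL, the class name and the hand-written serialization are assumptions for illustration; only the CSPDirective members listed on this page are used.

```java
import com.helger.http.csp.CSPDirective;

import java.util.ArrayList;
import java.util.List;

public final class CspReportingHeaders
{
  // Assumptions: endpoint name and collector URL are placeholders.
  private static final String ENDPOINT_NAME = "csp-endpoint";
  private static final String COLLECTOR_URL = "https://reports.example.test/csp";

  // Build a directive from raw strings, rejecting input the library considers invalid.
  static CSPDirective checked (String name, String value)
  {
    if (!CSPDirective.isValidName (name) || !CSPDirective.isValidValue (value))
      throw new IllegalArgumentException ("Rejected CSP directive: " + name);
    return new CSPDirective (name, value);
  }

  // Hand-written serialization (assumption): "name value" pairs joined by "; ".
  static String toHeaderValue (List<CSPDirective> directives)
  {
    StringBuilder sb = new StringBuilder ();
    for (CSPDirective d : directives)
    {
      if (sb.length () > 0)
        sb.append ("; ");
      sb.append (d.getName ());
      String value = d.getValue (); // may be null or empty, e.g. a bare "sandbox"
      if (value != null && !value.isEmpty ())
        sb.append (' ').append (value);
    }
    return sb.toString ();
  }

  public static void main (String [] args)
  {
    List<CSPDirective> policy = new ArrayList<> ();
    policy.add (checked ("default-src", "'self'"));
    policy.add (checked ("frame-ancestors", "'none'"));
    policy.add (CSPDirective.createBaseURI ("'self'"));
    // Legacy and current reporting directives side by side
    policy.add (CSPDirective.createReportURI (COLLECTOR_URL));
    policy.add (CSPDirective.createReportTo (ENDPOINT_NAME));

    // report-to only names an endpoint; this header binds the name to a URL.
    System.out.println ("Reporting-Endpoints: " + ENDPOINT_NAME + "=\"" + COLLECTOR_URL + "\"");
    System.out.println ("Content-Security-Policy: " + toHeaderValue (policy));
  }
}
```

Browsers that implement report-to ignore report-uri in the same policy, so sending both does not produce duplicate reports.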