Package com.helger.http.csp
Class CSPDirective
java.lang.Object
com.helger.http.csp.CSPDirective
- All Implemented Interfaces:
com.helger.base.name.IHasName, ICSPDirective
A single CSP directive. It's a name-value-pair.
- Since:
- 10.4.0
- Author:
- Philip Helger
-
Constructor Summary
Constructor: Description
CSPDirective(@NonNull @Nonempty String sName, @Nullable AbstractCSPSourceList<?> aValue): Constructor using a source list as the value.
CSPDirective(@NonNull @Nonempty String sName, @Nullable String sValue): Constructor using a string as the value.
-
Method Summary
Modifier and Type, Method: Description
static @NonNull CSPDirective createBaseURI(@Nullable String sValue): Restricts the URLs which can be used in a document's <base> element.
static @NonNull CSPDirective createChildSrc(@Nullable AbstractCSPSourceList<?> aValue): Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
static @NonNull CSPDirective createConnectSrc(@Nullable AbstractCSPSourceList<?> aValue): Applies to XMLHttpRequest (AJAX), WebSocket or EventSource.
static @NonNull CSPDirective createDefaultSrc(@Nullable AbstractCSPSourceList<?> aValue): The "default-src" is the default policy for loading content such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media.
static @NonNull CSPDirective createFontSrc(@Nullable AbstractCSPSourceList<?> aValue): Defines valid sources of fonts.
static @NonNull CSPDirective createFormAction(@Nullable AbstractCSPSourceList<?> aValue): Defines valid sources that can be used as an HTML <form> action.
static @NonNull CSPDirective createFrameAncestors(@Nullable AbstractCSPSourceList<?> aValue): Defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet>.
static @NonNull CSPDirective createFrameSrc(@Nullable AbstractCSPSourceList<?> aValue): The HTTP Content-Security-Policy (CSP) "frame-src" directive specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe>.
static @NonNull CSPDirective createImgSrc(@Nullable AbstractCSPSourceList<?> aValue): Defines valid sources of images.
static @NonNull CSPDirective createManifestSrc(@Nullable AbstractCSPSourceList<?> aValue): Specifies valid sources of application manifest files.
static @NonNull CSPDirective createMediaSrc(@Nullable AbstractCSPSourceList<?> aValue): Defines valid sources of audio and video, eg HTML5 <audio>, <video> elements.
static @NonNull CSPDirective createObjectSrc(@Nullable AbstractCSPSourceList<?> aValue): Defines valid sources of plugins, eg <object>, <embed> or <applet>.
static @NonNull CSPDirective createPrefetchSrc(@Nullable AbstractCSPSourceList<?> aValue): Deprecated, for removal: This API element is subject to removal in a future version.
static @NonNull CSPDirective createReportTo(@Nullable String sValue): The Content-Security-Policy "report-to" directive indicates the name of the endpoint that the browser should use for reporting CSP violations.
static @NonNull CSPDirective createReportURI(@Nullable String sValue): The report-uri directive specifies a URI to which the user agent sends reports about policy violation. Deprecated in favour of createReportTo(String) but browser support is not yet ideal.
static @NonNull CSPDirective createSandbox(@Nullable String sValue): The sandbox directive specifies an HTML sandbox policy that the user agent applies to the protected resource.
static @NonNull CSPDirective createScriptSrc(@Nullable AbstractCSPSourceList<?> aValue): Defines valid sources of JavaScript.
static @NonNull CSPDirective createScriptSrcAttr(@Nullable AbstractCSPSourceList<?> aValue): The HTTP Content-Security-Policy (CSP) "script-src-attr" directive specifies valid sources for JavaScript inline event handlers.
static @NonNull CSPDirective createScriptSrcElem(@Nullable AbstractCSPSourceList<?> aValue): The HTTP Content-Security-Policy (CSP) "script-src-elem" directive specifies valid sources for JavaScript <script> elements.
static @NonNull CSPDirective createStyleSrc(@Nullable AbstractCSPSourceList<?> aValue): Defines valid sources of stylesheets.
static @NonNull CSPDirective createStyleSrcAttr(@Nullable AbstractCSPSourceList<?> aValue): The HTTP Content-Security-Policy (CSP) "style-src-attr" directive specifies valid sources for inline styles applied to individual DOM elements.
static @NonNull CSPDirective createStyleSrcElem(@Nullable AbstractCSPSourceList<?> aValue): The HTTP Content-Security-Policy (CSP) "style-src-elem" directive specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".
static @NonNull CSPDirective createWorkerSrc(@Nullable AbstractCSPSourceList<?> aValue): Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
boolean equals(Object)
final @NonNull @Nonempty String getName()
final @Nullable String getValue()
int hashCode()
static boolean isValidName(@Nullable String sName): Check if the provided string is a valid CSP directive name.
static boolean isValidValue(@Nullable String sValue): Check if the provided string is a valid CSP directive value.
toString()
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
Methods inherited from interface com.helger.http.csp.ICSPDirective
getAsString, getAsStringIfHasValue, hasValue
-
Constructor Details
-
CSPDirective
public CSPDirective(@Nonempty @NonNull @Nonempty String sName, @Nullable AbstractCSPSourceList<?> aValue)
Constructor using a source list as the value.
- Parameters:
sName - The directive name. May neither be null nor empty and must be a valid name.
aValue - The source list value. May be null.
-
CSPDirective
Constructor using a string as the value.
- Parameters:
sName - The directive name. May neither be null nor empty and must be a valid name.
sValue - The directive value. May be null.
-
-
Method Details
-
isValidName
Check if the provided string is a valid CSP directive name. Valid names consist of alpha, digit and hyphen characters only.
- Parameters:
sName - The name to check. May be null.
- Returns:
- true if the name is valid, false otherwise.
-
isValidValue
Check if the provided string is a valid CSP directive value. Empty values are allowed. The value must not contain semicolons or commas.
- Parameters:
sValue - The value to check. May be null.
- Returns:
- true if the value is valid, false otherwise.
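The two checks above matter when any part of a directive comes from configuration or other external input: in a Content-Security-Policy header ';' separates directives and ',' separates policies, so an unchecked value can carry additional directives with it. The following is an added example, not part of the library's documentation, that applies isValidName and isValidValue before constructing a directive; the class name, the fromConfig helper and the sample inputs are constructed for illustration.

```java
import com.helger.http.csp.CSPDirective;

public final class CspDirectiveInputCheck {
  // Hypothetical helper (not part of the library): returns a directive only
  // if both parts pass the library's own validity checks.
  static CSPDirective fromConfig(final String sName, final String sValue) {
    // Names: alpha, digit and hyphen characters only.
    if (!CSPDirective.isValidName(sName))
      throw new IllegalArgumentException("invalid directive name: '" + sName + "'");
    // Values: may be empty, but must not contain ';' or ','.
    if (!CSPDirective.isValidValue(sValue))
      throw new IllegalArgumentException("invalid value for " + sName + ": '" + sValue + "'");
    return new CSPDirective(sName, sValue);
  }

  public static void main(final String[] args) {
    // Constructed sample inputs, as they might arrive from a configuration file.
    final String[][] aSamples = {
      { "report-uri", "https://csp.example.org/report" },           // plain URI
      { "sandbox", "" },                                            // empty value
      { "report-uri", "https://csp.example.org/r; script-src *" },  // value contains ';'
      { "report-uri", "https://csp.example.org/r, default-src *" }, // value contains ','
      { "script src", "'self'" }                                    // name contains a space
    };
    for (final String[] aSample : aSamples) {
      try {
        final CSPDirective aDirective = fromConfig(aSample[0], aSample[1]);
        System.out.println("accepted: " + aDirective.getName() + " [" + aDirective.getValue() + "]");
      } catch (final IllegalArgumentException ex) {
        System.out.println("rejected: " + ex.getMessage());
      }
    }
  }
}
```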
-
getName
- Specified by:
getName in interface ICSPDirective
- Specified by:
getName in interface com.helger.base.name.IHasName
- Returns:
- The name of this directive.
-
getValue
- Specified by:
getValue in interface ICSPDirective
- Returns:
- The value of this directive. May be null or empty.
-
equals
-
hashCode
public int hashCode() -
toString
-
createBaseURI
Restricts the URLs which can be used in a document's <base> element. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the <base> element.
- Parameters:
sValue - value
- Returns:
- new directive
- Since:
- CSP v2
-
createChildSrc
Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v2
-
createConnectSrc
Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed, the browser emulates a 400 HTTP status code.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v1
-
createDefaultSrc
The "default-src" is the default policy for loading content such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v1
-
createFontSrc
Defines valid sources of fonts.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v1
-
createFormAction
Defines valid sources that can be used as an HTML <form> action.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v2
-
createFrameAncestors
Defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet>. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v2
-
createFrameSrc
The HTTP Content-Security-Policy (CSP) "frame-src" directive specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe>.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v1 and v10.4.0
-
createImgSrc
Defines valid sources of images.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v1
-
createManifestSrc
Specifies valid sources of application manifest files.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v3, 9.3.5
-
createMediaSrc
Defines valid sources of audio and video, eg HTML5 <audio>, <video> elements.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v1
-
createObjectSrc
Defines valid sources of plugins, eg <object>, <embed> or <applet>.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v1
-
createPrefetchSrc
@Deprecated(forRemoval=true, since="10.4.0") public static @NonNull CSPDirective createPrefetchSrc(@Nullable AbstractCSPSourceList<?> aValue)
Deprecated, for removal: This API element is subject to removal in a future version.
Specifies valid sources to be prefetched or prerendered (draft).
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v3, 9.3.5
-
createReportURI
The report-uri directive specifies a URI to which the user agent sends reports about policy violation.
Deprecated in favour of createReportTo(String) but browser support is not yet ideal.
- Parameters:
sValue - Report URI
- Returns:
- new directive
- Since:
- CSP v1
-
createReportTo
The Content-Security-Policy "report-to" directive indicates the name of the endpoint that the browser should use for reporting CSP violations. This is not yet supported by Firefox as of 2025-02.
- Parameters:
sValue - Report endpoint according to Reporting-Endpoints response header
- Returns:
- new directive
- Since:
- CSP v3 and v10.4.0
-
createSandbox
The sandbox directive specifies an HTML sandbox policy that the user agent applies to the protected resource.
- Parameters:
sValue - value
- Returns:
- new directive
- Since:
- CSP v1
-
createScriptSrc
Defines valid sources of JavaScript.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v1
-
createScriptSrcAttr
The HTTP Content-Security-Policy (CSP) "script-src-attr" directive specifies valid sources for JavaScript inline event handlers.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v3 and v10.4.0
-
createScriptSrcElem
The HTTP Content-Security-Policy (CSP) "script-src-elem" directive specifies valid sources for JavaScript <script> elements.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v3 and v10.4.0
-
createStyleSrc
Defines valid sources of stylesheets.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v1
-
createStyleSrcAttr
The HTTP Content-Security-Policy (CSP) "style-src-attr" directive specifies valid sources for inline styles applied to individual DOM elements.
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v3 and v10.4.0
-
createStyleSrcElem
The HTTP Content-Security-Policy (CSP) "style-src-elem" directive specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v3 and v10.4.0
-
createWorkerSrc
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts (draft).
- Parameters:
aValue - Value list to use. May be null.
- Returns:
- New CSPDirective
- Since:
- CSP v3, 9.3.5
-