final case class ContentSecurityPolicy(defaultSources: List[ContentSourceRestriction] = List(ContentSourceRestriction.Self), connectSources: List[ContentSourceRestriction] = Nil, fontSources: List[ContentSourceRestriction] = Nil, frameSources: List[ContentSourceRestriction] = Nil, imageSources: List[ContentSourceRestriction] = List(ContentSourceRestriction.All), mediaSources: List[ContentSourceRestriction] = Nil, objectSources: List[ContentSourceRestriction] = Nil, scriptSources: List[JavaScriptSourceRestriction] = ..., styleSources: List[StylesheetSourceRestriction] = Nil, reportUri: Option[URI] = ...) extends Product with Serializable
Specifies a Content-Security-Policy for this site. This will be sent to the client in a Content-Security-Policy header when responses are returned from Lift.
In development mode, content security policy violations are only reported if the browser supports them, not enforced. In all other modes, content security policy violations are enforced if the browser supports them.
Note that the X-Webkit-CSP header is NOT specified, due to potentially-broken behavior in iOS 5 and 5.1. This means iOS 6/6.1 will not receive a content security policy that it can understand. See the caniuse page on content security policy for more.
- defaultSources
A list of default source restrictions; if one of the other sources parameters is empty, the default sources will apply instead.
- connectSources
A list of source restrictions for XmlHttpRequest (AJAX) connections.
- fontSources
A list of source restrictions for loading fonts (e.g., from CSS font-face declarations).
- frameSources
A list of source restrictions for loading frames and iframes.
- imageSources
A list of source restrictions for loading images.
- mediaSources
A list of source restrictions for loading media (audio and video).
- objectSources
A list of source restrictions for loading object, embed, applet, and related elements.
- scriptSources
A list of source restrictions for loading scripts. Also accepts the UnsafeInline and UnsafeEval source restrictions, though these are strongly discouraged.
- styleSources
A list of source restrictions for loading styles. Also accepts the UnsafeInline source, though it is strongly discouraged.
- reportUri
The URI where any violation of the security policy will be reported. You can set the function that handles these violations in LiftRules.contentSecurityPolicyViolationReport. By default, reported to ContentSecurityPolicy.defaultReportUri. If this is None, violations will not be reported.
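An added example, not part of Lift's documentation or code: a small audit that applies the defaultSources fallback rule described above and flags the settings the parameter descriptions discourage. It assumes lift-webkit on the classpath and that the restrictions are reachable as members of ContentSourceRestriction (Self, All, UnsafeInline, UnsafeEval); CspAudit, effective and findings are hypothetical names.

```scala
import net.liftweb.http.{ContentSecurityPolicy, ContentSourceRestriction => Src}

// Added example (not Lift's own code). CspAudit, effective and findings are
// hypothetical names; lift-webkit on the classpath is assumed.
object CspAudit {
  // Fallback rule from the parameter docs: an empty list defers to defaultSources.
  private def effective(policy: ContentSecurityPolicy,
                        specific: List[Src]): List[Src] =
    if (specific.isEmpty) policy.defaultSources else specific

  /** One finding per weakening setting; Nil means none of these checks fired. */
  def findings(policy: ContentSecurityPolicy): List[String] = {
    val scripts = effective(policy, policy.scriptSources)
    val styles  = effective(policy, policy.styleSources)
    val objects = effective(policy, policy.objectSources)
    val frames  = effective(policy, policy.frameSources)
    List(
      scripts.contains(Src.UnsafeInline) -> "scripts: UnsafeInline permits inline script",
      scripts.contains(Src.UnsafeEval)   -> "scripts: UnsafeEval permits eval-style code",
      styles.contains(Src.UnsafeInline)  -> "styles: UnsafeInline permits inline styles",
      scripts.contains(Src.All)          -> "scripts: loadable from any origin",
      objects.contains(Src.All)          -> "objects: loadable from any origin",
      frames.contains(Src.All)           -> "frames: any origin can be loaded in a frame",
      policy.reportUri.isEmpty           -> "reportUri is None: violations are not reported"
    ).collect { case (true, message) => message }
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample policies for the demonstration.
    val loose = ContentSecurityPolicy(
      defaultSources = List(Src.All),
      scriptSources  = List(Src.Self, Src.UnsafeInline, Src.UnsafeEval),
      styleSources   = List(Src.Self, Src.UnsafeInline),
      reportUri      = None
    )
    val strict = ContentSecurityPolicy(
      scriptSources = List(Src.Self),
      styleSources  = List(Src.Self),
      imageSources  = List(Src.Self)
    )
    for ((name, policy) <- List("loose" -> loose, "strict" -> strict)) {
      println(s"$name: ${policy.contentSecurityPolicyString}")
      findings(policy).foreach(f => println(s"  finding: $f"))
      // enforce = false mirrors development mode: report violations, do not enforce.
      println(s"  headers(enforce = false): ${policy.headers(enforce = false)}")
    }
  }
}
```

In the loose policy the object and frame findings come from the fallback alone: both lists are empty, so the wildcard in defaultSources applies to them.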
Instance Constructors
- new ContentSecurityPolicy(defaultSources: List[ContentSourceRestriction] = List(ContentSourceRestriction.Self), connectSources: List[ContentSourceRestriction] = Nil, fontSources: List[ContentSourceRestriction] = Nil, frameSources: List[ContentSourceRestriction] = Nil, imageSources: List[ContentSourceRestriction] = List(ContentSourceRestriction.All), mediaSources: List[ContentSourceRestriction] = Nil, objectSources: List[ContentSourceRestriction] = Nil, scriptSources: List[JavaScriptSourceRestriction] = ..., styleSources: List[StylesheetSourceRestriction] = Nil, reportUri: Option[URI] = ...)
Value Members
- final def !=(arg0: Any): Boolean
  Definition Classes: AnyRef → Any
- final def ##(): Int
  Definition Classes: AnyRef → Any
- final def ==(arg0: Any): Boolean
  Definition Classes: AnyRef → Any
- final def asInstanceOf[T0]: T0
  Definition Classes: Any
- def clone(): AnyRef
  Attributes: protected[java.lang]
  Definition Classes: AnyRef
  Annotations: @throws( ... )
- val connectSources: List[ContentSourceRestriction]
- def contentSecurityPolicyString: String
The string that describes this content security policy in the syntax expected by the Content-Security-Policy header.
- val defaultSources: List[ContentSourceRestriction]
- final def eq(arg0: AnyRef): Boolean
  Definition Classes: AnyRef
- def finalize(): Unit
  Attributes: protected[java.lang]
  Definition Classes: AnyRef
  Annotations: @throws( classOf[java.lang.Throwable] )
- val fontSources: List[ContentSourceRestriction]
- val frameSources: List[ContentSourceRestriction]
- final def getClass(): Class[_]
  Definition Classes: AnyRef → Any
- def headers(enforce: Boolean = true, logViolations: Boolean = true): List[(String, String)]
Returns the headers implied by this content security policy.
- val imageSources: List[ContentSourceRestriction]
- final def isInstanceOf[T0]: Boolean
  Definition Classes: Any
- val mediaSources: List[ContentSourceRestriction]
- final def ne(arg0: AnyRef): Boolean
  Definition Classes: AnyRef
- final def notify(): Unit
  Definition Classes: AnyRef
- final def notifyAll(): Unit
  Definition Classes: AnyRef
- val objectSources: List[ContentSourceRestriction]
- val reportUri: Option[URI]
- val scriptSources: List[JavaScriptSourceRestriction]
- val styleSources: List[StylesheetSourceRestriction]
- final def synchronized[T0](arg0: ⇒ T0): T0
  Definition Classes: AnyRef
- final def wait(): Unit
  Definition Classes: AnyRef
  Annotations: @throws( ... )
- final def wait(arg0: Long, arg1: Int): Unit
  Definition Classes: AnyRef
  Annotations: @throws( ... )
- final def wait(arg0: Long): Unit
  Definition Classes: AnyRef
  Annotations: @throws( ... )