Content Security Policy (CSP).
Content Security Policy (CSP). See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.
(header-name)
(header-name report-only)
Returns CSP header name, normal one or report-only if report-only
is true.
Without argument returns normal header name.
Returns CSP header name, normal one or report-only if `report-only` is true. Without argument returns normal header name.
(header-value-fn policy)
The returned function takes a policy
map and returns a content policy
header value. If the policy map contains :nonce
in directive values, the
returned function is a 1-arity function (fn [nonce] policy-header)
,
otherwise it is a 0-arity function.
The keys in the policy map represent directive names, and can be:
name
as-directive-name
of csp-impl/PolicyRender
protocolThe values in the policy map represent directive values, and can be:
:nonce
keyword is a placeholder for the value of noncename
write-directive-value
of
csp-impl/PolicyRender
protocolExample:
(def nonce-policy
(csp/header-value-fn {"script-src" :nonce
"img-src" "*"}))
(nonce-policy "MY-NONCE")
:=> "script-src 'nonce-MY-NONCE'; img-src *"
(def static-policy
(csp/header-value-fn {:default-src ["https:"
:unsafe-eval
:unsafe-inline]
:object-src :none})
(static-policy)
:=> "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
CSP header values can be tested online:
The returned function takes a `policy` map and returns a content policy header value. If the policy map contains `:nonce` in directive values, the returned function is a 1-arity function `(fn [nonce] policy-header)`, otherwise it is a 0-arity function. The keys in the policy map represent directive names, and can be: - string, which is taken as is - keyword, which are converted to string using `name` - other type which implements `as-directive-name` of [[csp-impl/PolicyRender]] protocol The values in the policy map represent directive values, and can be: - string, which is taken as is - keyword - the special `:nonce` keyword is a placeholder for the value of nonce - other keywords are converted to single quoted string using `name` - collection, where elements are rendered as directive values and separated with space. - other type which implements `write-directive-value` of [[csp-impl/PolicyRender]] protocol Example: (def nonce-policy (csp/header-value-fn {"script-src" :nonce "img-src" "*"})) (nonce-policy "MY-NONCE") :=> "script-src 'nonce-MY-NONCE'; img-src *" (def static-policy (csp/header-value-fn {:default-src ["https:" :unsafe-eval :unsafe-inline] :object-src :none}) (static-policy) :=> "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'" CSP header values can be tested online: - [CSP Evaluator](https://csp-evaluator.withgoogle.com/). - [The Mozilla Observatory](https://observatory.mozilla.org/).
(random-nonce-fn)
(random-nonce-fn random)
Returns unique random 144 bit string (24 chars) to be used as CSP nonce in
HTTP response. Uses java.security SecureRandom
or provided optional instance
of java.util.Random
to generate random bytes.
Example:
(def random-nonce (csp/random-nonce-fn))
(random-nonce) :=> "iqkOHbaBPnGT6vC73ph89/G3"
; Execution time mean : 1.042166 µs
; Execution time std-deviation : 30.633099 ns
; Execution time lower quantile : 1.009274 µs ( 2.5%)
; Execution time upper quantile : 1.087203 µs (97.5%)
See also Using a nonce with CSP.
Returns unique random 144 bit string (24 chars) to be used as CSP nonce in HTTP response. Uses `java.security SecureRandom` or provided optional instance of `java.util.Random` to generate random bytes. Example: (def random-nonce (csp/random-nonce-fn)) (random-nonce) :=> "iqkOHbaBPnGT6vC73ph89/G3" ; Execution time mean : 1.042166 µs ; Execution time std-deviation : 30.633099 ns ; Execution time lower quantile : 1.009274 µs ( 2.5%) ; Execution time upper quantile : 1.087203 µs (97.5%) See also [Using a nonce with CSP](https://content-security-policy.com/nonce/).
(requires-nonce? f)
True if result of the header-value-fn
requires nonce argument.
True if result of the [[header-value-fn]] requires nonce argument.
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close