csp.ts

Declarations

29 declarations

COLOR_SCHEME_SCRIPT_HASH

create_csp_directives

(options?: CreateCspDirectivesOptions): CspDirectives

This is designed for compatibility with SvelteKit and maps to the KitConfig directives option. The goal is to provide an ergonomic, modern, and safe API for Content Security Policy (CSP) creation that's simple to write and audit, and isn't error-prone.

Things like validation and rendering to a string are out of scope and left to SvelteKit.

options

default {}

returns

CspDirectives

CreateCspDirectivesOptions

directives

Override or transform specific directives. Returning null or undefined from a transform function will remove the directive.

type {
  [K in CspDirective]?:
    | CspDirectiveValue<K> // Static value replacement
    | null // Removes the directive
    // Transform function returning one of the previous types
    | ((value: CspDirectiveValue<K>) => CspDirectiveValue<K> | null);
}

trusted_sources

Sources to include based on their trust levels.

type Array<CspSourceSpec>

value_defaults

Override default values for specific directives, merging with value_defaults_base (or replacing if that directive is null in the base).

type Partial<typeof csp_directive_value_defaults>

value_defaults_base

Base values for directive defaults. Set to null or {} to start with no defaults. Defaults to csp_directive_value_defaults.

type Partial<typeof csp_directive_value_defaults> | null

required_trust_defaults

Override trust requirements for specific directives, merging with required_trust_defaults_base (or replacing if that directive is null in the base).

type Partial<typeof csp_directive_required_trust_defaults>

required_trust_defaults_base

Base values for directive trust requirements. Set to null or {} to start with no trust requirements. Defaults to csp_directive_required_trust_defaults.

type Partial<typeof csp_directive_required_trust_defaults> | null

csp_directive_required_trust_defaults

Record<keyof CspDirectives, "low" | "medium" | "high" | null>

Sources that meet this trust requirement are included for it by default. If null, no trusted sources are added to the directive automatically. Directives that don't support sources or default to ['none'] are null.

Feedback is welcome; please see the issues: https://github.com/ryanatkn/fuz/issues

csp_directive_spec_by_name

csp_directive_specs

csp_directive_value_defaults

Record<keyof CspDirectives, boolean | (CspSource | CspActionSource)[] | CspSources | CspFrameSource[] | string[] | "script"[] | ("allow-downloads-without-user-activation" | ... 11 more ... | "allow-top-navigation-by-user-activation")[] | null>

The base CSP directive defaults. Prioritizes safety but loosens around media and styles, relying on defense-in-depth. Customizable via CreateCspDirectivesOptions.defaults.

csp_trust_level_value

Record<"low" | "medium" | "high", number | undefined>

Numeric values for CSP trust levels, csp_trust_levels. Lower is less trusted. Includes undefined in the type for safety.

csp_trust_levels

CspActionSource

CspBaseSource

CspCryptoSource

`nonce-${string}` | `sha256-${string}` | `sha384-${string}` | `sha512-${string}`

CspDirective

CspDirectives

sandbox

type Array<
  | 'allow-downloads-without-user-activation'
  | 'allow-forms'
  | 'allow-modals'
  | 'allow-orientation-lock'
  | 'allow-pointer-lock'
  | 'allow-popups'
  | 'allow-popups-to-escape-sandbox'
  | 'allow-presentation'
  | 'allow-same-origin'
  | 'allow-scripts'
  | 'allow-storage-access-by-user-activation'
  | 'allow-top-navigation'
  | 'allow-top-navigation-by-user-activation'
>

CspDirectiveSpec

CspDirectiveValue

CspFrameSource

CspHostNameScheme

CspHostProtocolSchemes

CspHostSource

`${string}.${string}` | "localhost" | `${string}.${string}:${number}` | `${string}.${string}:*` | `localhost:${number}` | "localhost:*" | `${string}://${string}.${string}` | `${string}://${string}.${string}:${number}` | `${string}://${string}.${string}:*` | `${string}://localhost` | `${string}://localhost:${number}`...

CspPortScheme

CspSchemeSource

CspSource

CspSources

CspSourceSpec

CspTrustLevel

"low" | "medium" | "high"

Trust levels for CSP sources.

With the base defaults, trust levels roughly correspond to:

- low – Passive resources only (no script execution, no styling or UI control). Examples: img-src, font-src.
- medium – Content that may affect layout, styling, or embed external browsing contexts, but cannot directly run code in the page's JS execution environment or perform other high-risk actions. Examples: style-src, frame-src, frame-ancestors.
- high – Sources that can execute code in the page's context or open powerful network channels. Examples: script-src, connect-src, child-src.
- null – No trust. This is used for directives that don't support sources.

is_csp_trusted

(required_trust: "low" | "medium" | "high" | null | undefined, granted_trust: "low" | "medium" | "high" | null | undefined): boolean

Determines if a granted trust level is sufficient to satisfy a required trust level.

Trust levels have the following hierarchy:

- 'high' sources can be used in high, medium, and low trust directives (highest privilege)
- 'medium' sources can be used in medium and low trust directives
- 'low' sources can only be used in low trust directives (lowest privilege)

required_trust

type "low" | "medium" | "high" | null | undefined

granted_trust

type "low" | "medium" | "high" | null | undefined

returns

boolean
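The following is an added example, not code from fuz's csp.ts: it models the pipeline that CreateCspDirectivesOptions and is_csp_trusted together describe (value defaults, trusted sources admitted per directive by trust level, then the directives overrides). The numeric ranking, the sample defaults, the required-trust table and the helper names are assumptions made for this illustration.

```typescript
// Added illustration, not fuz's own code: models the documented pipeline of value defaults,
// trusted sources admitted per directive by trust level, then per-directive overrides.
// The numeric ranking, sample defaults and helper names are assumptions for this example.
type Trust = 'low' | 'medium' | 'high';
type Directives = Record<string, string[] | null>;
// Mirrors the documented override shape: static value, null (remove), or transform function.
type Override = string[] | null | ((value: string[]) => string[] | null);

const RANK: Record<Trust, number> = { low: 1, medium: 2, high: 3 }; // lower is less trusted

// A granted level satisfies a requirement when it ranks at least as high.
// A null/undefined requirement (directive takes no sources) or grant never satisfies.
function trust_satisfies(required: Trust | null | undefined, granted: Trust | null | undefined): boolean {
  if (required == null || granted == null) return false;
  return RANK[granted] >= RANK[required];
}

// Constructed sample defaults (assumption), following the page's safety-first description.
const VALUE_DEFAULTS: Directives = {
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
};
// Constructed required trust per directive; a 'none' directive takes no sources, so null.
const REQUIRED_TRUST: Record<string, Trust | null> = {
  'script-src': 'high', 'style-src': 'medium', 'img-src': 'low', 'object-src': null,
};

interface SourceSpec { source: string; trust: Trust }

function build_directives(trusted: SourceSpec[], overrides: Record<string, Override> = {}): Directives {
  const out: Directives = {};
  for (const [name, base] of Object.entries(VALUE_DEFAULTS)) {
    if (base === null) continue; // a null default means the directive is absent
    const admitted = trusted
      .filter((s) => trust_satisfies(REQUIRED_TRUST[name], s.trust))
      .map((s) => s.source);
    out[name] = [...base, ...admitted];
  }
  for (const [name, override] of Object.entries(overrides)) {
    const value = typeof override === 'function' ? override(out[name] ?? []) : override;
    if (value == null) delete out[name]; // null from a static value or transform removes it
    else out[name] = value;
  }
  return out;
}
```

Note that a high-trust source lands in every directive whose requirement it meets, so granting 'high' to a CDN admits it to script-src, style-src and img-src at once; grant the lowest level a source actually needs.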

parse_csp_directive

(directive: unknown): keyof CspDirectives | null

directive

type unknown

returns

keyof CspDirectives | null

parse_csp_trust_level

(trust: unknown): "low" | "medium" | "high" | null

Validates and extracts a CSP trust level from an unknown value.

trust

type unknown

returns

"low" | "medium" | "high" | null