package csp
- Alphabetic
- Public
- All
Type Members
- trait CSPActionBuilder extends ActionBuilder[Request, AnyContent]
This trait is used to give a CSP header to the result for a single action.
This trait is used to give a CSP header to the result for a single action.
To use this in a controller, add something like the following:
class CSPActionController @Inject()(cspAction: CSPActionBuilder, cc: ControllerComponents) extends AbstractController(cc) { def index = cspAction { implicit request => Ok("result containing CSP") } }
- trait CSPComponents extends api.BuiltInComponents
The content security policy components, for compile time dependency injection.
- case class CSPConfig(reportOnly: Boolean = false, shouldFilterRequest: (RequestHeader) => Boolean = _ => true, nonce: CSPNonceConfig = CSPNonceConfig(), hashes: Seq[CSPHashConfig] = Seq.empty, directives: Seq[CSPDirective] = Seq.empty) extends Product with Serializable
CSP Configuration.
CSP Configuration.
- reportOnly
true if the header should be Content-Security-Policy-Report-Only.
- shouldFilterRequest
A function that decides based on the headers of the request if a check is needed.
- nonce
the CSP nonce configuration
- hashes
a list of CSP hashes that can be added to the header
- directives
the CSP directives configuration
- See also
- class CSPConfigProvider extends Provider[CSPConfig]
Provider for Content Security Policy configuration.
Provider for Content Security Policy configuration.
- Annotations
- @Singleton()
- case class CSPDirective(name: String, value: String) extends Product with Serializable
- class CSPFilter extends EssentialFilter
This filter enables the Content-Security-Policy header in Play for all requests.
This filter enables the Content-Security-Policy header in Play for all requests.
Please see the documentation for more information.
- Annotations
- @Singleton()
- case class CSPHashConfig(algorithm: String, hash: String, pattern: String) extends Product with Serializable
CSP Hash Configuration.
CSP Hash Configuration.
- algorithm
the algorithm from https://www.w3.org/TR/CSP3/#grammardef-hash-algorithm
- hash
set to the hash value in configuration
- pattern
the pattern in directives to substitute with hash.
- class CSPModule extends SimpleModule
The content security policy module.
- case class CSPNonceConfig(enabled: Boolean = true, pattern: String = CPSNonceConfig.DEFAULT_CSP_NONCE_PATTERN, header: Boolean = true) extends Product with Serializable
CSP Nonce Configuration.
CSP Nonce Configuration.
- enabled
if true, a nonce is generated in processing
- pattern
the pattern in directives to substitute with nonce, DEFAULT_CSP_NONCE_PATTERN by default.
- header
if true, renders HeaderNames.X_CONTENT_SECURITY_POLICY_NONCE_HEADER
- trait CSPProcessor extends AnyRef
This trait processes a request header for CSP related logic.
- trait CSPReportActionBuilder extends ActionBuilder[Request, ScalaCSPReport]
CSPReportAction exposes CSP content violations according to the CSP reporting spec
CSPReportAction exposes CSP content violations according to the CSP reporting spec
Be warned that Firefox and Chrome handle CSP reports very differently, and Firefox omits fields which are in the specification. As such, many fields are optional to ensure browser compatibility.
To use this in a controller, add something like the following:
class CSPReportController @Inject()(cc: ControllerComponents, cspReportAction: CSPReportActionBuilder) extends AbstractController(cc) { private val logger = org.slf4j.LoggerFactory.getLogger(getClass) private def logReport(report: ScalaCSPReport): Unit = { logger.warn(s"violated-directive: ${report.violatedDirective}, blocked = ${report.blockedUri}, policy = ${report.originalPolicy}") } val report: Action[ScalaCSPReport] = cspReportAction { request => logReport(request.body) Ok("{}").as(JSON) } }
- trait CSPReportBodyParser extends BodyParser[ScalaCSPReport] with BodyParser[JavaCSPReport]
- case class CSPResult(nonce: Option[String], directives: String, reportOnly: Boolean, nonceHeader: Boolean) extends Product with Serializable
- trait CSPResultProcessor extends AnyRef
A result processor that applies a CSPResult to a play request pipeline -- either an ActionBuilder or a Filter.
- class DefaultCSPActionBuilder extends CSPActionBuilder
The default CSPActionBuilder.
The default CSPActionBuilder.
This is useful for runtime dependency injection.
- Annotations
- @Singleton()
- class DefaultCSPProcessor extends CSPProcessor
The default CSP processor.
The default CSP processor. This handles processing of a CSP Nonce and hashes into a Content-Security-Policy series of directives, based off the CSPConfig.
If a request has the attribute RequestAttrKey.CSPNonce, then that nonce is used. Otherwise, a nonce is generated from 16 bytes of SecureRandom.
- class DefaultCSPReportActionBuilder extends ActionBuilderImpl[ScalaCSPReport] with CSPReportActionBuilder
- class DefaultCSPReportBodyParser extends CSPReportBodyParser
- class DefaultCSPResultProcessor extends CSPResultProcessor
This trait is used by CSPActionBuilder and CSPFilter to apply the CSPResult to a Play HTTP result as headers.
This trait is used by CSPActionBuilder and CSPFilter to apply the CSPResult to a Play HTTP result as headers.
Appends as
play.api.http.HeaderNames.CONTENT_SECURITY_POLICY
orplay.api.http.HeaderNames.CONTENT_SECURITY_POLICY_REPORT_ONLY
, depending on config.reportOnly.If
cspResult.nonceHeader
is defined thenplay.api.http.HeaderNames.X_CONTENT_SECURITY_POLICY_NONCE_HEADER
is set as an additional header. - class JavaCSPReport extends AnyRef
- case class ScalaCSPReport(documentUri: String, violatedDirective: String, blockedUri: Option[String] = None, originalPolicy: Option[String] = None, effectiveDirective: Option[String] = None, referrer: Option[String] = None, disposition: Option[String] = None, scriptSample: Option[String] = None, statusCode: Option[Int] = None, sourceFile: Option[String] = None, lineNumber: Option[String] = None, columnNumber: Option[String] = None) extends Product with Serializable
Result of parsing a CSP report.
Value Members
- object CPSNonceConfig
- object CSPActionBuilder
This singleton object contains factory methods for creating new CSPActionBuilders.
This singleton object contains factory methods for creating new CSPActionBuilders.
Useful in compile time dependency injection.
- object CSPConfig extends Serializable
This singleton object contains factory methods to create a CSPConfig instance from configuration.
- object CSPFilter
- object CSPProcessor
- object CSPResultProcessor
- object ScalaCSPReport extends Serializable