const class afSleepSafe::CspGuard
sys::Obj afSleepSafe::CspGuard : afSleepSafe::Guard
Guards against Cross Site Scripting (XSS) by setting a Content-Security-Policy HTTP response header that tells browsers to restrict where content can be loaded from, for example:

Content-Security-Policy: default-src 'self'; font-src 'self' https://fonts.googleapis.com/; object-src 'none'
See https://content-security-policy.com/ and Content-Security-Policy on MDN for details.
By default, SleepSafe sets the following content directives:

Content-Security-Policy: default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; report-uri /_sleepSafeCspViolation;

This essentially locks all content down to that served by the BedSheet server and disables object tags.
SleepSafe also sets up a BedSheet Route (report-uri) that browsers can report violations to. The default implementation logs a pretty-printed version of the report JSON.
The default strategy is a good base to start with; you can then relax the directives as and when you need to. Beware of inline scripts and style tags though, as the default policy disables these as well. See Implementing Content Security Policy for details.
The reporting mechanism is good for development, but you may want to turn it off in production, as browser add-ons can trigger violations and flood your server with reports.
Ioc Configuration
| afIocConfig Key | Value |
|---|---|
| `afSleepSafe.csp.<directive>` | Any config starting with `afSleepSafe.csp.` is turned into a CSP directive, with the config value used as the directive's source list. |
| `afSleepSafe.cspReportOnly` | If `true`, the policy is sent in the `Content-Security-Policy-Report-Only` header instead, so violations are reported but not enforced. |
| `afSleepSafe.cspReportFn` | The reporting function (immutable) that's invoked with the browser's violation JSON. Set to `null` to disable reporting. |
Example:

```fantom
@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    // configure CSP
    config["afSleepSafe.cspReportOnly"] = true
    config["afSleepSafe.cspReportFn"]   = |Str:Obj? reportJson| { echo(reportJson) }.toImmutable

    // set CSP directives
    config["afSleepSafe.csp.default-src"] = "'none'"
    config["afSleepSafe.csp.font-src"]    = "'self' https://fonts.googleapis.com/"
}
```
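To make the directive mechanism concrete, here is an added illustration, written in Python rather than Fantom and not part of SleepSafe itself. It assembles the header from a flat config map using the same `afSleepSafe.csp.*` and `afSleepSafe.cspReportOnly` keys as the table above, treats a `null` directive value as "remove the directive" (as the `report-uri` example further down does), checks whether a given resource URL would be permitted under the resulting policy, and pretty-prints a violation report of the kind a browser posts to `report-uri`. The sample report is constructed, and the source matching is a deliberately simplified version of CSP's host-source rules.

```python
import json
from typing import Dict, List, Optional, Tuple

# Prefix of the guard's directive config keys; the remainder is the directive name.
CSP_KEY_PREFIX = "afSleepSafe.csp."

# The guard's default directives, mirroring the default header quoted in the docs.
DEFAULT_DIRECTIVES = {
    "default-src": "'self'",
    "base-uri": "'self'",
    "form-action": "'self'",
    "frame-ancestors": "'self'",
    "object-src": "'none'",
    "report-uri": "/_sleepSafeCspViolation",
}

# Directives that do NOT fall back to default-src when absent (CSP level 3 rule).
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "report-uri", "sandbox"}


def csp_header(config: Dict[str, object]) -> Optional[Tuple[str, str]]:
    """Return the (header-name, header-value) pair for a flat config map.

    Keys starting with CSP_KEY_PREFIX override the defaults directive by
    directive; a value of None removes the directive. Returns None when no
    directives remain, meaning no CSP header would be sent at all.
    """
    directives = dict(DEFAULT_DIRECTIVES)
    for key, value in config.items():
        if key.startswith(CSP_KEY_PREFIX):
            name = key[len(CSP_KEY_PREFIX):]
            if value is None:
                directives.pop(name, None)
            else:
                directives[name] = str(value)
    if not directives:
        return None
    report_only = bool(config.get("afSleepSafe.cspReportOnly", False))
    header_name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    header_value = "; ".join(f"{name} {value}" for name, value in directives.items())
    return header_name, header_value


def parse_policy(header_value: str) -> Dict[str, List[str]]:
    """Split a header value into {directive-name: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def is_allowed(header_value: str, directive: str, resource_url: str, page_origin: str) -> bool:
    """Decide whether a resource load is permitted by the policy.

    Fetch directives fall back to default-src when absent; the directives in
    NO_FALLBACK are unrestricted when absent. Source matching is simplified:
    'self' means same origin, 'none' blocks everything, and a host source is
    matched by URL prefix (real CSP matches scheme/host/port/path separately).
    """
    policy = parse_policy(header_value)
    if directive in policy:
        sources = policy[directive]
    elif directive in NO_FALLBACK:
        return True
    else:
        sources = policy.get("default-src", [])
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if resource_url == page_origin or resource_url.startswith(page_origin + "/"):
                return True
        elif resource_url.startswith(src):
            return True
    return False


# Constructed sample of a report-uri POST body (browsers wrap it in "csp-report").
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/",
    "violated-directive": "script-src",
    "blocked-uri": "https://cdn.example.net/app.js",
    "original-policy": "default-src 'self'",
}})


def format_violation(report_body: str) -> str:
    """Pretty-print the fields a defender looks at first in a violation report."""
    report = json.loads(report_body).get("csp-report", {})
    lines = ["CSP violation:"]
    for field in ("document-uri", "violated-directive", "blocked-uri"):
        lines.append(f"  {field:<20} {report.get(field, '<missing>')}")
    return "\n".join(lines)


if __name__ == "__main__":
    name, value = csp_header({"afSleepSafe.csp.default-src": "'none'",
                              "afSleepSafe.csp.font-src": "'self' https://fonts.googleapis.com/"})
    print(f"{name}: {value}")
    print(format_violation(SAMPLE_REPORT))
```

Note that with `default-src 'none'` every fetch directive you have not named explicitly (scripts, images, styles) is blocked, which is why the docs suggest starting from the defaults and relaxing directives one at a time; `frame-ancestors`, `base-uri` and `form-action` never inherit from `default-src`, so they must be set on their own.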
To prevent CSP violations from being logged on the server, override the FactoryDefaults by setting either (or both) of the following to null in ApplicationDefaults:

```fantom
config["afSleepSafe.csp.report-uri"] = null
config["afSleepSafe.cspReportFn"]    = null
```
To disable CSP, remove this class from the SleepSafeMiddleware configuration:

```fantom
@Contribute { serviceType=SleepSafeMiddleware# }
Void contributeSleepSafeMiddleware(Configuration config) {
    config.remove(CspGuard#)
}
```