Package play.filters.csp

package csp

Type Members

  1. trait CSPActionBuilder extends ActionBuilder[Request, AnyContent]

    This trait is used to give a CSP header to the result for a single action.

    To use this in a controller, add something like the following:

    class CSPActionController @Inject()(cspAction: CSPActionBuilder, cc: ControllerComponents)
        extends AbstractController(cc) {
      // cspAction wraps the action so its result carries the Content-Security-Policy header
      def index = cspAction { implicit request =>
        Ok("result containing CSP")
      }
    }
  2. trait CSPComponents extends api.BuiltInComponents

    The content security policy components, for compile time dependency injection.

  3. case class CSPConfig(reportOnly: Boolean = false, shouldFilterRequest: (RequestHeader) ⇒ Boolean = _ => true, nonce: CSPNonceConfig = CSPNonceConfig(), hashes: Seq[CSPHashConfig] = Seq.empty, directives: Seq[CSPDirective] = Seq.empty) extends Product with Serializable

    CSP Configuration.

    reportOnly: true if the header should be Content-Security-Policy-Report-Only.
    shouldFilterRequest: a function that decides, based on the headers of the request, whether a check is needed.
    nonce: the CSP nonce configuration.
    hashes: a list of CSP hashes that can be added to the header.
    directives: the CSP directives configuration.

    See also: Content Security Policy Level 3

  4. class CSPConfigProvider extends Provider[CSPConfig]

    Provider for Content Security Policy configuration.

    Annotations
    @Singleton()
  5. case class CSPDirective(name: String, value: String) extends Product with Serializable

  6. class CSPFilter extends EssentialFilter

    This filter enables the Content-Security-Policy header in Play for all requests.

    Please see the documentation for more information.

    Annotations
    @Singleton()
  7. case class CSPHashConfig(algorithm: String, hash: String, pattern: String) extends Product with Serializable

    CSP Hash Configuration.

    algorithm: the algorithm from https://www.w3.org/TR/CSP3/#grammardef-hash-algorithm
    hash: set to the hash value in configuration
    pattern: the pattern in directives to substitute with the hash.

  8. class CSPModule extends SimpleModule

    The content security policy module.

  9. case class CSPNonceConfig(enabled: Boolean = true, pattern: String = ..., header: Boolean = true) extends Product with Serializable

    CSP Nonce Configuration.

    enabled: if true, a nonce is generated in processing.
    pattern: the pattern in directives to substitute with the nonce, DEFAULT_CSP_NONCE_PATTERN by default.
    header: if true, renders HeaderNames.X_CONTENT_SECURITY_POLICY_NONCE_HEADER.

  10. trait CSPProcessor extends AnyRef

    This trait processes a request header for CSP related logic.

  11. trait CSPReportActionBuilder extends ActionBuilder[Request, ScalaCSPReport]

    CSPReportAction exposes CSP content violations according to the CSP reporting spec.

    Be warned that Firefox and Chrome handle CSP reports very differently, and Firefox omits fields which are in the specification. As such, many fields are optional to ensure browser compatibility.

    To use this in a controller, add something like the following:

    class CSPReportController @Inject()(cc: ControllerComponents, cspReportAction: CSPReportActionBuilder)
        extends AbstractController(cc) {

      private val logger = org.slf4j.LoggerFactory.getLogger(getClass)

      // The parsed report arrives as the request body (a ScalaCSPReport).
      private def logReport(report: ScalaCSPReport): Unit = {
        logger.warn(s"violated-directive: ${report.violatedDirective}, blocked = ${report.blockedUri}, policy = ${report.originalPolicy}")
      }

      val report: Action[ScalaCSPReport] = cspReportAction { request =>
        logReport(request.body)
        Ok("{}").as(JSON)
      }
    }
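The optional-field point above is easiest to see with two constructed reports, one Chrome-style with most fields present and one Firefox-style with several fields missing. The following is an added example, not Play's own body parser: it assumes play-json is on the classpath, uses a local DemoCSPReport case class that mirrors the optional-field shape of ScalaCSPReport, and reduces each report to one log line that a defender could forward to a log pipeline.

```scala
import play.api.libs.json._
import play.api.libs.functional.syntax._

// Local stand-in with the same optional-field shape as play.filters.csp.ScalaCSPReport
// (illustrative only; the real parsing lives in DefaultCSPReportBodyParser).
final case class DemoCSPReport(
    documentUri: String,
    violatedDirective: String,
    blockedUri: Option[String],
    effectiveDirective: Option[String],
    originalPolicy: Option[String],
    scriptSample: Option[String],
    statusCode: Option[Int]
)

object CSPReportDemo {
  // Browsers wrap the report in a "csp-report" object and use hyphenated keys.
  // readNullable tolerates keys that Firefox omits; only the two fields every
  // browser sends are required.
  implicit val reportReads: Reads[DemoCSPReport] = (
    (__ \ "csp-report" \ "document-uri").read[String] and
      (__ \ "csp-report" \ "violated-directive").read[String] and
      (__ \ "csp-report" \ "blocked-uri").readNullable[String] and
      (__ \ "csp-report" \ "effective-directive").readNullable[String] and
      (__ \ "csp-report" \ "original-policy").readNullable[String] and
      (__ \ "csp-report" \ "script-sample").readNullable[String] and
      (__ \ "csp-report" \ "status-code").readNullable[Int]
  )(DemoCSPReport.apply _)

  // Constructed sample: a Chrome-style report with the optional fields present.
  val chromeStyle: String =
    """{"csp-report":{"document-uri":"https://example.com/page",
      |"referrer":"","violated-directive":"script-src 'self'",
      |"effective-directive":"script-src","original-policy":"default-src 'self'; script-src 'self'",
      |"blocked-uri":"https://cdn.example.net/widget.js","status-code":200}}""".stripMargin

  // Constructed sample: a Firefox-style report that omits several fields.
  val firefoxStyle: String =
    """{"csp-report":{"document-uri":"https://example.com/page",
      |"violated-directive":"script-src","blocked-uri":"inline"}}""".stripMargin

  // Validation errors are returned rather than thrown, so a malformed or hostile
  // report body cannot take the endpoint down.
  def parse(body: String): Either[String, DemoCSPReport] =
    Json.parse(body).validate[DemoCSPReport] match {
      case JsSuccess(report, _) => Right(report)
      case JsError(errors)      => Left(errors.toString)
    }

  // One line per report; absent optional fields are marked explicitly.
  def summarize(report: DemoCSPReport): String =
    s"violated-directive=${report.violatedDirective} blocked=${report.blockedUri.getOrElse("<absent>")} " +
      s"document=${report.documentUri} status=${report.statusCode.map(_.toString).getOrElse("<absent>")}"

  def main(args: Array[String]): Unit =
    Seq(chromeStyle, firefoxStyle).foreach { body =>
      parse(body) match {
        case Right(r)  => println(summarize(r))
        case Left(err) => println(s"rejected malformed report: $err")
      }
    }
}
```

Both constructed reports parse; the Firefox-style one simply yields None for effectiveDirective, originalPolicy and statusCode, which is the compatibility behaviour the trait description asks for.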
  12. trait CSPReportBodyParser extends BodyParser[ScalaCSPReport] with BodyParser[JavaCSPReport]

  13. case class CSPResult(nonce: Option[String], directives: String, reportOnly: Boolean, nonceHeader: Boolean) extends Product with Serializable

  14. trait CSPResultProcessor extends AnyRef

    A result processor that applies a CSPResult to a play request pipeline -- either an ActionBuilder or a Filter.

  15. class DefaultCSPActionBuilder extends CSPActionBuilder

    The default CSPActionBuilder.

    This is useful for runtime dependency injection.

    Annotations
    @Singleton()
  16. class DefaultCSPProcessor extends CSPProcessor

    The default CSP processor. This handles processing of a CSP Nonce and hashes into a Content-Security-Policy series of directives, based off the CSPConfig.

    If a request has the attribute RequestAttrKey.CSPNonce, then that nonce is used. Otherwise, a nonce is generated from 16 bytes of SecureRandom.

  17. class DefaultCSPReportActionBuilder extends ActionBuilderImpl[ScalaCSPReport] with CSPReportActionBuilder

  18. class DefaultCSPReportBodyParser extends CSPReportBodyParser

  19. class DefaultCSPResultProcessor extends CSPResultProcessor

    This trait is used by CSPActionBuilder and CSPFilter to apply the CSPResult to a Play HTTP result as headers.

    Appends as play.api.http.HeaderNames.CONTENT_SECURITY_POLICY or play.api.http.HeaderNames.CONTENT_SECURITY_POLICY_REPORT_ONLY, depending on config.reportOnly.

    If cspResult.nonceHeader is defined then play.api.http.HeaderNames.X_CONTENT_SECURITY_POLICY_NONCE_HEADER is set as an additional header.
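The two descriptions of DefaultCSPProcessor (nonce and hash substitution into the directives) and DefaultCSPResultProcessor (choosing the enforcing or report-only header and the optional nonce header) are shown end to end below. This is an added, self-contained example and not Play's own implementation: it uses local stand-ins with the same field shapes as CSPConfig, CSPNonceConfig, CSPHashConfig, CSPDirective and CSPResult (shouldFilterRequest is left out), assumes the default nonce pattern is the literal string %CSP_NONCE_PATTERN%, assumes the nonce is base64-encoded and rendered as 'nonce-...' and each hash as 'sha256-...' per the CSP3 grammar, and assumes the header names Content-Security-Policy, Content-Security-Policy-Report-Only and X-Content-Security-Policy-Nonce behind the HeaderNames constants. The hash config name %CSP_MYSCRIPT_HASH% and the inline script are constructed for the demo.

```scala
import java.security.{MessageDigest, SecureRandom}
import java.util.Base64

// Local stand-ins mirroring the field shapes of the page's case classes
// (illustrative only; not Play's own code, and shouldFilterRequest is left out).
final case class CSPNonceConfig(enabled: Boolean = true, pattern: String = "%CSP_NONCE_PATTERN%", header: Boolean = true)
final case class CSPHashConfig(algorithm: String, hash: String, pattern: String)
final case class CSPDirective(name: String, value: String)
final case class CSPConfig(
    reportOnly: Boolean = false,
    nonce: CSPNonceConfig = CSPNonceConfig(),
    hashes: Seq[CSPHashConfig] = Seq.empty,
    directives: Seq[CSPDirective] = Seq.empty
)
final case class CSPResult(nonce: Option[String], directives: String, reportOnly: Boolean, nonceHeader: Boolean)

object CSPHeaderDemo {
  // Nonce from 16 bytes of SecureRandom, as the page describes; base64 is assumed
  // because the CSP3 grammar requires a base64-value after "nonce-".
  def generateNonce(random: SecureRandom = new SecureRandom()): String = {
    val bytes = new Array[Byte](16)
    random.nextBytes(bytes)
    Base64.getEncoder.encodeToString(bytes)
  }

  // Hash source for an inline script: SHA-256 over the exact script text, base64-encoded.
  def scriptHash(script: String): String =
    Base64.getEncoder.encodeToString(MessageDigest.getInstance("SHA-256").digest(script.getBytes("UTF-8")))

  // Substitute the nonce pattern and every hash pattern into the directive values,
  // then join the directives into one policy string. An existing nonce (the page's
  // RequestAttrKey.CSPNonce case) is reused; otherwise a fresh one is generated.
  def process(config: CSPConfig, existingNonce: Option[String] = None): CSPResult = {
    val nonce: Option[String] =
      if (config.nonce.enabled) Some(existingNonce.getOrElse(generateNonce())) else None

    val policy = config.directives.map { d =>
      val withNonce = nonce.fold(d.value)(n => d.value.replace(config.nonce.pattern, s"'nonce-$n'"))
      val withHashes = config.hashes.foldLeft(withNonce) { (acc, h) =>
        acc.replace(h.pattern, s"'${h.algorithm}-${h.hash}'")
      }
      s"${d.name} $withHashes"
    }.mkString("; ")

    CSPResult(nonce, policy, config.reportOnly, config.nonce.header)
  }

  // Header selection as described for DefaultCSPResultProcessor. The header names are
  // assumed to be the values behind Play's HeaderNames constants.
  def headers(result: CSPResult): Seq[(String, String)] = {
    val policyHeader =
      if (result.reportOnly) "Content-Security-Policy-Report-Only" else "Content-Security-Policy"
    val nonceHeader =
      result.nonce.filter(_ => result.nonceHeader).map(n => "X-Content-Security-Policy-Nonce" -> n)
    Seq(policyHeader -> result.directives) ++ nonceHeader
  }

  def main(args: Array[String]): Unit = {
    val inlineScript = "console.log('hello');" // constructed sample inline script
    val config = CSPConfig(
      reportOnly = true,
      hashes = Seq(CSPHashConfig("sha256", scriptHash(inlineScript), "%CSP_MYSCRIPT_HASH%")),
      directives = Seq(
        CSPDirective("default-src", "'self'"),
        CSPDirective("script-src", "%CSP_NONCE_PATTERN% %CSP_MYSCRIPT_HASH% 'strict-dynamic'"),
        CSPDirective("object-src", "'none'")
      )
    )
    // A fixed nonce makes the output reproducible; in a real request it comes from the pipeline.
    val result = process(config, existingNonce = Some("demoNonceValue"))
    headers(result).foreach { case (name, value) => println(s"$name: $value") }
  }
}
```

Running main prints a Content-Security-Policy-Report-Only header whose script-src carries 'nonce-demoNonceValue' and the 'sha256-...' source for the inline script, followed by the X-Content-Security-Policy-Nonce header; switching reportOnly to false yields the enforcing header name instead, and setting header = false in CSPNonceConfig drops the nonce header while the nonce still appears in the policy.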

  20. class JavaCSPReport extends AnyRef

  21. case class ScalaCSPReport(documentUri: String, violatedDirective: String, blockedUri: Option[String] = None, originalPolicy: Option[String] = None, effectiveDirective: Option[String] = None, referrer: Option[String] = None, disposition: Option[String] = None, scriptSample: Option[String] = None, statusCode: Option[Int] = None, sourceFile: Option[String] = None, lineNumber: Option[String] = None, columnNumber: Option[String] = None) extends Product with Serializable

    Result of parsing a CSP report.

Value Members

  1. object CPSNonceConfig

  2. object CSPActionBuilder

    This singleton object contains factory methods for creating new CSPActionBuilders.

    Useful in compile time dependency injection.

  3. object CSPConfig extends Serializable

    This singleton object contains factory methods to create a CSPConfig instance from configuration.

  4. object CSPFilter

  5. object CSPProcessor

  6. object CSPResultProcessor

  7. object ScalaCSPReport extends Serializable