csp: Construct settings for the 'Content-Security-Policy' header
In firesafety: A Collection of Security Related Plugins for 'fiery'

View source: R/SecurityHeaders_helpers.R

csp	R Documentation

Construct settings for the `Content-Security-Policy` header

Description

This helper function exists mainly to document the possible values and prevent misspelled directives. It returns a bare list. See the header reference and the CSP section of the MDN security guide for more information on the header

Usage

csp(
  default_src = NULL,
  script_src = NULL,
  script_src_elem = NULL,
  script_src_attr = NULL,
  style_src = NULL,
  style_src_elem = NULL,
  style_src_attr = NULL,
  img_src = NULL,
  font_src = NULL,
  media_src = NULL,
  object_src = NULL,
  child_src = NULL,
  frame_src = NULL,
  worker_src = NULL,
  connect_src = NULL,
  fenced_frame_src = NULL,
  manifest_src = NULL,
  prefetch_src = NULL,
  base_uri = NULL,
  sandbox = FALSE,
  form_action = NULL,
  frame_ancestors = NULL,
  report_to = NULL,
  require_trusted_types_for = FALSE,
  trusted_types = NULL,
  upgrade_insecure_requests = FALSE
)

Arguments

`default_src`	Fallback for all other `⁠*_src⁠` values
`script_src`	Fallback for `⁠script_src_*⁠` values
`script_src_elem`	Valid sources for `⁠<script>⁠` elements
`script_src_attr`	Valid sources for inline event handlers
`style_src`	Fallback for `⁠style_src_*⁠` values
`style_src_elem`	Valid sources for `⁠<style>⁠` elements
`style_src_attr`	Valid sources for inline styling of elements
`img_src`	Valid sources for images and favicons
`font_src`	Valid sources for fonts loaded with `⁠@font-face⁠`
`media_src`	Valid sources for `⁠<audio>⁠`, `⁠<video>⁠`, and `⁠<track>⁠` elements
`object_src`	Valid sources for `⁠<object>⁠` and `⁠<embed>⁠` elements
`child_src`	Fallback for `frame_src` and `worker_src`
`frame_src`	Valid sources for `⁠<frame>⁠` and `⁠<iframe>⁠` elements
`worker_src`	Valid sources for `Worker`, `SharedWorker`, and `ServiceWorker` scripts
`connect_src`	Valid sources for URLs loaded from within scripts
`fenced_frame_src`	Valid sources for `⁠<fencedframe>⁠` elements
`manifest_src`	Valid sources for application manifest files
`prefetch_src`	Valid sources to be prefetched and prerendered
`base_uri`	Valid sources that can be put in a `⁠<base>⁠` element
`sandbox`	Logical. Enable sandboxing of the requested document/ressource
`form_action`	Valid URLs to be targeted by form submissions
`frame_ancestors`	Valid parents that may embed this document in an `⁠<frame>⁠`, `⁠<iframe>⁠`, `⁠<object>⁠`, or `⁠<embed>⁠` element.
`report_to`	A URL to report violations to. Setting this will also add a `report-uri` directive along with a `Reporting-Endpoints` header for maximum compitability.
`require_trusted_types_for`	Logical. Enforces Trusted Types
`trusted_types`	Specifies an allow list of Trusted Types
`upgrade_insecure_requests`	Logical. Automatically treat all HTTP urls in the document as if they were HTTPS

Value

A bare list with the input arguments

Examples

# Default setting
csp(
  default_src = "self",
  script_src = "self",
  script_src_attr = "none",
  style_src = c("self", "https:", "unsafe-inline"),
  img_src = c("self", "data:"),
  font_src = c("self", "https:", "data:"),
  object_src = "none",
  base_uri = "self",
  form_action = "self",
  frame_ancestors = "self",
  upgrade_insecure_requests = TRUE
)

firesafety documentation built on Sept. 10, 2025, 10:27 a.m.