refactor: update type definitions due to @fresh/core update

2025-05-13 13:39:18 +02:00 · 2025-05-13 13:39:18 +02:00 · 84862f05ec
parent d3be31d669
commit 84862f05ec
1 changed files with 116 additions and 5 deletions
--- a/src/csp/mod.ts
+++ b/src/csp/mod.ts
@ -1,10 +1,5 @@
-import type { ContentSecurityPolicyDirectives } from '$fresh/runtime.ts'
 import { getFreshNonce, toSnakeCase } from ':src/utils.ts'

-export type CspRules = ContentSecurityPolicyDirectives & {
-	upgradeInsecureRequests: true
-}
-
 export function applyCspRules(
 	{ headers }: { headers: Headers },
 	rules: CspRules,
@ -50,3 +45,119 @@ export async function applyCspRulesWithNonce(

 	return applyCspRules(response, rules)
 }
+
+export type CspRules = {
+	// Fetch directives
+	/**
+	 * Defines the valid sources for web workers and nested browsing contexts
+	 * loaded using elements such as <frame> and <iframe>.
+	 */
+	childSrc?: string[]
+	/**
+	 * Restricts the URLs which can be loaded using script interfaces.
+	 */
+	connectSrc?: string[]
+	/**
+	 * Serves as a fallback for the other fetch directives.
+	 */
+	defaultSrc?: string[]
+	/**
+	 * Specifies valid sources for fonts loaded using @font-face.
+	 */
+	fontSrc?: string[]
+	/**
+	 * Specifies valid sources for nested browsing contexts loading using elements
+	 * such as <frame> and <iframe>.
+	 */
+	frameSrc?: string[]
+	/**
+	 * Specifies valid sources of images and favicons.
+	 */
+	imgSrc?: string[]
+	/**
+	 * Specifies valid sources of application manifest files.
+	 */
+	manifestSrc?: string[]
+	/**
+	 * Specifies valid sources for loading media using the <audio> , <video> and
+	 * <track> elements.
+	 */
+	mediaSrc?: string[]
+	/**
+	 * Specifies valid sources for the <object>, <embed>, and <applet> elements.
+	 */
+	objectSrc?: string[]
+	/**
+	 * Specifies valid sources to be prefetched or prerendered.
+	 */
+	prefetchSrc?: string[]
+	/**
+	 * Specifies valid sources for JavaScript.
+	 */
+	scriptSrc?: string[]
+	/**
+	 * Specifies valid sources for JavaScript <script> elements.
+	 */
+	scriptSrcElem?: string[]
+	/**
+	 * Specifies valid sources for JavaScript inline event handlers.
+	 */
+	scriptSrcAttr?: string[]
+	/**
+	 * Specifies valid sources for stylesheets.
+	 */
+	styleSrc?: string[]
+	/**
+	 * Specifies valid sources for stylesheets <style> elements and <link>
+	 * elements with rel="stylesheet".
+	 */
+	styleSrcElem?: string[]
+	/**
+	 * Specifies valid sources for inline styles applied to individual DOM
+	 * elements.
+	 */
+	styleSrcAttr?: string[]
+	/**
+	 * Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
+	 */
+	workerSrc?: string[]
+
+	// Document directives
+	/**
+	 * Restricts the URLs which can be used in a document's <base> element.
+	 */
+	baseUri?: string[]
+	/**
+	 * Enables a sandbox for the requested resource similar to the <iframe>
+	 * sandbox attribute.
+	 */
+	sandbox?: string[]
+
+	// Navigation directives
+	/**
+	 * Restricts the URLs which can be used as the target of a form submissions
+	 * from a given context.
+	 */
+	formAction?: string[]
+	/**
+	 * Specifies valid parents that may embed a page using <frame>, <iframe>,
+	 * <object>, <embed>, or <applet>.
+	 */
+	frameAncestors?: string[]
+	/**
+	 * Restricts the URLs to which a document can initiate navigation by any
+	 * means, including <form> (if form-action is not specified), <a>,
+	 * window.location, window.open, etc.
+	 */
+	navigateTo?: string[]
+
+	/**
+	 * The URI to report CSP violations to.
+	 */
+	reportUri?: string
+
+	/**
+	 * Force upgrade request to secure context.
+	 */
+	upgradeInsecureRequests: true
+}