HTTP-Promise
lib/HTTP/Promise/Headers.pm
# script-src http://example.com/
Sets or gets the C<Content-Security-Policy> header field value. It takes a string value.
See also L<HTTP::Promise::Headers::ContentSecurityPolicy> for more granular control.
See L<Mozilla documentation|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy>
=head2 content_security_policy_report_only
# Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
Sets or gets the C<Content-Security-Policy-Report-Only> header field value. It takes a string containing a properly formatted header value.
See also L<HTTP::Promise::Headers::ContentSecurityPolicyReportOnly> for more granular control.
=head2 content_type
This sets or gets the C<Content-Type> header value. It takes a string value.
If a value is provided, this will set the header value. If no value is provided, this simply returns the header field value.
lib/HTTP/Promise/Headers/ContentSecurityPolicy.pm
die( HTTP::Promise::Headers::ContentSecurityPolicy->error, "\n" );
=head1 VERSION
v0.1.0
=head1 DESCRIPTION
The following description is taken from Mozilla documentation.
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. Th...
Content-Security-Policy: default-src 'self'
Content-Security-Policy: default-src 'self' trusted.com *.trusted.com
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
Content-Security-Policy: default-src https://onlinebanking.example.com
Content-Security-Policy: default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi
=head1 METHODS
All the methods below follow the same usage. You can pass a value to set it, whatever it is. It is up to you to proceed and set a value according to standards. The value will be added in order. To completely remove a property, simply pass C<undef> as...
lib/HTTP/Promise/Headers/ContentSecurityPolicy.pm
Send a full URL (stripped from parameters) when performing a same-origin or cross-origin request. This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.
=back
=head2 report_to
Fires a SecurityPolicyViolationEvent.
Example:
Report-To: { "group": "csp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" }
             ] },
           { "group": "hpkp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/hpkp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint
=head2 report_uri
Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.
Example:
Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/
Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/ https://dev.example.com/report;
=head2 require_sri_for
Requires the use of SRI for scripts or styles on the page.
Example:
Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
lib/HTTP/Promise/Headers/ContentSecurityPolicyReportOnly.pm
v0.1.0
=head1 DESCRIPTION
The following description is taken from Mozilla documentation.
This class inherits all the methods from L<HTTP::Promise::Headers::ContentSecurityPolicy> and implements the following additional ones.
The CSP L</report_uri> method should be used with this header, otherwise this class will be an expensive no-op interface.
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
=head1 METHODS
=head2 report_uri
This takes a URI where the report will be sent. See L<this Mozilla documentation|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri> for an example PHP script to use to get those reports.
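The JSON violation reports that report-uri delivers by POST, for both the enforcing and the report-only header, reach the collector as untrusted input from browsers. The following is an added example, not code from HTTP::Promise or its author: a collector-side parser and tally using only core JSON::PP. The field names follow the CSP "csp-report" format; the limits, function names and sample bodies are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use JSON::PP ();

# Hypothetical limits and field list for this example; reports are untrusted input.
my( $MAX_BODY, $MAX_FIELD ) = ( 16 * 1024, 256 );
my @FIELDS = qw( document-uri blocked-uri violated-directive effective-directive disposition );

# Returns a hash reference of sanitised fields, or undef when the POST is not a usable report.
sub parse_csp_report {
    my( $content_type, $body ) = @_;
    return unless( defined( $content_type ) && $content_type =~ m{^application/csp-report\s*(?:;|\z)}i );
    return unless( defined( $body ) && length( $body ) <= $MAX_BODY );
    my $doc = eval{ JSON::PP->new->utf8->decode( $body ) };
    return unless( ref( $doc ) eq 'HASH' && ref( $doc->{'csp-report'} ) eq 'HASH' );
    my %out;
    for my $f ( @FIELDS ) {
        my $v = $doc->{'csp-report'}->{ $f };
        next unless( defined( $v ) && !ref( $v ) );
        $v =~ s/[^\x20-\x7E]/?/g;    # keep control characters out of logs
        $out{ $f } = substr( $v, 0, $MAX_FIELD );
    }
    # Older reports lack effective-directive: use the first word of violated-directive.
    $out{'effective-directive'} //= ( split( /\s+/, $out{'violated-directive'} // '' ) )[0];
    return unless( defined( $out{'effective-directive'} ) && defined( $out{'blocked-uri'} ) );
    return( \%out );
}

# Counts violations per "directive<TAB>blocked origin", the view needed during a report-only rollout.
sub summarise {
    my %count;
    for my $post ( @_ ) {
        my $r = parse_csp_report( @$post ) or next;
        my $blocked = $r->{'blocked-uri'};
        # Keep scheme and host only; paths and query strings may carry user data.
        $blocked = $1 if( $blocked =~ m{^([a-z][a-z0-9+.-]*://[^/?#]+)}i );
        $count{ "$r->{'effective-directive'}\t$blocked" }++;
    }
    return( \%count );
}

# Constructed sample POSTs, each [ content type, body ]; the last two must be rejected.
my @posts = (
    [ 'application/csp-report', '{"csp-report":{"document-uri":"https://example.com/","blocked-uri":"http://cdn.example.net/a.js?u=1","violated-directive":"script-src-elem","effective-directive":"script-src-elem","disposition":"report"}}' ],
    [ 'application/csp-report', '{"csp-report":{"document-uri":"https://example.com/","blocked-uri":"inline","violated-directive":"default-src https:"}}' ],
    [ 'application/csp-report', '{"csp-report":"not an object"}' ],
    [ 'text/plain', 'hello' ],
);
my $summary = summarise( @posts );
printf( "%-18s %-26s %d\n", split( /\t/, $_ ), $summary->{ $_ } ) for( sort( keys( %$summary ) ) );
```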
=head1 THREAD-SAFETY
This module is thread-safe for all operations, as it operates on per-object state and uses thread-safe external libraries.
t/13.header_fields.t
{
    use ok( 'HTTP::Promise::Headers::ContentSecurityPolicy' );
    my $str = q{default-src 'self'};
    my $h = HTTP::Promise::Headers::ContentSecurityPolicy->new( $str );
    is( "$h", $str );
    is( $h->default_src, "'self'" );
    $str = q{default-src 'self' trusted.com *.trusted.com};
    $h = HTTP::Promise::Headers::ContentSecurityPolicy->new( $str );
    is( "$h", $str );
    is( $h->default_src, q{'self' trusted.com *.trusted.com} );
    $str = q{base-uri https://example.com/; block-all-mixed-content; child-src https://example.com/ https://dev.example.com/; connect-src https://example.com/; default-src 'self'; font-src https://example.com/; form-action https://example.com/ https:...
    $h = HTTP::Promise::Headers::ContentSecurityPolicy->new( $str );
    is( "$h", $str );
    is( $h->base_uri, 'https://example.com/' );
    is( $h->block_all_mixed_content, 1 );
    is( $h->child_src, 'https://example.com/ https://dev.example.com/' );
    is( $h->connect_src, 'https://example.com/' );
    is( $h->default_src, "'self'" );
    is( $h->font_src, 'https://example.com/' );
    is( $h->form_action, 'https://example.com/ https://dev.example.com/' );
    is( $h->frame_ancestors, 'https://example.com/ https://dev.example.com/' );
    is( $h->frame_src, 'https://example.com/' );
    is( $h->img_src, q{'self' img.example.com} );
    is( $h->manifest_src, 'https://example.com/' );
    is( $h->media_src, 'https://example.com/' );
    is( $h->navigate_to, 'https://example.com/ https://dev.example.com/' );
    is( $h->object_src, 'https://example.com/' );
    is( $h->plugin_types, 'application/x-shockwave-flash' );
    is( $h->prefetch_src, 'https://example.com/' );
    is( $h->referrer, '"no-referrer"' );
    is( $h->report_to, 'csp-endpoint' );
    is( $h->report_uri, '/csp-violation-report-endpoint/ https://dev.example.com/report' );
    is( $h->require_sri_for, 'script style' );
    is( $h->require_trusted_types_for, "'script'" );
    is( $h->sandbox, 1 );
    is( $h->script_src, q{'self' js.example.com} );
    is( $h->script_src_elem, 'https://example.com/' );
    is( $h->script_src_attr, 'https://example.com/' );
    is( $h->style_src, 'https://example.com/' );
    is( $h->style_src_attr, 'https://example.com/' );
    is( $h->style_src_elem, 'https://example.com/' );
    is( $h->trusted_types, 1 );
t/17.serialisation.t
};
if( $@ )
{
fail( "Failed HTTP::Promise::Headers::ContentSecurityPolicy test for CBOR: $@" );
}
# try-catch
local $@;
eval
{
my $policy = HTTP::Promise::Headers::ContentSecurityPolicyReportOnly->new( q{default-src https:; report-uri /csp-violation-report-endpoint/} );
$serial = $cbor->encode( $policy );
my $policy2 = $cbor->decode( $serial );
isa_ok( $policy2 => ['HTTP::Promise::Headers::ContentSecurityPolicyReportOnly'], 'deserialised element is a HTTP::Promise::Headers::ContentSecurityPolicyReportOnly object' );
is( "$policy2" => "$policy", 'HTTP::Promise::Headers::ContentSecurityPolicyReportOnly string matches' );
is( $policy2->default_src => $policy->default_src, 'HTTP::Promise::Headers::ContentSecurityPolicyReportOnly default_src matches' );
is( $policy2->report_uri => $policy->report_uri, 'HTTP::Promise::Headers::ContentSecurityPolicyReportOnly report_uri matches' );
};
if( $@ )
{
fail( "Failed HTTP::Promise::Headers::ContentSecurityPolicyReportOnly test for CBOR: $@" );
t/17.serialisation.t
};
if( $@ )
{
fail( "Failed HTTP::Promise::Headers::ContentSecurityPolicy test for Sereal: $@" );
}
# try-catch
local $@;
eval
{
my $policy = HTTP::Promise::Headers::ContentSecurityPolicyReportOnly->new( q{default-src https:; report-uri /csp-violation-report-endpoint/} );
$serial = $enc->encode( $policy );
my $policy2 = $dec->decode( $serial );
isa_ok( $policy2 => ['HTTP::Promise::Headers::ContentSecurityPolicyReportOnly'], 'deserialised element is a HTTP::Promise::Headers::ContentSecurityPolicyReportOnly object' );
is( "$policy2" => "$policy", 'HTTP::Promise::Headers::ContentSecurityPolicyReportOnly string matches' );
is( $policy2->default_src => $policy->default_src, 'HTTP::Promise::Headers::ContentSecurityPolicyReportOnly default_src matches' );
is( $policy2->report_uri => $policy->report_uri, 'HTTP::Promise::Headers::ContentSecurityPolicyReportOnly report_uri matches' );
};
if( $@ )
{
fail( "Failed HTTP::Promise::Headers::ContentSecurityPolicyReportOnly test for Sereal: $@" );
t/17.serialisation.t
};
if( $@ )
{
fail( "Failed HTTP::Promise::Headers::ContentSecurityPolicy test for Storable: $@" );
}
# try-catch
local $@;
eval
{
my $policy = HTTP::Promise::Headers::ContentSecurityPolicyReportOnly->new( q{default-src https:; report-uri /csp-violation-report-endpoint/} );
$serial = Storable::Improved::freeze( $policy );
my $policy2 = Storable::Improved::thaw( $serial );
isa_ok( $policy2 => ['HTTP::Promise::Headers::ContentSecurityPolicyReportOnly'], 'deserialised element is a HTTP::Promise::Headers::ContentSecurityPolicyReportOnly object' );
is( "$policy2" => "$policy", 'HTTP::Promise::Headers::ContentSecurityPolicyReportOnly string matches' );
is( $policy2->default_src => $policy->default_src, 'HTTP::Promise::Headers::ContentSecurityPolicyReportOnly default_src matches' );
is( $policy2->report_uri => $policy->report_uri, 'HTTP::Promise::Headers::ContentSecurityPolicyReportOnly report_uri matches' );
};
if( $@ )
{
fail( "Failed HTTP::Promise::Headers::ContentSecurityPolicyReportOnly test for Storable: $@" );
t/mime.types
# MIME type (lowercased) Extensions
# ============================================ ==========
# application/1d-interleaved-parityfec
# application/3gpdash-qoe-report+xml
# application/3gpp-ims+xml
# application/a2l
# application/activemessage
# application/alto-costmap+json
# application/alto-costmapfilter+json
# application/alto-directory+json
# application/alto-endpointcost+json
# application/alto-endpointcostparams+json
# application/alto-endpointprop+json
# application/alto-endpointpropparams+json
# application/alto-error+json
# application/alto-networkmap+json
# application/alto-networkmapfilter+json
# application/aml
application/andrew-inset ez
# application/applefile
application/applixware aw
# application/atf
# application/atfx
application/atom+xml atom