deno.land / x / fresh@1.1.1 / src / runtime / csp.ts

import { createContext } from "preact";import { useContext } from "preact/hooks";
// CSP source-expression keywords. The inner single quotes are part of each
// value: without them a policy parser reads the word as a host name.

/** Matches the document's own origin (same scheme, host and port). */
export const SELF = "'self'";

/**
 * Permits inline `<script>`/`<style>` content and inline event handlers.
 * Adding it to a script directive gives up most of the XSS protection that
 * directive provides; browsers ignore it when the same directive also carries
 * a nonce or hash source.
 */
export const UNSAFE_INLINE = "'unsafe-inline'";

/** Permits string-to-code APIs such as `eval()` and `new Function()`. */
export const UNSAFE_EVAL = "'unsafe-eval'";

/**
 * Lets hash sources in the same directive also match inline event handlers
 * and `style` attributes, not only `<script>`/`<style>` elements.
 */
export const UNSAFE_HASHES = "'unsafe-hashes'";

/** Matches nothing. Only takes effect when it is the sole entry of a directive. */
export const NONE = "'none'";

/**
 * Extends the trust given to a nonce- or hash-approved script to the scripts
 * it loads. Supporting browsers then ignore host allow-list entries and
 * `'self'` in that directive.
 */
export const STRICT_DYNAMIC = "'strict-dynamic'";
/**
 * Builds the quoted `'nonce-<value>'` source expression for a CSP directive.
 *
 * `val` is placed into the expression as-is; this function neither validates
 * nor encodes it. Callers should pass a base64 value generated from a
 * cryptographically secure random source, fresh for every response: a reused
 * or guessable nonce no longer distinguishes trusted markup from injected
 * markup, and whitespace, `;` or `'` inside `val` would change how the
 * resulting policy string is parsed.
 *
 * @param val Nonce value without quotes or the `nonce-` prefix.
 * @returns The source expression, e.g. `'nonce-abc123'` for `abc123`.
 */
export function nonce(val: string): string {
  const prefix = "'nonce-";
  const closingQuote = "'";
  return prefix.concat(val, closingQuote);
}
/**
 * In-memory form of a Content Security Policy: the directive values plus a
 * flag for report-only mode. The code that turns this object into a response
 * header is not part of this file.
 */
export interface ContentSecurityPolicy {
  /** Directive values that make up the policy. */
  directives: ContentSecurityPolicyDirectives;
  // NOTE(review): presumably selects delivery via the
  // Content-Security-Policy-Report-Only header, in which case violations are
  // reported but nothing is blocked. Confirm against the header-emitting code.
  reportOnly: boolean;
}
/**
 * Directive values of a Content Security Policy, grouped as fetch, document,
 * navigation and reporting directives. Property names follow the CSP directive
 * names in camelCase; every property is optional. How the values are
 * serialised into a header is not defined in this file.
 */
export interface ContentSecurityPolicyDirectives {
  // Fetch directives
  /**
   * Defines the valid sources for web workers and nested browsing contexts
   * loaded using elements such as <frame> and <iframe>.
   */
  childSrc?: string[];
  /**
   * Restricts the URLs which can be loaded using script interfaces
   * (for example fetch, XMLHttpRequest, WebSocket and EventSource).
   */
  connectSrc?: string[];
  /**
   * Serves as a fallback for the other fetch directives. It is not a fallback
   * for `baseUri`, `formAction` or `frameAncestors`; set those explicitly.
   */
  defaultSrc?: string[];
  /**
   * Specifies valid sources for fonts loaded using @font-face.
   */
  fontSrc?: string[];
  /**
   * Specifies valid sources for nested browsing contexts loaded using elements
   * such as <frame> and <iframe>.
   */
  frameSrc?: string[];
  /**
   * Specifies valid sources of images and favicons.
   */
  imgSrc?: string[];
  /**
   * Specifies valid sources of application manifest files.
   */
  manifestSrc?: string[];
  /**
   * Specifies valid sources for loading media using the <audio>, <video> and
   * <track> elements.
   */
  mediaSrc?: string[];
  /**
   * Specifies valid sources for the <object>, <embed>, and <applet> elements.
   * Pages that do not use plugins commonly set this to `'none'`.
   */
  objectSrc?: string[];
  /**
   * Specifies valid sources to be prefetched or prerendered.
   * NOTE(review): browser support for this directive is limited; verify before
   * relying on it.
   */
  prefetchSrc?: string[];
  /**
   * Specifies valid sources for JavaScript.
   */
  scriptSrc?: string[];
  /**
   * Specifies valid sources for JavaScript <script> elements.
   */
  scriptSrcElem?: string[];
  /**
   * Specifies valid sources for JavaScript inline event handlers.
   */
  scriptSrcAttr?: string[];
  /**
   * Specifies valid sources for stylesheets.
   */
  styleSrc?: string[];
  /**
   * Specifies valid sources for stylesheet <style> elements and <link>
   * elements with rel="stylesheet".
   */
  styleSrcElem?: string[];
  /**
   * Specifies valid sources for inline styles applied to individual DOM
   * elements.
   */
  styleSrcAttr?: string[];
  /**
   * Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
   */
  workerSrc?: string[];

  // Document directives
  /**
   * Restricts the URLs which can be used in a document's <base> element.
   * Leaving it unset lets an injected <base> redirect relative URLs.
   */
  baseUri?: string[];
  /**
   * Enables a sandbox for the requested resource similar to the <iframe>
   * sandbox attribute.
   */
  sandbox?: string[];

  // Navigation directives
  /**
   * Restricts the URLs which can be used as the target of a form submission
   * from a given context.
   */
  formAction?: string[];
  /**
   * Specifies valid parents that may embed a page using <frame>, <iframe>,
   * <object>, <embed>, or <applet>.
   */
  frameAncestors?: string[];
  /**
   * Restricts the URLs to which a document can initiate navigation by any
   * means, including <form> (if form-action is not specified), <a>,
   * window.location, window.open, etc.
   * NOTE(review): browser support for this directive is doubtful; verify
   * before relying on it.
   */
  navigateTo?: string[];

  // Reporting directives
  /**
   * The URI to report CSP violations to. Reports are produced by the visiting
   * browser, so the receiving endpoint should treat their contents as
   * untrusted input.
   */
  reportUri?: string;
}
/**
 * Preact context that carries the ContentSecurityPolicy object, if there is
 * one. The default value is `undefined`, so a consumer rendered without a
 * provider sees no policy.
 */
export const CSP_CONTEXT = createContext<ContentSecurityPolicy | undefined>(
  undefined,
);
/**
 * Hook that passes the policy found in `CSP_CONTEXT` to `mutator` so it can be
 * edited in place.
 *
 * The mutator receives the same object the context holds, not a copy, so its
 * changes are visible to anything that reads that object afterwards. When the
 * context holds no policy the mutator is not called and no error is raised;
 * a component therefore cannot use this hook to confirm that a policy is in
 * force. Mutators that add sources such as `UNSAFE_INLINE` or broad hosts
 * relax the shared policy and deserve review.
 *
 * @param mutator Callback that modifies the policy object it is given.
 */
export function useCSP(mutator: (csp: ContentSecurityPolicy) => void): void {
  const policy = useContext(CSP_CONTEXT);
  if (!policy) {
    // No policy in context: skip the mutator silently.
    return;
  }
  mutator(policy);
}