github.com/google/go-safeweb@v0.0.0-20231219055052-64d8cfc90fbb/safehttp/plugins/framing/internalunsafeframing/unsafeframing/unsafeframing.go

github.com/google/go-safeweb@v0.0.0-20231219055052-64d8cfc90fbb/safehttp/plugins/framing/internalunsafeframing/unsafeframing/unsafeframing.go (about)

     1  // Copyright 2022 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //	https://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package unsafeframing can be used to disable Framing protections on specific handler registration.
    16  //
    17  // Usage of this package should require a security review.
    18  package unsafeframing
    19  
    20  import (
    21  	"github.com/google/go-safeweb/safehttp/plugins/framing/internalunsafeframing"
    22  )
    23  
    24  // Disable turns framing protections to report-only where supported, otherwise turns them off.
    25  // If skipReports is true, all protections will be turned completely off.
    26  func Disable(reason string, skipReports bool) internalunsafeframing.Disable {
    27  	if reason == "" {
    28  		panic("reason cannot be empty")
    29  	}
    30  	return internalunsafeframing.Disable{SkipReports: skipReports}
    31  }
    32  
    33  // Allow permits to specify a set of hostnames (with potential wildcards) that will be able to frame the site.
    34  //
    35  // Wildcards must follow the CSP specification:
    36  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors.
    37  //
    38  // If reportOnly is true the policy will be set to Report-Only, which provides not security benefit
    39  // but can be used to detect potential breakages.
    40  //
    41  // Please note that this option is only supported by browsers that support CSP: older browsers
    42  // will end up allowing all origins to frame the site.
    43  // See support table here: https://caniuse.com/mdn-http_headers_csp_content-security-policy_frame-ancestors.
    44  func Allow(reason string, reportOnly bool, hostnames ...string) internalunsafeframing.AllowList {
    45  	if reason == "" {
    46  		panic("reason cannot be empty")
    47  	}
    48  	return internalunsafeframing.AllowList{
    49  		ReportOnly: reportOnly,
    50  		Hostnames:  hostnames,
    51  	}
    52  }