Skip to content

Parser and evaluator for Content Security Policy directives.

License

Notifications You must be signed in to change notification settings

northwood-labs/csp-parser

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CSP Parser and Evaluator in Go

The goal of this project is to be able to take a URL and one or more CSP headers, understand them correctly, and ultimately be able to provide education and actionable feedback for ensuring the CSP policy provides the appropriate and intended level of security. This is the underlying library intended to make that ultimate goal possible.

This code is not a web browser, so the parts of the spec about "blocking networking requests" aren't relevant. However, calling this out as what a web browser would do can be helpful.

You should consider web.dev: Content security policy required reading for understanding CSP.

  • See the wiki for CSP implementation guidance, errors you might encounter (and why), and other details.
  • See the issues for a list of things that are still outstanding.

Maturity

Implements parsing and evaluation for CSP2 (2016) and the CSP3 working draft (June 2024).

  • Make it work.
  • Make it right. (In-progress)
  • Make it fast.

Caution

The core implementation is in-place, and most CSP directives are being parsed correctly. Both the parser (parses the policy into an tree structure) and the evaluator (looks across the tree nodes for issues) will return errors, although the evaluator has not yet been started. Only a single policy at a time is supported. Parsing multiple policies at a time has not yet been started.

PUBLIC INTERFACES ARE NOT YET STABLE.