Ryan Parman edited this page Jun 14, 2024 · 8 revisions

Overview

CSP Parser and Evaluator in Go is a CLI tool and library that parses a Content-Security-Policy value, evaluates it, and provides actionable feedback on how to improve it. There is further tooling and reporting we want to build on top of it in the future, but a solid parser/evaluator is the first step. Ideas so far:

  • Web interface for evaluating a CSP policy?
  • CSP generator from a sitemap?
  • CSP policy modernizer?
  • Receiver of CSP violation reports?

See the sidebar for more detailed information and recommendations.

References

Errors

Parser and evaluator configuration

  • CSP-0001 — [INFO] currentURL is empty, so validation of 'self' sources is disabled
  • CSP-0002 — [INFO] reportingEndpointsHeader is empty, so validation of report-to is disabled

Source expressions

  • CSP-0100 — [ERROR] directive %s has an invalid value %s

Ancestor expressions

  • CSP-0200 — [ERROR] directive %s has an invalid value %s

Plugin types

  • CSP-0300 — [ERROR] directive %s has an invalid value %s

Reporting URLs

  • CSP-0400 — [ERROR] directive %s has an invalid value %s
  • CSP-0401 — [ERROR] directive %s: could not parse as a URL: %s
  • CSP-0402 — [ERROR] directive %s: URL %s is missing a SCHEME, which is required
  • CSP-0403 — [ERROR] directive %s: URL %s includes a FRAGMENT, which is disallowed

Report-To directive and Reporting Endpoints header

  • CSP-0501 — [ERROR] directive report-to may only have a single value
  • CSP-0502 — [ERROR] directive %s refers to undefined reporting endpoint %s
  • CSP-0510 — [ERROR] token-pair %s does not contain an = character
  • CSP-0511 — [ERROR] %s appears to be missing a comma between token-pairs
  • CSP-0512 — [ERROR] token-pair %s is missing either a key or value
  • CSP-0513 — [ERROR] token-pair %s is missing a key
  • CSP-0514 — [ERROR] token-pair %s has a key with invalid characters
  • CSP-0515 — [ERROR] token-pair %s is missing a URL
  • CSP-0516 — [ERROR] token-pair %s URL is not enclosed in double quotes
  • CSP-0517 — [ERROR] token-pair %s URL is not a valid URL

WebRTC

  • CSP-0600 — [ERROR] directive %s has an invalid value %s
  • CSP-0601 — [ERROR] directive webrtc may only have a single value

Sandboxing

  • CSP-0700 — [ERROR] directive %s has an invalid value %s

Deprecations and obsoletions

  • CSP-0801 — [ERROR] directive block-all-mixed-content is obsolete; use upgrade-insecure-requests instead
  • CSP-0802 — [ERROR] directive child-src is deprecated; use frame-src and/or worker-src instead
  • CSP-0803 — [ERROR] directive %s was experimental in CSP3, but should now be removed from CSP policies
  • CSP-0804 — [ERROR] directive plugin-types is obsolete; remove this directive from the policy
  • CSP-0805 — [WARN] directive report-uri is valid in CSP2, but will be deprecated in CSP3

Miscellaneous

  • CSP-0901 — [ERROR] unknown directive %s
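
The checks listed above can be exercised end to end with a small evaluator. The following Go program is an added example written for this page; it is not the project's own code and does not reflect its API. It reuses the error codes and messages from the lists above but implements its own simplified parsing of a Reporting-Endpoints header and a CSP value, covering the token-pair checks (CSP-0510 to CSP-0517), the report-to cross-check (CSP-0002, CSP-0502), the report-uri URL checks (CSP-0401 to CSP-0403, CSP-0805) and unknown directives (CSP-0901). The function names, the short directive allow-list and the sample headers are assumptions made for the example; the hostnames in the samples are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Finding is one diagnostic; codes reuse this page's numbering, the checks are this example's own.
type Finding struct{ Code, Level, Message string }

func finding(code, level, format string, args ...any) Finding {
	return Finding{code, level, fmt.Sprintf(format, args...)}
}

// Directives accepted without further checks: a short list assumed for this example.
var knownDirectives = map[string]bool{
	"default-src": true, "script-src": true, "style-src": true, "img-src": true, "connect-src": true, "object-src": true,
	"frame-src": true, "worker-src": true, "frame-ancestors": true, "base-uri": true, "form-action": true, "sandbox": true,
	"upgrade-insecure-requests": true,
}

// ParseReportingEndpoints turns a Reporting-Endpoints header value (comma-separated
// name="https://..." token-pairs) into a name -> URL map, reporting CSP-051x problems.
func ParseReportingEndpoints(header string) (map[string]string, []Finding) {
	endpoints := map[string]string{}
	var out []Finding
	for _, pair := range strings.Split(header, ",") {
		pair = strings.TrimSpace(pair)
		key, val, ok := strings.Cut(pair, "=")
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch {
		case pair == "": // a trailing comma leaves an empty pair; nothing to check
		case !ok:
			out = append(out, finding("CSP-0510", "ERROR", "token-pair %s does not contain an = character", pair))
		case key == "" || val == "":
			out = append(out, finding("CSP-0512", "ERROR", "token-pair %s is missing either a key or value", pair))
		case val[0] != '"' || !strings.Contains(val[1:], `"`):
			out = append(out, finding("CSP-0516", "ERROR", "token-pair %s URL is not enclosed in double quotes", pair))
		default:
			end := strings.IndexByte(val[1:], '"') + 1 // position of the closing quote
			if rest := strings.TrimSpace(val[end+1:]); rest != "" { // text after it: the next pair ran into this one
				out = append(out, finding("CSP-0511", "ERROR", "%s appears to be missing a comma between token-pairs", pair))
			} else if u, err := url.Parse(val[1:end]); err != nil || u.Scheme == "" || u.Host == "" {
				out = append(out, finding("CSP-0517", "ERROR", "token-pair %s URL is not a valid URL", pair))
			} else {
				endpoints[key] = val[1:end]
			}
		}
	}
	return endpoints, out
}

// EvaluateCSP splits a Content-Security-Policy value on ';' and checks each directive.
// endpoints comes from ParseReportingEndpoints; nil means no Reporting-Endpoints header was sent.
func EvaluateCSP(policy string, endpoints map[string]string) []Finding {
	var out []Finding
	if endpoints == nil {
		out = append(out, finding("CSP-0002", "INFO", "reportingEndpointsHeader is empty, so validation of report-to is disabled"))
	}
	for _, directive := range strings.Split(policy, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue
		}
		name, values := strings.ToLower(fields[0]), fields[1:]
		switch name {
		case "report-to":
			if len(values) == 1 && endpoints != nil && endpoints[values[0]] == "" {
				out = append(out, finding("CSP-0502", "ERROR", "directive %s refers to undefined reporting endpoint %s", name, values[0]))
			}
		case "report-uri":
			out = append(out, finding("CSP-0805", "WARN", "directive report-uri is valid in CSP2, but will be deprecated in CSP3"))
			for _, v := range values {
				u, err := url.Parse(v) // a bare path such as /csp-report parses fine, so the scheme check is separate
				switch {
				case err != nil:
					out = append(out, finding("CSP-0401", "ERROR", "directive %s: could not parse as a URL: %s", name, v))
				case u.Scheme == "":
					out = append(out, finding("CSP-0402", "ERROR", "directive %s: URL %s is missing a SCHEME, which is required", name, v))
				case strings.Contains(v, "#"):
					out = append(out, finding("CSP-0403", "ERROR", "directive %s: URL %s includes a FRAGMENT, which is disallowed", name, v))
				}
			}
		default:
			if !knownDirectives[name] {
				out = append(out, finding("CSP-0901", "ERROR", "unknown directive %s", name))
			}
		}
	}
	return out
}

func main() {
	eps, fs := ParseReportingEndpoints(`csp-endpoint="https://reports.example.com/csp", bad=https://x.example/r`) // constructed sample
	for _, f := range append(fs, EvaluateCSP(`default-src 'self'; report-uri /csp-report; report-to csp-endpoint; frobnicate-src 'none'`, eps)...) {
		fmt.Println(f.Code, f.Level, f.Message)
	}
}
```

Two design points are worth noting. Passing `nil` for the endpoints map means "no Reporting-Endpoints header was present", which disables the cross-check and yields CSP-0002; an empty but non-nil map means the header was present and defined nothing, so every `report-to` name is reported as undefined (CSP-0502). And `net/url.Parse` accepts a bare path such as `/csp-report` and even a string with spaces without error, so a parse error (CSP-0401) and a missing scheme (CSP-0402) have to be distinguished explicitly rather than by relying on the parser alone.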