The goal of this project is to be able to take a URL and one or more CSP headers, understand them correctly, and ultimately be able to provide education and actionable feedback for ensuring the CSP policy provides the appropriate and intended level of security. This is the underlying library intended to make that ultimate goal possible.
This code is not a web browser, so the parts of the spec about "blocking networking requests" aren't relevant. However, calling this out as what a web browser would do can be helpful.
You should consider web.dev: Content security policy required reading for understanding CSP.
- See the wiki for CSP implementation guidance, errors you might encounter (and why), and other details.
- See the issues for a list of things that are still outstanding.
Implements parsing and evaluation for CSP2 (2016) and the CSP3 working draft (June 2024).
- Make it work.
- Make it right. (In-progress)
- Make it fast.
Caution
The core implementation is in-place, and most CSP directives are being parsed correctly. Both the parser (parses the policy into an tree structure) and the evaluator (looks across the tree nodes for issues) will return errors, although the evaluator has not yet been started. Only a single policy at a time is supported. Parsing multiple policies at a time has not yet been started.
PUBLIC INTERFACES ARE NOT YET STABLE.