Home

Ryan Parman edited this page Jun 14, 2024 · 8 revisions
CSP Parser and Evaluator in Go is a CLI tool and library which parses a Content-Security-Policy header value, evaluates it, and provides actionable feedback about how to improve it. There is tooling and reporting that we want to build in the future, but having a strong parser/evaluator is the first step. Candidates include:

- Web interface for evaluating a CSP policy?
- CSP generator from a sitemap?
- CSP policy modernizer?
- Receiver of CSP violation reports?
See the sidebar for more detailed information and recommendations. Useful references:

- Content Security Policy Level 2 (formal recommendation)
- Content Security Policy Level 3 (working draft)
- web.dev: Content security policy
- MDN: Content Security Policy (CSP)
- OWASP: Content security policy (outdated)
- content-security-policy.com
- Can I use: Content Security Policy?
- Mozilla HTTP Observatory
- csp-evaluator
The codes the evaluator can emit are listed below; `%s` is substituted at run time with the directive name, value or token-pair concerned.

- CSP-0001 — [INFO] `currentURL` is empty, so validation of `'self'` sources is disabled
- CSP-0002 — [INFO] `reportingEndpointsHeader` is empty, so validation of `report-to` is disabled
- CSP-0100 — [ERROR] directive `%s` has an invalid value `%s`
- CSP-0200 — [ERROR] directive `%s` has an invalid value `%s`
- CSP-0300 — [ERROR] directive `%s` has an invalid value `%s`
- CSP-0400 — [ERROR] directive `%s` has an invalid value `%s`
- CSP-0401 — [ERROR] directive `%s`: could not parse as a URL: `%s`
- CSP-0402 — [ERROR] directive `%s`: URL `%s` is missing a SCHEME, which is required
- CSP-0403 — [ERROR] directive `%s`: URL `%s` includes a FRAGMENT, which is disallowed
- CSP-0501 — [ERROR] directive `report-to` may only have a single value
- CSP-0502 — [ERROR] directive `%s` refers to undefined reporting endpoint `%s`
- CSP-0510 — [ERROR] token-pair `%s` does not contain an `=` character
- CSP-0511 — [ERROR] `%s` appears to be missing a comma between token-pairs
- CSP-0512 — [ERROR] token-pair `%s` is missing either a key or value
- CSP-0513 — [ERROR] token-pair `%s` is missing a key
- CSP-0514 — [ERROR] token-pair `%s` has a key with invalid characters
- CSP-0515 — [ERROR] token-pair `%s` is missing a URL
- CSP-0516 — [ERROR] token-pair `%s` URL is not enclosed in double quotes
- CSP-0517 — [ERROR] token-pair `%s` URL is not a valid URL
- CSP-0600 — [ERROR] directive `%s` has an invalid value `%s`
- CSP-0601 — [ERROR] directive `webrtc` may only have a single value
- CSP-0700 — [ERROR] directive `%s` has an invalid value `%s`
- CSP-0801 — [ERROR] directive `block-all-mixed-content` is obsolete; use `upgrade-insecure-requests` instead
- CSP-0802 — [ERROR] directive `child-src` is deprecated; use `frame-src` and/or `worker-src` instead
- CSP-0803 — [ERROR] directive `%s` was experimental in CSP3, but should now be removed from CSP policies
- CSP-0804 — [ERROR] directive `plugin-types` is obsolete; remove this directive from the policy
- CSP-0805 — [WARN] directive `report-uri` is valid in CSP2, but will be deprecated in CSP3
- CSP-0901 — [ERROR] unknown directive `%s`
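As an added illustration of the checks behind these codes (example code written for this page, not the project's own implementation), the Go program below parses a policy together with the `Reporting-Endpoints` header that accompanies it and emits a subset of the findings above: CSP-0002, CSP-0501/0502, the CSP-051x token-pair errors, the CSP-080x lifecycle advice and CSP-0901. The directive names are the ones listed on this page; the `Finding`, `ParsePolicy`, `ParseReportingEndpoints` and `Evaluate` identifiers, the sample policy and the sample header are this example's own inventions, and the CSP-0803 directive set is left out because the page does not state which directives it covers.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Finding mirrors the messages on this page: a code, a level and a message.
type Finding struct{ Code, Level, Msg string }

// Directive names as listed on this page; anything else is reported as CSP-0901.
var knownDirectives = map[string]bool{}

func init() {
	for _, n := range strings.Fields(`base-uri block-all-mixed-content child-src connect-src default-src
fenced-frame-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src navigate-to object-src
plugin-types prefetch-src referrer report-to report-uri require-trusted-types-for sandbox script-src-attr script-src-elem
script-src style-src-attr style-src-elem style-src trusted-types upgrade-insecure-requests webrtc worker-src`) {
		knownDirectives[n] = true
	}
}

// Lifecycle advice worded as on this page; CSP-0803's directive set is not stated there, so it is left out.
var lifecycleAdvice = map[string]Finding{
	"block-all-mixed-content": {"CSP-0801", "ERROR", "directive block-all-mixed-content is obsolete; use upgrade-insecure-requests instead"},
	"child-src":               {"CSP-0802", "ERROR", "directive child-src is deprecated; use frame-src and/or worker-src instead"},
	"plugin-types":            {"CSP-0804", "ERROR", "directive plugin-types is obsolete; remove this directive from the policy"},
	"report-uri":              {"CSP-0805", "WARN", "directive report-uri is valid in CSP2, but will be deprecated in CSP3"},
}

// ParsePolicy splits a serialized policy into [name, values...] entries: ';' separates directives,
// whitespace separates a directive's name from its values, and names are case-insensitive.
func ParsePolicy(policy string) [][]string {
	var out [][]string
	for _, d := range strings.Split(policy, ";") {
		if f := strings.Fields(d); len(f) > 0 {
			f[0] = strings.ToLower(f[0])
			out = append(out, f)
		}
	}
	return out
}

// ParseReportingEndpoints parses a Reporting-Endpoints value such as `csp="https://r.example/csp", x="…"`
// into name -> URL, reporting malformed token-pairs with this page's CSP-051x codes.
func ParseReportingEndpoints(header string) (map[string]string, []Finding) {
	endpoints, fs := map[string]string{}, []Finding(nil)
	for _, pair := range strings.Split(header, ",") {
		if pair = strings.TrimSpace(pair); pair == "" {
			continue
		}
		key, val, ok := strings.Cut(pair, "=")
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch {
		case !ok:
			fs = append(fs, Finding{"CSP-0510", "ERROR", "token-pair " + pair + " does not contain an = character"})
		case key == "" || val == "":
			fs = append(fs, Finding{"CSP-0512", "ERROR", "token-pair " + pair + " is missing either a key or value"})
		case len(val) < 2 || val[0] != '"' || val[len(val)-1] != '"':
			fs = append(fs, Finding{"CSP-0516", "ERROR", "token-pair " + pair + " URL is not enclosed in double quotes"})
		default:
			raw := val[1 : len(val)-1]
			if u, err := url.Parse(raw); err != nil || u.Scheme == "" || u.Host == "" {
				fs = append(fs, Finding{"CSP-0517", "ERROR", "token-pair " + pair + " URL is not a valid URL"})
			} else {
				endpoints[key] = raw
			}
		}
	}
	return endpoints, fs
}

// Evaluate runs the checks above over a policy and the (possibly empty) Reporting-Endpoints header
// sent with it; report-to is only cross-checked when that header is present, as CSP-0002 says.
func Evaluate(policy, reportingEndpoints string) []Finding {
	endpoints, fs := ParseReportingEndpoints(reportingEndpoints)
	if reportingEndpoints == "" {
		fs = append(fs, Finding{"CSP-0002", "INFO", "reportingEndpointsHeader is empty, so validation of report-to is disabled"})
	}
	for _, d := range ParsePolicy(policy) {
		name, values := d[0], d[1:]
		if !knownDirectives[name] {
			fs = append(fs, Finding{"CSP-0901", "ERROR", "unknown directive " + name})
			continue
		}
		if f, ok := lifecycleAdvice[name]; ok {
			fs = append(fs, f)
		}
		if name != "report-to" {
			continue
		}
		if len(values) != 1 {
			fs = append(fs, Finding{"CSP-0501", "ERROR", "directive report-to may only have a single value"})
		} else if _, defined := endpoints[values[0]]; reportingEndpoints != "" && !defined {
			fs = append(fs, Finding{"CSP-0502", "ERROR", "directive report-to refers to undefined reporting endpoint " + values[0]})
		}
	}
	return fs
}

func main() {
	// Constructed sample input, not taken from any real site.
	policy := "default-src 'self'; script-src 'self' https://cdn.example; block-all-mixed-content; report-uri /csp; report-to csp; frobnicate 1"
	for _, f := range Evaluate(policy, `csp="https://reports.example/csp", broken`) {
		fmt.Printf("%s [%s] %s\n", f.Code, f.Level, f.Msg)
	}
}
```

Run it with `go run .`. The point worth noticing is that `report-to` names an endpoint defined in a different header, so an evaluator that only sees the policy cannot tell a valid endpoint from a typo; downgrading that check to the informational CSP-0002 note, rather than silently passing it, is what keeps the result honest.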
Directives covered by the evaluator, with the status markers used in the sidebar:

- 🧪 Experimental, with limited support
- ⚠️ Important notes on usage
- 🚫 Deprecated or obsolete

- base-uri
- block-all-mixed-content 🚫
- child-src
- connect-src
- default-src
- fenced-frame-src 🧪
- font-src
- form-action
- frame-ancestors
- frame-src
- img-src
- manifest-src
- media-src
- navigate-to 🚫
- object-src
- plugin-types 🚫
- prefetch-src 🚫
- referrer 🚫
- report-to 🧪
- report-uri ⚠️
- require-trusted-types-for 🧪
- sandbox
- script-src-attr
- script-src-elem
- script-src
- style-src-attr
- style-src-elem
- style-src
- trusted-types 🧪
- upgrade-insecure-requests
- webrtc
- worker-src

Content licensed under CC BY-SA.