GithubHelp home page GithubHelp logo

0xbharath / csp-evaluator Goto Github PK

View Code? Open in Web Editor NEW

This project forked from google/csp-evaluator

0.0 1.0 0.0 164 KB

Home Page: https://csp-evaluator.withgoogle.com

License: Apache License 2.0

JavaScript 87.93% HTML 4.91% Shell 7.16%

csp-evaluator's Introduction

CSP Evaluator Core Library

Introduction

Please note: this is not an official Google product.

CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. It assists with the process of reviewing CSP policies, and helps identify subtle CSP bypasses which undermine the value of a policy. CSP Evaluator checks are based on a large-scale study and are aimed to help developers to harden their CSP and improve the security of their applications. This tool (also available as a Chrome extension) is provided only for the convenience of developers and Google provides no guarantees or warranties for this tool.

CSP Evaluator comes with a built-in list of common CSP whitelist bypasses which reduce the security of a policy. This list only contains popular bypasses and is by no means complete.

The CSP Evaluator library + frontend is deployed here: https://csp-evaluator.withgoogle.com/

Build Prerequisites

These instructions have been tested with the following software:

  • java >= 1.7 โ€” for running the Closure Compiler
  • ant โ€” for building CSP-Evaluator dependencies
  • git
  • curl
  • a web server
  • a browser with HTML5 support

CSP Evaluator Setup

These instructions assume a working directory of the repository root.

CSP Evaluator includes an easy-to-use setup script called do.sh. It supports the following commands:

  • Setup: ./do.sh {install_deps|check_deps}
  • Build: ./do.sh {build|build_templates} [debug]
  • Cleanup: ./do.sh {clean|clean_deps}

Build

To build CSP Evaluator, run the following commands:

  1. ./do.sh install_deps
  2. ./do.sh build

Local Demo Server

To run the demo locally, you can use the Python SimpleHTTPServer:

  1. cd build
  2. python -m SimpleHTTPServer 9000
  3. Navigate to http://localhost:9000/demo.html in your browser

Example usage

If you don't want to make any customization you can also just embed the compiled JS (build/evaluator_binary.js) and evaluate CSP like this:

<html>
  <div id="csp_widget"></div>
  <script src="/evaluator_binary.js"></script>
  <script>
    var rawCsp = "script-src data: https://www.google.com;";
    var parser = new csp.CspParser(rawCsp);
    var evaluator = new csp.CspEvaluator(parser.csp, csp.Version.CSP3);
    var findings = evaluator.evaluate();
    var widget = new csp.ui.Widget(parser.csp, findings, csp.Version.CSP3);
  </script>
</html>

csp-evaluator's People

Contributors

lweichselbaum avatar rknoll avatar zigoo0 avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.