Spec compliant content security policy builder and parser. ๐จ
npm i -D csp-devconst ContentSecurityPolicy = require('csp-dev')
const builder = new ContentSecurityPolicy()
builder.newDirective('script-src', ['self', 'unsafe-inline', 'nonce-2726c7f26c', '*.test.com'])
builder.newDirective('default-src', 'self')
builder.newDirective('style-src', 'data:')
// or by loading an object
const builder2 = new ContentSecurityPolicy()
builder2.load({
'default-src': ['self'],
'script-src': [
'self', 'unsafe-inline', 'nonce-2726c7f26c', '*.test.com'
],
'style-src': ['data:']
})const ContentSecurityPolicy = require('csp-dev')
const data = `
default-src 'self';
script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com;
style-src data:
`
const parser = new ContentSecurityPolicy(data)
parser.valid() // true|falseShare data as json, spec compliant csp string or html meta tag:
parser.share('json')
`
{
'default-src': ['self'],
'script-src': [
'self', 'unsafe-inline', 'nonce-2726c7f26c', '*.test.com'
],
'style-src': ['data:']
}
`
parser.share('string')
`
default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com; style-src data:
`
parser.share('html')
`
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com; style-src data:">
`See spec folder for tests. I'll expand the test suite as I update the library. You can run tests by npm run test
The reporting feature of csp hasn't been implemented. I haven't get fully understand but I think there is no accepted standart to it for now.
Thanks for watching ๐ฌ
Version management of this repository done by releaser ๐
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent