Content Security Policy Decomposer & Evaluator
Methods are provided to decompose, display, and validate content security policy header values. Wraps the ‘Shape Security’ ‘salvation’ Java library (https://github.com/shapesecurity/salvation). Package version tracks ‘salvation’ Java archive version.
The following functions are implemented:
Core:
fetch_csp
: Fetch and/or parse a content security policy header
valuehas_csp
: Does a URL have a content security policy?parse_csp
: Fetch and/or parse a content security policy header
valuevalidate_csp
: Validate a CSPas.data.frame.csp
: Convert a parsed CSP into a data frame of
directives and valuesSecurity/Safety Checks:
check_deprecated
: Tests for insecure CSP settingscheck_ip_source
: Tests for insecure CSP settingscheck_missing_directives
: Tests for insecure CSP settingscheck_nonce_length
: Tests for insecure CSP settingscheck_plain_url_schemes
: Tests for insecure CSP settingscheck_script_unsafe_eval
: Tests for insecure CSP settingscheck_script_unsafe_inline
: Tests for insecure CSP settingscheck_src_http
: Tests for insecure CSP settingscheck_wildcards
: Tests for insecure CSP settingsTesters:
allows_child_from_source
: Tests for what a parsed CSP allowsallows_connect_to
: Tests for what a parsed CSP allowsallows_font_from_source
: Tests for what a parsed CSP allowsallows_form_action
: Tests for what a parsed CSP allowsallows_frame_ancestor
: Tests for what a parsed CSP allowsallows_frame_from_source
: Tests for what a parsed CSP allowsallows_manifest_from_source
: Tests for what a parsed CSP allowsallows_media_from_source
: Tests for what a parsed CSP allowsallows_navigation
: Tests for what a parsed CSP allowsallows_object_from_source
: Tests for what a parsed CSP allowsallows_prefetch_from_source
: Tests for what a parsed CSP allowsallows_script_from_source
: Tests for what a parsed CSP allowsallows_script_with_nonce
: Tests for what a parsed CSP allowsallows_style_from_source
: Tests for what a parsed CSP allowsallows_style_with_nonce
: Tests for what a parsed CSP allowsallows_unsafe_inline_script
: Tests for what a parsed CSP allowsallows_unsafe_inline_style
: Tests for what a parsed CSP allowsallows_worker_from_source
: Tests for what a parsed CSP allowsinstall.packages("cspy", repos = "https://cinc.rud.is/")
library(cspy)
library(tibble) # for printing
# current version
packageVersion("cspy")
## [1] '2.6.0'
has_csp("https://community.rstudio.com")
## [1] TRUE
csp <- fetch_csp("https://community.rstudio.com")
csp
## base-uri
## object-src
## script-src 'unsafe-eval' 'report-sample' https://community.rstudio.com/logs/ https://community.rstudio.com/sidekiq/ https://community.rstudio.com/mini-profiler-resources/ https://community.rstudio.com/assets/ https://community.rstudio.com/brotli_asset/ https://community.rstudio.com/extra-locales/ https://community.rstudio.com/highlight-js/ https://community.rstudio.com/javascripts/ https://community.rstudio.com/plugins/ https://community.rstudio.com/theme-javascripts/ https://community.rstudio.com/svg-sprite/ https://www.google-analytics.com/analytics.js
## worker-src 'self' blob:
(csp_df <- as.data.frame(csp))
## # A tibble: 18 x 3
## directive value origin
## <chr> <chr> <chr>
## 1 base-uri 'none' https://community.rstudio.com
## 2 object-src 'none' https://community.rstudio.com
## 3 script-src 'unsafe-eval' https://community.rstudio.com
## 4 script-src 'report-sample' https://community.rstudio.com
## 5 script-src https://community.rstudio.com/logs/ https://community.rstudio.com
## 6 script-src https://community.rstudio.com/sidekiq/ https://community.rstudio.com
## 7 script-src https://community.rstudio.com/mini-profiler-resources/ https://community.rstudio.com
## 8 script-src https://community.rstudio.com/assets/ https://community.rstudio.com
## 9 script-src https://community.rstudio.com/brotli_asset/ https://community.rstudio.com
## 10 script-src https://community.rstudio.com/extra-locales/ https://community.rstudio.com
## 11 script-src https://community.rstudio.com/highlight-js/ https://community.rstudio.com
## 12 script-src https://community.rstudio.com/javascripts/ https://community.rstudio.com
## 13 script-src https://community.rstudio.com/plugins/ https://community.rstudio.com
## 14 script-src https://community.rstudio.com/theme-javascripts/ https://community.rstudio.com
## 15 script-src https://community.rstudio.com/svg-sprite/ https://community.rstudio.com
## 16 script-src https://www.google-analytics.com/analytics.js https://community.rstudio.com
## 17 worker-src 'self' https://community.rstudio.com
## 18 worker-src blob: https://community.rstudio.com
allows_unsafe_inline_script(csp)
## [1] FALSE
check_deprecated(csp_df)
check_ip_source(csp_df)
check_missing_directives(csp_df)
check_nonce_length(csp_df)
check_plain_url_schemes(csp_df)
check_script_unsafe_eval(csp_df)
## Category: script-unsafe-eval
## Severity: HIGH
## Message: 'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
##
## # A tibble: 1 x 3
## directive value origin
## * <chr> <chr> <chr>
## 1 script-src 'unsafe-eval' https://community.rstudio.com
check_script_unsafe_inline(csp_df)
check_src_http(csp_df)
check_wildcards(csp_df)
| Lang | # Files | (%) | LoC | (%) | Blank lines | (%) | # Lines | (%) | | :---- | -------: | ---: | --: | ---: | ----------: | ---: | -------: | ---: | | R | 11 | 0.65 | 509 | 0.73 | 134 | 0.71 | 221 | 0.73 | | Maven | 1 | 0.06 | 70 | 0.10 | 6 | 0.03 | 5 | 0.02 | | XML | 1 | 0.06 | 65 | 0.09 | 0 | 0.00 | 0 | 0.00 | | Java | 2 | 0.12 | 26 | 0.04 | 8 | 0.04 | 6 | 0.02 | | Rmd | 1 | 0.06 | 21 | 0.03 | 37 | 0.20 | 69 | 0.23 | | make | 1 | 0.06 | 11 | 0.02 | 4 | 0.02 | 0 | 0.00 |
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.