Miss any of our Open RFC calls?Watch the recordings here! »

csp-dev

1.0.1 • Public • Published

csp-dev

Spec compliant content security policy builder and parser. 🚨

NPM npm version npm bundle size npm

Install

npm i -D csp-dev

Use

Build Policy

const ContentSecurityPolicy = require('csp-dev')
 
const builder = new ContentSecurityPolicy()
builder.newDirective('script-src', ['self', 'unsafe-inline', 'nonce-2726c7f26c', '*.test.com'])
builder.newDirective('default-src', 'self')
builder.newDirective('style-src', 'data:')
 
// or by loading an object
 
const builder2 = new ContentSecurityPolicy()
builder2.load({
  'default-src': ['self'],
  'script-src': [
    'self', 'unsafe-inline', 'nonce-2726c7f26c', '*.test.com'
  ],
  'style-src': ['data:']
})

Parse Policy Data

const ContentSecurityPolicy = require('csp-dev')
 
const data = `
default-src 'self';
script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com;
style-src data:
`
const parser = new ContentSecurityPolicy(data)
 
parser.valid() // true|false

Share

Share data as json, spec compliant csp string or html meta tag:

parser.share('json')
`
{
  'default-src': ['self'],
  'script-src': [
    'self', 'unsafe-inline', 'nonce-2726c7f26c', '*.test.com'
  ],
  'style-src': ['data:']
}
`
 
parser.share('string')
`
default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com; style-src data:
`
 
parser.share('html')
`
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com; style-src data:">
`

Tests

See spec folder for tests. I'll expand the test suite as I update the library. You can run tests by npm run test

Notes

The reporting feature of csp hasn't been implemented. I didn't get fully understand but I think there is no accepted standart for it for now.


Thanks for watching 🐬

ko-fi

Install

npm i csp-dev

DownloadsWeekly Downloads

2

Version

1.0.1

License

MIT

Unpacked Size

13.5 kB

Total Files

12

Last publish

Collaborators

  • avatar