JSPM

csp-dev

1.0.2
  • Downloads 1087
  • License MIT

Spec compliant content security policy builder and parser. 🚨

Package Exports

  • csp-dev

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (csp-dev) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

csp-dev


Install

npm i -D csp-dev

Use

Build Policy

const ContentSecurityPolicy = require('csp-dev')

const builder = new ContentSecurityPolicy()
builder.newDirective('script-src', ['self', 'unsafe-inline', 'nonce-2726c7f26c', '*.test.com'])
builder.newDirective('default-src', 'self')
builder.newDirective('style-src', 'data:')

// or by loading an object

const builder2 = new ContentSecurityPolicy()
builder2.load({
  'default-src': ['self'],
  'script-src': [
    'self', 'unsafe-inline', 'nonce-2726c7f26c', '*.test.com'
  ],
  'style-src': ['data:']
})

Parse Policy Data

const ContentSecurityPolicy = require('csp-dev')

const data = `
default-src 'self';
script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com;
style-src data:
`
const parser = new ContentSecurityPolicy(data)

parser.valid() // true|false

Share

Share data as JSON, a spec-compliant CSP string or an HTML meta tag:

parser.share('json')
/*
{
  'default-src': ['self'],
  'script-src': [
    'self', 'unsafe-inline', 'nonce-2726c7f26c', '*.test.com'
  ],
  'style-src': ['data:']
}
*/

parser.share('string')
/*
default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com; style-src data:
*/

parser.share('html')
/*
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com; style-src data:">
*/
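
The parse and share steps above, written out without the library as an added example (this is not csp-dev's code): a minimal parser and serializer following the CSP serialization rules, plus a reviewer check run over the README's own policy string. The names parsePolicy, serializePolicy and auditPolicy and the issue labels are assumptions made for this example.

```javascript
'use strict'

// Constructed sample input: the policy string used in the README above.
const SAMPLE = `
default-src 'self';
script-src 'self' 'unsafe-inline' 'nonce-2726c7f26c' *.test.com;
style-src data:
`

// Parse a serialized policy into Map(directive name -> source expressions).
// Per the CSP spec: directives are separated by ';', names are ASCII
// case-insensitive, and a repeated directive is ignored (first one wins).
function parsePolicy (serialized) {
  const policy = new Map()
  for (const part of serialized.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean)
    if (tokens.length === 0) continue
    const name = tokens[0].toLowerCase()
    if (!policy.has(name)) policy.set(name, tokens.slice(1))
  }
  return policy
}

// Serialize back to a single-line header value.
function serializePolicy (policy) {
  return [...policy].map(([name, srcs]) => [name, ...srcs].join(' ')).join('; ')
}

// Return review findings as { directive, source, issue } objects.
function auditPolicy (policy) {
  const findings = []
  for (const [directive, sources] of policy) {
    const noncedOrHashed = sources.some(s => /^'(nonce|sha(256|384|512))-/i.test(s))
    for (const source of sources) {
      const s = source.toLowerCase()
      let issue = null
      if (s === "'unsafe-inline'") {
        // CSP Level 2+ browsers ignore 'unsafe-inline' next to a nonce or hash.
        issue = noncedOrHashed ? 'unsafe-inline-ignored' : 'unsafe-inline'
      } else if (s === "'unsafe-eval'") issue = 'unsafe-eval'
      else if (s === '*' || s.includes('*.')) issue = 'wildcard-host'
      else if (s === 'data:') issue = 'data-scheme'
      if (issue) findings.push({ directive, source, issue })
    }
  }
  return findings
}

console.log(auditPolicy(parsePolicy(SAMPLE)))
```

On the README's policy this reports three findings: the 'unsafe-inline' in script-src has no effect in browsers that honour the nonce, *.test.com trusts every subdomain, and style-src accepts data: URLs.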

Tests

See the spec folder for tests. I'll expand the test suite as I update the library. You can run the tests with npm run test

Notes

The reporting feature of CSP hasn't been implemented. I haven't fully understood it yet, but I think there is no accepted standard for it for now.


Thanks for watching 🐬



Version management of this repository is done by releaser 🚀