@doyensec/csp-evaluator 1.0.3 (public npm package)

CSP Evaluator Core NPM Library

Please note: this is a port of the original CSP Evaluator library. This is not an official Google product.
CSP Evaluator allows developers and security experts to check whether a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. It assists with the process of reviewing CSP policies and helps identify subtle CSP bypasses that undermine the value of a policy. CSP Evaluator checks are based on a large-scale study and aim to help developers harden their CSP and improve the security of their applications. This tool (also available as a Chrome extension) is provided only for the convenience of developers, and Google provides no guarantees or warranties for it.

CSP Evaluator comes with a built-in list of common CSP whitelist bypasses that reduce the security of a policy. This list only contains popular bypasses and is by no means complete.
The CSP Evaluator library + frontend is deployed here: https://csp-evaluator.withgoogle.com/
Usage example: parse a raw policy string, evaluate it against the CSP3 checks, and print the findings.

```javascript
const csp = require('@doyensec/csp-evaluator');

// The raw policy to review; "script-src data:" is deliberately weak.
var rawCsp = "script-src data: ;";
// Parse the policy string into a directive map.
var parser = new csp.CspParser(rawCsp);
// Evaluate the parsed policy as a CSP3 policy.
var evaluator = new csp.CspEvaluator(parser.csp, csp.Version.CSP3);
// Findings describe each weakness or bypass detected in the policy.
var findings = evaluator.evaluate();
console.log(findings);
```
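To make the kind of check the evaluator performs concrete, here is an added, self-contained illustration (not the @doyensec/csp-evaluator library's own code): a minimal CSP parser plus a handful of the well-known weakness checks an evaluator applies, so the finding for `script-src data: ;` can be reproduced offline. The finding shape (`severity`, `directive`, `description`) and the rule set are this example's own assumptions, not the library's API.

```javascript
// Added illustrative example; the real library implements many more checks.

// Parse a serialized CSP into { directiveName: [sourceExpressions...] }.
// As in the CSP spec, a directive that appears twice keeps its first value.
function parseCsp(rawCsp) {
  const directives = {};
  for (const part of rawCsp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Apply a small set of hardening checks and return a list of findings.
function evaluateCsp(rawCsp) {
  const csp = parseCsp(rawCsp);
  const findings = [];
  const add = (severity, directive, description) =>
    findings.push({ severity, directive, description });

  // script-src falls back to default-src when absent.
  const scriptSrc = csp['script-src'] || csp['default-src'];
  if (!scriptSrc) {
    add('HIGH', 'script-src', 'No script-src or default-src: script loading is unrestricted.');
  } else {
    const hasNonceOrHash = scriptSrc.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSrc.includes('data:')) {
      add('HIGH', 'script-src', 'data: URI in script-src allows execution of attacker-controlled script.');
    }
    if (scriptSrc.includes('*')) {
      add('HIGH', 'script-src', 'Wildcard source in script-src allows scripts from any origin.');
    }
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'.
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      add('HIGH', 'script-src', "'unsafe-inline' allows execution of injected inline scripts.");
    }
  }

  // object-src also falls back to default-src; without either, plugins are unrestricted.
  if (!('object-src' in csp) && !('default-src' in csp)) {
    add('MEDIUM', 'object-src', 'Missing object-src allows injection of plugins that can execute script.');
  }
  return findings;
}

// Usage: the same policy as in the README example above.
console.log(evaluateCsp("script-src data: ;"));
```

Running it on the README policy yields two findings: the `data:` source in `script-src` and the missing `object-src` fallback. A policy such as `script-src 'nonce-...' 'strict-dynamic'; object-src 'none'; base-uri 'none'` produces none, which is the shape of a policy the real evaluator also rates well.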