csp-util

1.0.0 • Public • Published

javascript-csp-util


Content-Security-Policy utilities: a CSP parser that complies with the W3C CSP Level 2 and CSP Level 3 specifications.

ABNF
See https://www.w3.org/TR/CSP2/#policy-syntax and https://www.w3.org/TR/CSP3/#framework

serialized-policy    = serialized-directive *( OWS ";" [ OWS serialized-directive ] )
serialized-directive = directive-name [ RWS directive-value ]
directive-name       = 1*( ALPHA / DIGIT / "-" )
directive-value      = *( %x09 / %x20-%x2B / %x2D-%x3A / %x3C-%x7E )
                       ; Directive values may contain whitespace and VCHAR characters,
                       ; excluding ";" and ","
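
The grammar above, implemented as a small strict parser. This is an added example, not csp-util's own code: parseSerializedPolicy, PolicySyntaxError and the sample policy are hypothetical names and constructed input. It rejects duplicate directives the way a linter would, whereas browsers keep the first occurrence and ignore later ones.

```javascript
'use strict';
// Added example: strict parser for the serialized-policy ABNF above.
// All names here are hypothetical and are not part of csp-util's API.
const NAME_RE = /^[A-Za-z0-9-]+$/;                       // directive-name
const VALUE_RE = /^[\x09\x20-\x2B\x2D-\x3A\x3C-\x7E]*$/; // directive-value

class PolicySyntaxError extends Error {}

function parseSerializedPolicy(policy) {
  const directives = new Map();
  // ";" separates serialized-directives and can never appear inside one.
  for (const raw of policy.split(';')) {
    // OWS around a serialized-directive is insignificant.
    const token = raw.replace(/^[\t ]+|[\t ]+$/g, '');
    if (token === '') continue; // empty slots such as ";;" or a trailing ";"
    // serialized-directive = directive-name [ RWS directive-value ]
    const m = /^([^\t ]+)(?:[\t ]+([\s\S]*))?$/.exec(token);
    const name = m[1].toLowerCase(); // directive names match case-insensitively
    const value = m[2] === undefined ? '' : m[2];
    if (!NAME_RE.test(m[1])) {
      throw new PolicySyntaxError('invalid directive-name: ' + JSON.stringify(m[1]));
    }
    // "," is excluded from directive-value because it separates whole policies
    // in a header, so a stray comma would silently start a second policy.
    if (!VALUE_RE.test(value)) {
      throw new PolicySyntaxError('invalid directive-value for ' + name);
    }
    if (directives.has(name)) {
      throw new PolicySyntaxError('duplicate directive: ' + name);
    }
    directives.set(name, value.split(/[\t ]+/).filter(Boolean));
  }
  return directives;
}

// Constructed sample policy (not taken from a real site).
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example ;; base-uri 'none';";
const sampleDirectives = parseSerializedPolicy(SAMPLE_POLICY);
```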

Usage

npm install github.com/templarbit/javascript-csp-util

let csputil = require('javascript-csp-util')

try {
    // parseDirectives throws one of the error types handled below when the policy is rejected
    let directives = csputil.parseDirectives("default-src 'self'; script-src 'self'; object-src 'self'; base-uri 'none'; report-uri https://logs.templarbit.com/csp/xxkey/reports")
} catch (ex) {
    if (ex instanceof csputil.UnknownDirectiveNameError) {
        // presence of unknown directive detected
    } else if (ex instanceof csputil.DuplicateDirectiveError) {
        // presence of duplicated directives detected
    } else if (ex instanceof csputil.DeprecatedDirectiveNameError) {
        // presence of deprecated directive detected
    } else {
        // general error
    }
}

Other languages


Install

npm i csp-util


License

MIT

Collaborators

  • templarbit