Content Security Policy Decomposer & Evaluator


---
output: rmarkdown::github_document
editor_options:
chunk_output_type: console
---
```{r pkg-knitr-opts, include=FALSE}
knitr::opts_chunk$set(collapse=TRUE, fig.retina=2, message=FALSE, warning=FALSE)
options(width=120)
```
[![Travis-CI Build Status](https://travis-ci.org/hrbrmstr/cspy.svg?branch=master)](https://travis-ci.org/hrbrmstr/cspy)
[![AppVeyor build status](https://ci.appveyor.com/api/projects/status/github/hrbrmstr/cspy?branch=master&svg=true)](https://ci.appveyor.com/project/hrbrmstr/cspy)
[![Coverage Status](https://codecov.io/gh/hrbrmstr/cspy/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/cspy)
[![CRAN_Status_Badge](https://www.r-pkg.org/badges/version/cspy)](https://cran.r-project.org/package=cspy)
# cspy
Content Security Policy Decomposer & Evaluator
## Description
Methods are provided to decompose, display, and validate
content security policy header values. Wraps the 'Shape Security'
'salvation' Java library (<https://github.com/shapesecurity/salvation>).
Package version tracks 'salvation' Java archive version.
## What's Inside The Tin
The following functions are implemented:
Core:
- `fetch_csp`: Fetch and/or parse a content security policy header value
- `has_csp`: Does a URL have a content security policy?
- `parse_csp`: Fetch and/or parse a content security policy header value
- `validate_csp`: Validate a CSP
- `as.data.frame.csp`: Convert a parsed CSP into a data frame of directives and values
Security/Safety Checks:
- `check_deprecated`: Tests for insecure CSP settings
- `check_ip_source`: Tests for insecure CSP settings
- `check_missing_directives`: Tests for insecure CSP settings
- `check_nonce_length`: Tests for insecure CSP settings
- `check_plain_url_schemes`: Tests for insecure CSP settings
- `check_script_unsafe_eval`: Tests for insecure CSP settings
- `check_script_unsafe_inline`: Tests for insecure CSP settings
- `check_src_http`: Tests for insecure CSP settings
- `check_wildcards`: Tests for insecure CSP settings
Testers:
- `allows_child_from_source`: Tests for what a parsed CSP allows
- `allows_connect_to`: Tests for what a parsed CSP allows
- `allows_font_from_source`: Tests for what a parsed CSP allows
- `allows_form_action`: Tests for what a parsed CSP allows
- `allows_frame_ancestor`: Tests for what a parsed CSP allows
- `allows_frame_from_source`: Tests for what a parsed CSP allows
- `allows_manifest_from_source`: Tests for what a parsed CSP allows
- `allows_media_from_source`: Tests for what a parsed CSP allows
- `allows_navigation`: Tests for what a parsed CSP allows
- `allows_object_from_source`: Tests for what a parsed CSP allows
- `allows_prefetch_from_source`: Tests for what a parsed CSP allows
- `allows_script_from_source`: Tests for what a parsed CSP allows
- `allows_script_with_nonce`: Tests for what a parsed CSP allows
- `allows_style_from_source`: Tests for what a parsed CSP allows
- `allows_style_with_nonce`: Tests for what a parsed CSP allows
- `allows_unsafe_inline_script`: Tests for what a parsed CSP allows
- `allows_unsafe_inline_style`: Tests for what a parsed CSP allows
- `allows_worker_from_source`: Tests for what a parsed CSP allows
## Installation
```{r install-ex, eval=FALSE}
install.packages("cspy", repos = "https://cinc.rud.is/")
```
## Usage
```{r lib-ex}
library(cspy)
library(tibble) # for printing
# current version
packageVersion("cspy")
```
```{r one}
has_csp("https://community.rstudio.com")
csp <- fetch_csp("https://community.rstudio.com")
csp
(csp_df <- as.data.frame(csp))
allows_unsafe_inline_script(csp)
check_deprecated(csp_df)
check_ip_source(csp_df)
check_missing_directives(csp_df)
check_nonce_length(csp_df)
check_plain_url_schemes(csp_df)
check_script_unsafe_eval(csp_df)
check_script_unsafe_inline(csp_df)
check_src_http(csp_df)
check_wildcards(csp_df)
```
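The decompose-then-check flow shown above, as an added Python example that is not cspy's R code or salvation's Java: it parses a header value into directives and runs a subset of the `check_*` style tests. The required-directive set, the nonce length threshold and the deprecation table are assumptions chosen for illustration, not salvation's exact rules.

```python
# Added example (not cspy or salvation code): a small CSP decomposer and a
# subset of the weak-setting checks that the package's check_* functions cover.
import re
from urllib.parse import urlsplit

DEPRECATED = {"report-uri": "report-to", "referrer": "Referrer-Policy header"}
REQUIRED = ("default-src", "script-src", "object-src")  # assumed minimum set
MIN_NONCE_CHARS = 22  # ~128 bits of base64; assumed threshold, not salvation's
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_csp(header):
    """Decompose a header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def evaluate_csp(policy):
    """Return (directive, finding) pairs for insecure settings."""
    findings = [(d, "missing") for d in REQUIRED if d not in policy]
    for name, sources in policy.items():
        if name in DEPRECATED:
            findings.append((name, "deprecated; use " + DEPRECATED[name]))
        for src in sources:
            s = src.lower()
            if s.startswith("'nonce-"):
                if len(s) - len("'nonce-'") < MIN_NONCE_CHARS:
                    findings.append((name, "short nonce"))
            elif s in ("'unsafe-inline'", "'unsafe-eval'"):
                if name in ("script-src", "default-src"):
                    findings.append((name, s.strip("'")))
            elif s.startswith("'"):
                continue  # other keywords such as 'self' or 'strict-dynamic'
            elif s.endswith(":") and "/" not in s:
                findings.append((name, "plain scheme " + s))  # e.g. https: or data:
            else:
                # host-source: pull out the host so wildcard and IP checks see it
                host = urlsplit(s if "://" in s else "//" + s).hostname or ""
                if "*" in host:
                    findings.append((name, "wildcard " + src))
                if s.startswith("http://"):
                    findings.append((name, "http source " + src))
                if IPV4.match(host):
                    findings.append((name, "ip source " + host))
    return findings
```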
## cspy Metrics
```{r cloc, echo=FALSE}
cloc::cloc_pkg_md()
```
## Code of Conduct
Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md).
By participating in this project you agree to abide by its terms.