|
|
|
---
|
|
|
|
output: rmarkdown::github_document
|
|
|
|
editor_options:
|
|
|
|
chunk_output_type: console
|
|
|
|
---
|
|
|
|
```{r pkg-knitr-opts, include=FALSE}
|
|
|
|
knitr::opts_chunk$set(collapse=TRUE, fig.retina=2, message=FALSE, warning=FALSE)
|
|
|
|
options(width=120)
|
|
|
|
```
|
|
|
|
|
|
|
|
[![Travis-CI Build Status](https://travis-ci.org/hrbrmstr/cspy.svg?branch=master)](https://travis-ci.org/hrbrmstr/cspy)
|
|
|
|
[![AppVeyor build status](https://ci.appveyor.com/api/projects/status/github/hrbrmstr/cspy?branch=master&svg=true)](https://ci.appveyor.com/project/hrbrmstr/cspy)
|
|
|
|
[![Coverage Status](https://codecov.io/gh/hrbrmstr/cspy/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/cspy)
|
|
|
|
[![CRAN_Status_Badge](https://www.r-pkg.org/badges/version/cspy)](https://cran.r-project.org/package=cspy)
|
|
|
|
|
|
|
|
# cspy
|
|
|
|
|
|
|
|
Content Security Policy Decomposer & Evaluator
|
|
|
|
|
|
|
|
## Description
|
|
|
|
|
|
|
|
Methods are provided to decompose, display, and validate
|
|
|
|
content security policy header values. Wraps the 'Shape Security'
|
|
|
|
'salvation' Java library (<https://github.com/shapesecurity/salvation>).
|
|
|
|
Package version tracks 'salvation' Java archive version.
|
|
|
|
|
|
|
|
## What's Inside The Tin
|
|
|
|
|
|
|
|
The following functions are implemented:
|
|
|
|
|
|
|
|
Core:
|
|
|
|
|
|
|
|
- `fetch_csp`: Fetch and/or parse a content security policy header value
|
|
|
|
- `has_csp`: Does a URL have a content security policy?
|
|
|
|
- `parse_csp`: Fetch and/or parse a content security policy header value
|
|
|
|
- `validate_csp`: Validate a CSP
|
|
|
|
- `as.data.frame.csp`: Convert a parsed CSP into a data frame of directives and values
|
|
|
|
|
|
|
|
Security/Safety Checks:
|
|
|
|
|
|
|
|
- `check_deprecated`: Tests for insecure CSP settings
|
|
|
|
- `check_ip_source`: Tests for insecure CSP settings
|
|
|
|
- `check_missing_directives`: Tests for insecure CSP settings
|
|
|
|
- `check_nonce_length`: Tests for insecure CSP settings
|
|
|
|
- `check_plain_url_schemes`: Tests for insecure CSP settings
|
|
|
|
- `check_script_unsafe_eval`: Tests for insecure CSP settings
|
|
|
|
- `check_script_unsafe_inline`: Tests for insecure CSP settings
|
|
|
|
- `check_src_http`: Tests for insecure CSP settings
|
|
|
|
- `check_wildcards`: Tests for insecure CSP settings
|
|
|
|
|
|
|
|
Testers:
|
|
|
|
|
|
|
|
- `allows_child_from_source`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_connect_to`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_font_from_source`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_form_action`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_frame_ancestor`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_frame_from_source`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_manifest_from_source`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_media_from_source`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_navigation`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_object_from_source`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_prefetch_from_source`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_script_from_source`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_script_with_nonce`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_style_from_source`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_style_with_nonce`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_unsafe_inline_script`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_unsafe_inline_style`: Tests for what a parsed CSP allows
|
|
|
|
- `allows_worker_from_source`: Tests for what a parsed CSP allows
|
|
|
|
|
|
|
|
## Installation
|
|
|
|
|
|
|
|
```{r install-ex, eval=FALSE}
|
|
|
|
install.packages("cspy", repos = "https://cinc.rud.is/")
|
|
|
|
```
|
|
|
|
|
|
|
|
## Usage
|
|
|
|
|
|
|
|
```{r lib-ex}
|
|
|
|
library(cspy)
|
|
|
|
library(tibble) # for printing
|
|
|
|
|
|
|
|
# current version
|
|
|
|
packageVersion("cspy")
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
```{r one}
|
|
|
|
has_csp("https://community.rstudio.com")
|
|
|
|
|
|
|
|
csp <- fetch_csp("https://community.rstudio.com")
|
|
|
|
|
|
|
|
csp
|
|
|
|
|
|
|
|
(csp_df <- as.data.frame(csp))
|
|
|
|
|
|
|
|
allows_unsafe_inline_script(csp)
|
|
|
|
|
|
|
|
check_deprecated(csp_df)
|
|
|
|
|
|
|
|
check_ip_source(csp_df)
|
|
|
|
|
|
|
|
check_missing_directives(csp_df)
|
|
|
|
|
|
|
|
check_nonce_length(csp_df)
|
|
|
|
|
|
|
|
check_plain_url_schemes(csp_df)
|
|
|
|
|
|
|
|
check_script_unsafe_eval(csp_df)
|
|
|
|
|
|
|
|
check_script_unsafe_inline(csp_df)
|
|
|
|
|
|
|
|
check_src_http(csp_df)
|
|
|
|
|
|
|
|
check_wildcards(csp_df)
|
|
|
|
```
|
|
|
|
|
|
|
|
## crsspy Metrics
|
|
|
|
|
|
|
|
```{r cloc, echo=FALSE}
|
|
|
|
cloc::cloc_pkg_md()
|
|
|
|
```
|
|
|
|
|
|
|
|
## Code of Conduct
|
|
|
|
|
|
|
|
Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md).
|
|
|
|
By participating in this project you agree to abide by its terms.
|