---
output: rmarkdown::github_document
editor_options:
  chunk_output_type: console
---

```{r pkg-knitr-opts, include=FALSE}
knitr::opts_chunk$set(collapse=TRUE, fig.retina=2, message=FALSE, warning=FALSE)
options(width=120)
```

[![Travis-CI Build Status](https://travis-ci.org/hrbrmstr/cspy.svg?branch=master)](https://travis-ci.org/hrbrmstr/cspy)
[![AppVeyor build status](https://ci.appveyor.com/api/projects/status/github/hrbrmstr/cspy?branch=master&svg=true)](https://ci.appveyor.com/project/hrbrmstr/cspy)
[![Coverage Status](https://codecov.io/gh/hrbrmstr/cspy/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/cspy)
[![CRAN_Status_Badge](https://www.r-pkg.org/badges/version/cspy)](https://cran.r-project.org/package=cspy)

# cspy

Content Security Policy Decomposer & Evaluator

## Description

Methods are provided to decompose, display, and validate Content Security Policy (CSP) header values. Wraps the 'Shape Security' 'salvation' Java library. The package version tracks the 'salvation' Java archive version.

## What's Inside The Tin

The following functions are implemented:

Core:

- `fetch_csp`: Fetch and/or parse a content security policy header value
- `has_csp`: Does a URL have a content security policy?
- `parse_csp`: Fetch and/or parse a content security policy header value
- `validate_csp`: Validate a CSP
- `as.data.frame.csp`: Convert a parsed CSP into a data frame of directives and values

Security/Safety Checks (each operates on the data frame returned by `as.data.frame()` and tests for an insecure CSP setting):

- `check_deprecated`: Tests for deprecated directives and values
- `check_ip_source`: Tests for IP addresses used as sources
- `check_missing_directives`: Tests for important directives that are absent
- `check_nonce_length`: Tests for nonces that are too short
- `check_plain_url_schemes`: Tests for bare URL schemes (such as `data:` or `http:`) used as sources
- `check_script_unsafe_eval`: Tests for `'unsafe-eval'` in script sources
- `check_script_unsafe_inline`: Tests for `'unsafe-inline'` in script sources
- `check_src_http`: Tests for plaintext `http://` sources
- `check_wildcards`: Tests for wildcard (`*`) sources

Testers (each operates on a parsed CSP and reports what it allows):

- `allows_child_from_source`: Tests for what a parsed CSP allows
- `allows_connect_to`: Tests for what a parsed CSP allows
- `allows_font_from_source`: Tests for what a parsed CSP allows
- `allows_form_action`: Tests for what a parsed CSP allows
- `allows_frame_ancestor`: Tests for what a parsed CSP allows
- `allows_frame_from_source`: Tests for what a parsed CSP allows
- `allows_manifest_from_source`: Tests for what a parsed CSP allows
- `allows_media_from_source`: Tests for what a parsed CSP allows
- `allows_navigation`: Tests for what a parsed CSP allows
- `allows_object_from_source`: Tests for what a parsed CSP allows
- `allows_prefetch_from_source`: Tests for what a parsed CSP allows
- `allows_script_from_source`: Tests for what a parsed CSP allows
- `allows_script_with_nonce`: Tests for what a parsed CSP allows
- `allows_style_from_source`: Tests for what a parsed CSP allows
- `allows_style_with_nonce`: Tests for what a parsed CSP allows
- `allows_unsafe_inline_script`: Tests for what a parsed CSP allows
- `allows_unsafe_inline_style`: Tests for what a parsed CSP allows
- `allows_worker_from_source`: Tests for what a parsed CSP allows

## Installation

```{r install-ex, eval=FALSE}
install.packages("cspy", repos = "https://cinc.rud.is/")
```

## Usage

```{r lib-ex}
library(cspy)
library(tibble) # for printing

# current version
packageVersion("cspy")
```

```{r one}
has_csp("https://community.rstudio.com")

csp <- fetch_csp("https://community.rstudio.com")

csp

(csp_df <- as.data.frame(csp))

allows_unsafe_inline_script(csp)

check_deprecated(csp_df)
check_ip_source(csp_df)
check_missing_directives(csp_df)
check_nonce_length(csp_df)
check_plain_url_schemes(csp_df)
check_script_unsafe_eval(csp_df)
check_script_unsafe_inline(csp_df)
check_src_http(csp_df)
check_wildcards(csp_df)
```

## cspy Metrics

```{r cloc, echo=FALSE}
cloc::cloc_pkg_md()
```

## Code of Conduct

Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md). By participating in this project you agree to abide by its terms.
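## Worked example: what the checks flag

The block below is an added example written for this page; it is not code from cspy or from the 'salvation' library. It builds a minimal CSP decomposer in base R and hand-rolls analogues of the `check_*()` and `allows_*_from_source()` functions listed above, then runs them over a deliberately weak policy and a hardened one, so a reader can see which policy features each category of check trips without installing the package or making a network call. The two header values are constructed, the `directive`/`value` column names are an assumption about the shape of a directive data frame, and the thresholds (a 16-byte nonce, `object-src`/`base-uri`/`frame-ancestors` as the must-have directives) are this example's choices rather than the package's.

```r
# Added example, not part of cspy: a small base-R CSP decomposer plus
# hand-rolled versions of the kinds of checks the package exposes, run
# over two constructed header values. The (directive, value) column names
# are an assumption, not cspy's documented output.

# Constructed sample policies (not captured from a real site).
weak_csp <- paste(
  "default-src * http://cdn.example.com;",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-abc123' http://10.0.0.5:8080 data:;",
  "style-src 'self' 'unsafe-inline';",
  "report-uri /csp-report"
)

hardened_csp <- paste(
  "default-src 'none';",
  "script-src 'self' 'nonce-c29tZXJhbmRvbXZhbHVlMTIz' 'strict-dynamic';",
  "style-src 'self';",
  "img-src 'self' https://images.example.com;",
  "connect-src 'self';",
  "object-src 'none';",
  "base-uri 'none';",
  "frame-ancestors 'none';",
  "form-action 'self';",
  "report-uri /csp-report"
)

# Split a raw header value into one row per (directive, value) pair.
decompose_csp <- function(csp_text) {
  directives <- trimws(strsplit(csp_text, ";", fixed = TRUE)[[1]])
  directives <- directives[nzchar(directives)]
  do.call(rbind, lapply(directives, function(d) {
    toks <- strsplit(d, "[[:space:]]+")[[1]]
    data.frame(
      directive = tolower(toks[1]),
      value     = if (length(toks) > 1) toks[-1] else "",
      stringsAsFactors = FALSE
    )
  }))
}

# Fetch directives fall back to default-src when they are not set.
effective_values <- function(csp_df, directive) {
  v <- csp_df$value[csp_df$directive == directive]
  if (length(v) == 0) v <- csp_df$value[csp_df$directive == "default-src"]
  v
}

# Decoded byte length of each 'nonce-...' value (base64 length minus padding).
nonce_bytes <- function(values) {
  n   <- sub("^'nonce-(.*)'$", "\\1", values[grepl("^'nonce-", values)])
  pad <- nchar(n) - nchar(sub("=+$", "", n))
  (nchar(n) * 3) %/% 4 - pad
}

# Hand-rolled analogues of the check_*() family. The 16-byte nonce floor and
# the three must-have directives are this example's choices, not cspy's.
run_checks <- function(csp_df) {
  script  <- effective_values(csp_df, "script-src")
  all_src <- csp_df$value[grepl("-src$", csp_df$directive)]
  list(
    script_unsafe_inline = "'unsafe-inline'" %in% script,
    script_unsafe_eval   = "'unsafe-eval'" %in% script,
    wildcard_source      = any(all_src == "*"),
    plain_http_source    = any(grepl("^http://", all_src)),
    plain_url_scheme     = any(all_src %in% c("http:", "https:", "data:", "blob:", "filesystem:")),
    ip_source            = any(grepl("^https?://[0-9]{1,3}(\\.[0-9]{1,3}){3}", all_src)),
    short_nonce          = any(nonce_bytes(script) < 16),
    missing_directives   = setdiff(c("object-src", "base-uri", "frame-ancestors"), csp_df$directive)
  )
}

# Rough analogue of the allows_*_from_source() testers: TRUE when the effective
# source list contains '*' or a host source expression that is a prefix of the
# URL. ('self', host wildcards and path matching are deliberately not modelled.)
allows_from_source <- function(csp_df, directive, url) {
  src <- effective_values(csp_df, directive)
  src <- src[!grepl("^'", src)]   # drop keyword sources such as 'self' and 'none'
  any(src == "*") || any(startsWith(url, src))
}

weak_df     <- decompose_csp(weak_csp)
hardened_df <- decompose_csp(hardened_csp)

str(run_checks(weak_df))
str(run_checks(hardened_df))

# img-src is absent from the weak policy, so the decision falls back to default-src.
allows_from_source(weak_df,     "img-src", "https://evil.example")
allows_from_source(hardened_df, "img-src", "https://evil.example")
```

The weak policy trips every check: the wildcard and plaintext `http://` CDN in `default-src`, the `'unsafe-inline'`, `'unsafe-eval'`, raw IP and bare `data:` entries in `script-src`, a four-byte nonce, and three missing directives, and because `img-src` is unset the `default-src *` fallback lets an arbitrary origin supply images. The hardened policy starts from `default-src 'none'`, allows scripts only by nonce plus `'strict-dynamic'`, and pins the directives that govern plugins, `<base>` hijacking and framing, so the same checks come back clean. The real `check_*()` functions operate on the data frame produced by `as.data.frame()` on a parsed CSP and carry 'salvation''s own thresholds, which may differ from the ones chosen here.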