---
output: rmarkdown::github_document
editor_options:
chunk_output_type: console
---
```{r pkg-knitr-opts, include=FALSE}
knitr::opts_chunk$set(collapse=TRUE, fig.retina=2, message=FALSE, warning=FALSE)
options(width=120)
```

[![Travis-CI Build Status](https://travis-ci.org/hrbrmstr/cspy.svg?branch=master)](https://travis-ci.org/hrbrmstr/cspy)
[![AppVeyor build status](https://ci.appveyor.com/api/projects/status/github/hrbrmstr/cspy?branch=master&svg=true)](https://ci.appveyor.com/project/hrbrmstr/cspy)
[![Coverage Status](https://codecov.io/gh/hrbrmstr/cspy/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/cspy)
[![CRAN_Status_Badge](https://www.r-pkg.org/badges/version/cspy)](https://cran.r-project.org/package=cspy)

# cspy

Content Security Policy Decomposer & Evaluator

## Description

Methods are provided to decompose, display, and validate
content security policy header values. Wraps the 'Shape Security'
'salvation' Java library (<https://github.com/shapesecurity/salvation>).
Package version tracks 'salvation' Java archive version.

## What's Inside The Tin

The following functions are implemented:

Core:

- `fetch_csp`: Fetch a content security policy header value from a URL and parse it
- `has_csp`: Does a URL have a content security policy?
- `parse_csp`: Parse a content security policy header value
- `validate_csp`: Validate a CSP
- `as.data.frame.csp`: Convert a parsed CSP into a data frame of directives and values

Security/Safety Checks:

- `check_deprecated`: Tests for insecure CSP settings
- `check_ip_source`: Tests for insecure CSP settings
- `check_missing_directives`: Tests for insecure CSP settings
- `check_nonce_length`: Tests for insecure CSP settings
- `check_plain_url_schemes`: Tests for insecure CSP settings
- `check_script_unsafe_eval`: Tests for insecure CSP settings
- `check_script_unsafe_inline`: Tests for insecure CSP settings
- `check_src_http`: Tests for insecure CSP settings
- `check_wildcards`: Tests for insecure CSP settings

Testers:

- `allows_child_from_source`: Tests for what a parsed CSP allows
- `allows_connect_to`: Tests for what a parsed CSP allows
- `allows_font_from_source`: Tests for what a parsed CSP allows
- `allows_form_action`: Tests for what a parsed CSP allows
- `allows_frame_ancestor`: Tests for what a parsed CSP allows
- `allows_frame_from_source`: Tests for what a parsed CSP allows
- `allows_manifest_from_source`: Tests for what a parsed CSP allows
- `allows_media_from_source`: Tests for what a parsed CSP allows
- `allows_navigation`: Tests for what a parsed CSP allows
- `allows_object_from_source`: Tests for what a parsed CSP allows
- `allows_prefetch_from_source`: Tests for what a parsed CSP allows
- `allows_script_from_source`: Tests for what a parsed CSP allows
- `allows_script_with_nonce`: Tests for what a parsed CSP allows
- `allows_style_from_source`: Tests for what a parsed CSP allows
- `allows_style_with_nonce`: Tests for what a parsed CSP allows
- `allows_unsafe_inline_script`: Tests for what a parsed CSP allows
- `allows_unsafe_inline_style`: Tests for what a parsed CSP allows
- `allows_worker_from_source`: Tests for what a parsed CSP allows

## Installation

```{r install-ex, eval=FALSE}
install.packages("cspy", repos = "https://cinc.rud.is/")
```

## Usage

```{r lib-ex}
library(cspy)
library(tibble) # for printing

# current version
packageVersion("cspy")
```

```{r one}
has_csp("https://community.rstudio.com")

csp <- fetch_csp("https://community.rstudio.com")

csp

(csp_df <- as.data.frame(csp))

allows_unsafe_inline_script(csp)

check_deprecated(csp_df)

check_ip_source(csp_df)

check_missing_directives(csp_df)

check_nonce_length(csp_df)

check_plain_url_schemes(csp_df)

check_script_unsafe_eval(csp_df)

check_script_unsafe_inline(csp_df)

check_src_http(csp_df)

check_wildcards(csp_df)
```
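What the `check_*` functions above look for can be made concrete with a small stand-alone decomposer and evaluator. This is an added Python example, not code from cspy or from the salvation library it wraps; the `EXPECTED_DIRECTIVES` and `DEPRECATED_DIRECTIVES` lists, the 128-bit `NONCE_MIN_BYTES` threshold and the `SAMPLE_CSP` header are constructed assumptions for the illustration, and the check names are chosen to mirror the package's but implement only the simple rules shown.

```python
"""Stand-alone CSP decomposer and evaluator (added example, not cspy's code)."""
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed for this example: directives a policy should always set explicitly
EXPECTED_DIRECTIVES = ("default-src", "script-src", "object-src", "base-uri")
# Assumed for this example: directives dropped or superseded in later CSP levels
DEPRECATED_DIRECTIVES = ("referrer", "reflected-xss", "disown-opener", "report-uri")
NONCE_MIN_BYTES = 16  # assumed threshold: 128 bits of randomness


def parse_csp(header):
    """Decompose a header value into {directive: [source tokens]}.

    Browsers honour only the first occurrence of a directive, so later
    duplicates are dropped here as well.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective(policy, directive):
    """Source list governing `directive`, falling back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def check_missing_directives(policy):
    return [f"missing directive: {d}" for d in EXPECTED_DIRECTIVES if d not in policy]


def check_deprecated(policy):
    return [f"deprecated directive: {d}" for d in DEPRECATED_DIRECTIVES if d in policy]


def check_script_unsafe_inline(policy):
    # 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present
    srcs = effective(policy, "script-src")
    guarded = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs)
    if "'unsafe-inline'" in srcs and not guarded:
        return ["script-src allows 'unsafe-inline' without a nonce or hash"]
    return []


def check_script_unsafe_eval(policy):
    return ["script-src allows 'unsafe-eval'"] if "'unsafe-eval'" in effective(policy, "script-src") else []


def check_wildcards(policy):
    return [f"{name} allows any origin (*)" for name, srcs in policy.items()
            if name.endswith("-src") and "*" in srcs]


def check_src_http(policy):
    return [f"{name} allows plaintext source {s}" for name, srcs in policy.items()
            for s in srcs if s.lower().startswith("http://")]


def check_plain_url_schemes(policy):
    # A bare scheme such as "https:" or "data:" admits every host using that scheme
    return [f"{name} allows an entire scheme: {s}" for name, srcs in policy.items()
            for s in srcs if re.fullmatch(r"[a-z][a-z0-9+.-]*:", s.lower())]


def check_ip_source(policy):
    findings = []
    for name, srcs in policy.items():
        for s in srcs:
            try:
                host = urlsplit(s if "//" in s else "//" + s).hostname or ""
                ipaddress.ip_address(host)
            except ValueError:
                continue  # keyword, host name, path or scheme: not an IP literal
            findings.append(f"{name} allows IP address source {s}")
    return findings


def check_nonce_length(policy):
    findings = []
    for name, srcs in policy.items():
        for s in srcs:
            if not s.startswith("'nonce-"):
                continue
            value = s[len("'nonce-"):].rstrip("'")
            try:
                raw = base64.b64decode(value + "=" * (-len(value) % 4))
            except (binascii.Error, ValueError):
                raw = b""  # undecodable nonce counts as zero bytes of randomness
            if len(raw) < NONCE_MIN_BYTES:
                findings.append(f"{name} nonce {value!r} is shorter than {NONCE_MIN_BYTES} bytes")
    return findings


CHECKS = (check_missing_directives, check_deprecated, check_script_unsafe_inline,
          check_script_unsafe_eval, check_wildcards, check_src_http,
          check_plain_url_schemes, check_ip_source, check_nonce_length)


def evaluate(header):
    """Run every check over a decomposed policy and return the findings."""
    policy = parse_csp(header)
    return [finding for check in CHECKS for finding in check(policy)]


# Constructed sample header for the demonstration (not any real site's policy)
SAMPLE_CSP = ("default-src 'self'; "
              "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://cdn.example.test https:; "
              "style-src 'self' 'nonce-abc'; img-src * http://10.0.0.5; report-uri /csp")

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_CSP):
        print(finding)
```

Running the script lists eleven findings for `SAMPLE_CSP`, one per weakness planted in it, while a policy such as `default-src 'none'; script-src 'nonce-…'; object-src 'none'; base-uri 'none'` with a 22-character base64 nonce produces none. The `effective()` fallback matters: a missing `script-src` inherits whatever `default-src` permits, which is why `default-src` is the first thing the missing-directive check looks for.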

## cspy Metrics

```{r cloc, echo=FALSE}
cloc::cloc_pkg_md()
```

## Code of Conduct

Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md).
By participating in this project you agree to abide by its terms.