#security-policy #security #csp #http

content-security-policy

Will parse and validate Content-Security-Policy level 3

10 releases (5 breaking)

0.5.1 May 22, 2023
0.5.0 Feb 25, 2023
0.4.2 Jul 8, 2020
0.4.1 Mar 24, 2020
0.0.0 Oct 2, 2017

#173 in Network programming

Download history 482/week @ 2023-11-25 524/week @ 2023-12-02 433/week @ 2023-12-09 439/week @ 2023-12-16 589/week @ 2023-12-23 685/week @ 2023-12-30 718/week @ 2024-01-06 848/week @ 2024-01-13 1035/week @ 2024-01-20 925/week @ 2024-01-27 963/week @ 2024-02-03 1095/week @ 2024-02-10 1078/week @ 2024-02-17 1250/week @ 2024-02-24 1736/week @ 2024-03-02 687/week @ 2024-03-09

4,970 downloads per month

MIT/Apache

73KB
1.5K SLoC

Parse and validate Web Content-Security-Policy level 3

Crates.IO Requires rustc 1.60.0

This function parses a CSP string into a data structure, and provides a bunch of functions you can call on it (basically all of the "hooks" defined in the CSP standard). It directly uses the url crate, but it's intentionally agnostic to your HTML parser and your networking stack, so there are a few things it doesn't do:

  • While this library does directly use rust-url, it is intentionally not entangled with any particular networking stack, HTML parser, or DOM implementation.
  • Rather than directly adding events to the event loop, like the spec says, it returns a Vec<> of objects that the library's users should push to the event loop. Just iterate over the vec, convert to your internal event representation, and push them to the event loop after calling the rust-content-security-policy function. Since the CSP specification never spins the event loop in the middle of any of its algorithms, that will be spec compliant anyway.
  • Simple algorithms that don't operate on any part of the parsed CSP data structures, like is element nonceable, probably won't ever be implemented by this library. It would take as much effort for a user to convert from the HTML parser's data structure into whatever rust-content-security-policy would accept as it would take for them to just implement the algorithm themselves.

Installation

To use content-security-policy, add it to your project's Cargo.toml file:

[dependencies]
content-security-policy = "0.5.1"

Example

extern crate content_security_policy;
use content_security_policy::*;
fn main() {
    let csp_list = CspList::parse("script-src *.notriddle.com", PolicySource::Header, PolicyDisposition::Enforce);
    let (check_result, _) = csp_list.should_request_be_blocked(&Request {
        url: Url::parse("https://www.notriddle.com/script.js").unwrap(),
        origin: Origin::Tuple("https".to_string(), url::Host::Domain("notriddle.com".to_owned()), 443),
        redirect_count: 0,
        destination: Destination::Script,
        initiator: Initiator::None,
        nonce: String::new(),
        integrity_metadata: String::new(),
        parser_metadata: ParserMetadata::None,
    });
    assert_eq!(check_result, CheckResult::Allowed);
    let (check_result, _) = csp_list.should_request_be_blocked(&Request {
        url: Url::parse("https://www.evil.example/script.js").unwrap(),
        origin: Origin::Tuple("https".to_string(), url::Host::Domain("notriddle.com".to_owned()), 443),
        redirect_count: 0,
        destination: Destination::Script,
        initiator: Initiator::None,
        nonce: String::new(),
        integrity_metadata: String::new(),
        parser_metadata: ParserMetadata::None,
    });
    assert_eq!(check_result, CheckResult::Blocked);
}

Dependencies

~5–7MB
~149K SLoC