csp-evaluator

by google

CSP Evaluator Core Library

Introduction


Please note: this is not an official Google product.

CSP Evaluator allows developers and security experts to check whether a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. It assists with the process of reviewing CSP policies and helps identify subtle CSP bypasses which undermine the value of a policy. CSP Evaluator's checks are based on a large-scale study and are aimed at helping developers harden their CSP and improve the security of their applications. This tool (also available as a Chrome extension) is provided only for the convenience of developers, and Google provides no guarantees or warranties for it.

CSP Evaluator comes with a built-in list of common CSP whitelist bypasses which reduce the security of a policy. This list only contains popular bypasses and is by no means complete.

The CSP Evaluator library + frontend is deployed here: https://csp-evaluator.withgoogle.com/

Build Prerequisites


These instructions have been tested with the following software:

  • java >= 1.7 — for running the Closure Compiler
  • ant — for building CSP-Evaluator dependencies
  • git
  • curl
  • a web server
  • a browser with HTML5 support

CSP Evaluator Setup


These instructions assume a working directory of the repository root.

CSP Evaluator includes an easy-to-use setup script called do.sh. It supports the following commands:
  • Setup:
    ./do.sh {install_deps|check_deps}
  • Build:
    ./do.sh {build|build_templates} [debug]
  • Cleanup:
    ./do.sh {clean|clean_deps}

Build

To build CSP Evaluator, run the following commands:

  1. ./do.sh install_deps
  2. ./do.sh build

Local Demo Server

To run the demo locally, you can use the Python SimpleHTTPServer:
  1. cd build
  2. python -m SimpleHTTPServer 9000
  3. Navigate to http://localhost:9000/demo.html in your browser

Example usage

If you don't want to make any customization, you can also just embed the compiled JS (build/evaluator_binary.js) and evaluate a CSP like this:
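As an added illustration of the kind of analysis an evaluator performs on a policy string, the following self-contained JavaScript parses a serialized CSP and reports common weaknesses: a script-src that is missing or that contains 'unsafe-inline' without a nonce or hash, scheme-wide or wildcard host sources, a missing object-src and a missing base-uri. This is example code written for this page, not the csp-evaluator library or its API (the library's call signature is not reproduced here); the function names parseCsp, effectiveSources and evaluateCsp, the severity labels and the sample policies are all constructed for the example.

```javascript
// Added example (not part of the csp-evaluator project): a minimal CSP
// parser plus a handful of the kinds of checks an evaluator runs.

// Parse a serialized policy into { directiveName: [sourceExpression, ...] }.
// Directive names are case-insensitive; if a directive is repeated, the
// first occurrence wins, which is what browsers do.
function parseCsp(policy) {
  const directives = {};
  for (const rawToken of policy.split(';')) {
    const token = rawToken.trim();
    if (token === '') continue;
    const parts = token.split(/\s+/);
    const name = parts[0].toLowerCase();
    if (!(name in directives)) directives[name] = parts.slice(1);
  }
  return directives;
}

// script-src and object-src fall back to default-src when absent.
// Returns null when nothing restricts the directive at all.
function effectiveSources(csp, directive) {
  if (directive in csp) return csp[directive];
  if ('default-src' in csp) return csp['default-src'];
  return null;
}

const lower = (s) => s.toLowerCase();
const has = (sources, keyword) => sources.some((s) => lower(s) === keyword);

// Evaluate a policy string and return an array of findings, each
// { directive, severity, message }, in the order the checks run.
function evaluateCsp(policy) {
  const csp = parseCsp(policy);
  const findings = [];
  const report = (directive, severity, message) =>
    findings.push({ directive, severity, message });

  const scriptSrc = effectiveSources(csp, 'script-src');
  if (scriptSrc === null) {
    report('script-src', 'HIGH',
      'neither script-src nor default-src is set; scripts can load from anywhere');
  } else {
    const hasNonceOrHash = scriptSrc.some((s) =>
      /^'(nonce|sha256|sha384|sha512)-/i.test(s));
    const strictDynamic = has(scriptSrc, "'strict-dynamic'");

    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    // so it is only a real weakness without one.
    if (has(scriptSrc, "'unsafe-inline'") && !hasNonceOrHash) {
      report('script-src', 'HIGH', "'unsafe-inline' permits inline script");
    }
    if (has(scriptSrc, "'unsafe-eval'")) {
      report('script-src', 'MEDIUM', "'unsafe-eval' permits eval()-style execution");
    }
    // With 'strict-dynamic', host and scheme sources are ignored for scripts,
    // so broad allow-list entries only matter without it.
    if (!strictDynamic) {
      for (const src of scriptSrc) {
        const s = lower(src);
        if (s === '*' || s === 'http:' || s === 'https:' || s === 'data:') {
          report('script-src', 'HIGH', `source '${src}' allows scripts from any origin`);
        } else if (s.startsWith('*.') || s.includes('://*.')) {
          report('script-src', 'MEDIUM',
            `wildcard host '${src}' trusts every subdomain; review each one`);
        }
      }
    }
  }

  // Plugins loaded via object-src can run script; base-uri controls how the
  // page's relative script URLs are resolved.
  if (effectiveSources(csp, 'object-src') === null) {
    report('object-src', 'HIGH', "object-src missing; set it to 'none' unless plugins are needed");
  }
  if (!('base-uri' in csp)) {
    report('base-uri', 'MEDIUM', 'base-uri missing; relative script URLs can be redirected by a <base> tag');
  }
  return findings;
}

// Constructed sample policies for a stand-alone run.
const SAMPLE_WEAK = "script-src 'self' 'unsafe-inline' https:; object-src 'none'";
const SAMPLE_STRONG = "script-src 'nonce-abc123' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

for (const p of [SAMPLE_WEAK, SAMPLE_STRONG]) {
  console.log(p);
  for (const f of evaluateCsp(p)) console.log(`  [${f.severity}] ${f.directive}: ${f.message}`);
}
```

Run with node; the weak sample produces three findings (inline script, the https: scheme source, and the missing base-uri), while the nonce-plus-'strict-dynamic' sample produces none, which is the shape of policy the evaluator steers you towards.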
