I’m working on a Content Security Policy parser. There are a handful of them around the web, but I couldn’t find one that implemented the entirety of the CSP spec and I wanted something I could use to verify structure and validity of CSP directives.
Once I’m happy with my take on a reference implementation I’m hoping to create some tooling with it to do some interesting analysis of CSP abstract syntax trees to identify things like policy anti-patterns, reporting on capabilities a policy grants to a domain/resource, and a better mechanism for allowing tools like OPA, SemGrep, etc. to define and enforce rules on a policy.
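The kind of parse-then-analyse step described in the comment, as an added example that is not the linked project's code: a minimal parser following the CSP3 "parse a serialized CSP" rules (split on `;`, whitespace-separated values, case-insensitive names, first occurrence of a duplicate directive wins) plus a few constructed anti-pattern checks that honour the `default-src` fallback. The check list is an assumption for illustration, not a complete rule set.

```python
import re
from typing import Dict, List, Optional

# Directive names are ASCII letters, digits and "-" and are case-insensitive.
DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a serialized policy into {directive-name: [values]}.

    Mirrors CSP3 parsing: split on ";", trim whitespace, split each token on
    whitespace, lower-case the name, ignore repeats of an already-seen name.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if not DIRECTIVE_NAME.match(name):
            raise ValueError(f"invalid directive name: {name!r}")
        policy.setdefault(name, parts[1:])  # first occurrence wins
    return policy


def effective(policy: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Directive that governs `name`, falling back to default-src if absent."""
    return policy.get(name, policy.get("default-src"))


def find_anti_patterns(policy: Dict[str, List[str]]) -> List[str]:
    """Report common weak settings in a parsed policy (constructed checks)."""
    findings: List[str] = []
    scripts = effective(policy, "script-src")
    if scripts is None:
        findings.append("scripts unrestricted: no script-src and no default-src")
    else:
        src = {s.lower() for s in scripts}
        keyed = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
        has_nonce_or_hash = any(s.startswith(keyed) for s in src)
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present,
        # so only flag it when it is actually in effect.
        if "'unsafe-inline'" in src and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if src & {"*", "https:", "data:"}:
            findings.append("script-src allows a wildcard or overly broad scheme source")
    if effective(policy, "object-src") is None:
        findings.append("object-src unrestricted: plugin content allowed")
    return findings
```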
Neat! What were your experiences with the tech and how did you interface with it? Feel free to respond here or email me via my contact deets in my profile—I’d love to hear about your use-cases.
https://github.com/damien/content-security-policy/tree/main/...