Giter Club home page Giter Club logo

htmlunit-csp's Introduction

HtmlUnit - CSP

This is a general purpose library for working with Content Security Policy policies.

  • parse CSP policies into an easy-to-use representation
  • ask questions about what a CSP policy allows or restricts
  • warn about nonsensical CSP policies and deprecated or nonstandard features

This is the code repository of the Content Security Policy support used by HtmlUnit.

The library was created by forking the salvation project as it is apparently no longer maintained.
For HtmlUnit, the code has been adapted to the code style rules used, and support for editing policies has been removed.
The code is being expanded, restructured and improved primarily to meet the requirements of this project.

Maven Central

❤️ Sponsor

Project News

HtmlUnit@mastodon | HtmlUnit@Twitter

Latest release Version 4.2.0 / June 05, 2024

Maven

Add to your pom.xml:

<dependency>
    <groupId>org.htmlunit</groupId>
    <artifactId>htmlunit-csp</artifactId>
    <version>4.2.0</version>
</dependency>

Gradle

Add to your build.gradle:

implementation group: 'org.htmlunit', name: 'htmlunit-csp', version: '4.2.0'

A Note on CSP

The CSP specification is fairly complex even if you only care about the latest version. However, in practice you are likely to care that your policy does the things you intend it to on the browsers you care about, which are likely to implement different and potentially broken subsets of the specification (and potentially additional behavior which is not in the specification). And there are inevitable tradeoffs to be made regarding the size of your policy vs the security it provides.

As such, this project does not attempt to provide a one-size-fits-all way to manipulate a policy purely in terms of its effects - the full set of effects across all browsers is too vast to provide an effective API in general. It can help you build up a policy based on the directives and source-expressions you want, but to ensure your policy is correct, for your own definition of correct, there is no alternative to testing it on the real browsers you care about.

Create a Policy

Parse a policy using either Policy.parseSerializedCSP or Policy.parseSerializedCSPList. The second parameter will be called for each warning or error.

String policyText = "script-src 'none'";
Policy policy = Policy.parseSerializedCSP(policyText, (severity, message, directiveIndex, valueIndex) -> {
  System.err.println(severity.name() + " at directive " + directiveIndex + (valueIndex == -1 ? "" : " at value " + valueIndex) + ": " + message);
});

Query a Policy

The high-level querying methods allow you to specify whatever relevant information you have. The missing information will be assumed to be worst-case - that is, these methods will return true only if any object which matches the provided characteristics would be allowed, regardless of its other characteristics.

Policy policy = Policy.parseSerializedCSP("script-src http://a", Policy.PolicyErrorConsumer.ignored);

// true
System.out.println(policy.allowsExternalScript(
  Optional.empty(),
  Optional.empty(),
  Optional.of(URI.parse("http://a")),
  Optional.empty(),
  Optional.empty()
));

// false
System.out.println(policy.allowsExternalScript(
  Optional.empty(),
  Optional.empty(),
  Optional.empty(),
  Optional.empty(),
  Optional.empty()
));

Because the Policy objects are rich structures, you can also ask about the presence or absence of specific directives or expressions:

Policy policy = Policy.parseSerializedCSP("script-src 'strict-dynamic'", Policy.PolicyErrorConsumer.ignored);

// Assumes the policy has a `script-src` directive (or else the `get` would throw), and checks if it contains the `'strict-dynamic'` source expression
System.out.println(policy.getFetchDirective(FetchDirectiveKind.ScriptSrc).get().strictDynamic());

Last CI build

The latest builds are available from our Jenkins CI build server

Build Status

If you use maven please add:

<dependency>
    <groupId>org.htmlunit</groupId>
    <artifactId>htmlunit-csp</artifactId>
    <version>4.3.0-SNAPSHOT</version>
</dependency>

You have to add the sonatype snapshot repository to your pom repositories section also:

<repository>
    <id>OSS Sonatype snapshots</id>
    <url>https://s01.oss.sonatype.org/content/repositories/snapshots/</url>
    <snapshots>
        <enabled>true</enabled>
        <updatePolicy>always</updatePolicy>
    </snapshots>
    <releases>
        <enabled>false</enabled>
    </releases>
</repository>

Start HtmlUnit - CSP Development

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.

Prerequisites

You simply only need a local maven installation.

Building

Create a local clone of the repository and you are ready to start.

Open a command line window from the root folder of the project and call

mvn compile

Running the tests

mvn test

Contributing

Pull Requests and and all other Community Contributions are essential for open source software. Every contribution - from bug reports to feature requests, typos to full new features - are greatly appreciated.

Deployment and Versioning

This part is intended for committer who are packaging a release.

  • Check all your files are checked in
  • Execute these mvn commands to be sure all tests are passing and everything is up to data
   mvn versions:display-plugin-updates
   mvn versions:display-dependency-updates
   mvn -U clean test

  • Update the version number in pom.xml and README.md

  • Commit the changes

  • Build and deploy the artifacts

   mvn -up clean deploy

  • Go to Sonatype staging repositories and process the deploy

    • select the repository and close it - wait until the close is processed
    • release the package and wait until it is processed

  • Create the version on Github

    • login to Github and open project https://github.com/HtmlUnit/htmlunit-csp
    • click Releases > Draft new release
    • fill the tag and title field with the release number (e.g. 4.0.0)
    • append
      • htmlunit-csp-4.x.x.jar
      • htmlunit-csp-4.x.x.jar.asc
      • htmlunit-csp-4.x.x-javadoc.jar
      • htmlunit-csp-4.x.x-javadoc.jar.asc
    • and publish the release

  • Update the version number in pom.xml to start next snapshot development

  • Update the htmlunit pom to use the new release

Authors

License

This project is licensed under the Apache 2.0 License

Acknowledgments

Many thanks to all of you contributing to HtmlUnit/CSSParser/Rhino and salvation in the past.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.