├── demo-site
    ├── .eslintignore
    ├── static
    │   ├── favicon
    │   │   ├── favicon-16x16.png
    │   │   ├── favicon-32x32.png
    │   │   └── apple-icon-114x114.png
    │   └── index.html
    ├── scripts
    │   └── prepend-licenses.js
    ├── src
    │   ├── icons
    │   │   ├── DashIcon.jsx
    │   │   ├── PlusIcon.jsx
    │   │   └── ShuffleIcon.jsx
    │   ├── index.js
    │   ├── components
    │   │   ├── ErrorToast.jsx
    │   │   ├── Footer.jsx
    │   │   ├── PolicyBreakdown.jsx
    │   │   ├── PolicyBox.jsx
    │   │   ├── OutputPanel.jsx
    │   │   └── CSPValidationForm.jsx
    │   ├── App.jsx
    │   └── csp-list.json
    ├── babel.config.js
    ├── README.md
    ├── webpack.config.js
    ├── package.json
    └── .eslintrc.js
├── .gitignore
├── .github
    └── workflows
    │   ├── demo-build-and-deploy.yml
    │   └── ci.yml
├── src
    ├── main
    │   └── java
    │   │   └── com
    │   │       └── shapesecurity
    │   │           └── salvation2
    │   │               ├── PolicyList.java
    │   │               ├── URLs
    │   │                   ├── GUID.java
    │   │                   ├── URLWithScheme.java
    │   │                   └── URI.java
    │   │               ├── Directives
    │   │                   ├── FrameAncestorsDirective.java
    │   │                   ├── ReportUriDirective.java
    │   │                   ├── PluginTypesDirective.java
    │   │                   ├── HostSourceDirective.java
    │   │                   ├── SourceExpressionDirective.java
    │   │                   └── SandboxDirective.java
    │   │               ├── Values
    │   │                   ├── RFC7230Token.java
    │   │                   ├── Scheme.java
    │   │                   ├── Nonce.java
    │   │                   ├── MediaType.java
    │   │                   ├── Hash.java
    │   │                   └── Host.java
    │   │               ├── Utils.java
    │   │               ├── JSInterface.java
    │   │               ├── PolicyInOrigin.java
    │   │               ├── Directive.java
    │   │               ├── Constants.java
    │   │               └── FetchDirectiveKind.java
    └── test
    │   ├── javascript
    │       └── salvation.test.js
    │   └── java
    │       └── com
    │           └── shapesecurity
    │               └── salvation2
    │                   ├── TestBase.java
    │                   ├── LowLevelPolicyManipulationTest.java
    │                   └── ParserTest.java
├── README.md
├── style.xml
├── LICENSE
└── pom.xml


/demo-site/.eslintignore:
--------------------------------------------------------------------------------
1 | node_modules
2 | dist
3 | logs
4 | deployment
5 | static
6 | public
7 | 


--------------------------------------------------------------------------------
/demo-site/static/favicon/favicon-16x16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shapesecurity/salvation/HEAD/demo-site/static/favicon/favicon-16x16.png


--------------------------------------------------------------------------------
/demo-site/static/favicon/favicon-32x32.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shapesecurity/salvation/HEAD/demo-site/static/favicon/favicon-32x32.png


--------------------------------------------------------------------------------
/demo-site/static/favicon/apple-icon-114x114.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shapesecurity/salvation/HEAD/demo-site/static/favicon/apple-icon-114x114.png


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | *.iml
 2 | *.class
 3 | target
 4 | .idea
 5 | .editorconfig
 6 | node_modules
 7 | demo/dist
 8 | build
 9 | npm-debug.log
10 | key.pem
11 | cert.pem
12 | 
13 | # Eclipse
14 | # -------
15 | *.classpath
16 | *.project
17 | *.settings
18 | 
19 | dist
20 | .vscode
21 | demo-site/public
22 | 


--------------------------------------------------------------------------------
/demo-site/scripts/prepend-licenses.js:
--------------------------------------------------------------------------------
1 | const fs = require('fs');
2 | 
3 | const mainJsPath = __dirname + '/../public/main.js';
4 | const mainJsContent = fs.readFileSync(mainJsPath).toString();
5 | 
6 | fs.writeFileSync(mainJsPath, '// Licenses available at https://cspvalidator.org/licenses.json\n' + mainJsContent);
7 | 


--------------------------------------------------------------------------------
/demo-site/src/icons/DashIcon.jsx:
--------------------------------------------------------------------------------
 1 | // From bootstrap-icons
 2 | import React from 'react';
 3 | const styles = { display: 'flex' };
 4 | const DashIcon = () => (
 5 |   <svg style={styles} xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" className="bi bi-dash-lg" viewBox="0 0 16 16">
 6 |     <path d="M4 8a.5.5 0 0 1 .5-.5h7a.5.5 0 0 1 0 1h-7A.5.5 0 0 1 4 8"/>
 7 |   </svg>
 8 | );
 9 | 
10 | export { DashIcon };
11 | 


--------------------------------------------------------------------------------
/demo-site/src/icons/PlusIcon.jsx:
--------------------------------------------------------------------------------
 1 | // From bootstrap-icons
 2 | import React from 'react';
 3 | const styles = { display: 'flex' };
 4 | const PlusIcon = () => (
 5 |   <svg style={styles} xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" className="bi bi-plus-lg" viewBox="0 0 16 16">
 6 |     <path fillRule="evenodd" d="M8 2a.5.5 0 0 1 .5.5v5h5a.5.5 0 0 1 0 1h-5v5a.5.5 0 0 1-1 0v-5h-5a.5.5 0 0 1 0-1h5v-5A.5.5 0 0 1 8 2"/>
 7 |   </svg>
 8 | );
 9 | 
10 | export { PlusIcon };
11 | 


--------------------------------------------------------------------------------
/demo-site/babel.config.js:
--------------------------------------------------------------------------------
 1 | module.exports = {
 2 |   presets: [
 3 |     '@babel/preset-env',
 4 |     ['@babel/preset-react', {
 5 |       runtime: 'automatic',
 6 |       development: process.env.NODE_ENV === 'development',
 7 |     }],
 8 |   ],
 9 |   targets: {
10 |     browsers: '> 0.5%, last 10 versions',
11 |   },
12 |   plugins: [
13 |     '@babel/plugin-transform-runtime',
14 |     [
15 |       '@babel/plugin-transform-react-jsx',
16 |       {
17 |         runtime: 'automatic',
18 |         importSource: 'preact',
19 |       },
20 |     ],
21 |   ],
22 | };
23 | 


--------------------------------------------------------------------------------
/demo-site/src/index.js:
--------------------------------------------------------------------------------
 1 | import React, { StrictMode } from 'react';
 2 | import { createRoot } from 'react-dom/client';
 3 | import { App } from './App';
 4 | 
 5 | if (process.env.NODE_ENV !== 'production') {
 6 |   (async () => {
 7 |     const ReactDOM = await import('react-dom');
 8 |     const axe = await import('@axe-core/react');
 9 |     axe.default(React, ReactDOM);
10 |   })();
11 | }
12 | 
13 | const container = document.getElementById('root');
14 | const root = createRoot(container);
15 | root.render(
16 |   <StrictMode>
17 |     <App />
18 |   </StrictMode>,
19 | );
20 | 


--------------------------------------------------------------------------------
/.github/workflows/demo-build-and-deploy.yml:
--------------------------------------------------------------------------------
 1 | # https://shapesecurity.github.io/salvation/index.html
 2 | name: Build and Deploy Demo Site
 3 | on: 
 4 |   push:
 5 |     branches:
 6 |       - main
 7 | jobs:
 8 |   build-and-deploy:
 9 |     runs-on: ubuntu-latest
10 |     steps:
11 |     - name: Checkout 🛎️
12 |       uses: actions/checkout@v4
13 |     - name: Install and Build 🔧 
14 |       working-directory: ./demo-site
15 |       run: |
16 |         npm install
17 |         npm run build
18 |     - name: Deploy 🚀
19 |       if: |
20 |         !cancelled() && !failure()
21 |       uses: JamesIves/github-pages-deploy-action@v4
22 |       with:
23 |         branch: gh-pages
24 |         folder: demo-site/public
25 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/PolicyList.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2;
 2 | 
 3 | import java.util.List;
 4 | 
 5 | public class PolicyList {
 6 | 	public final List<Policy> policies;
 7 | 
 8 | 	public PolicyList(List<Policy> policies) {
 9 | 		this.policies = policies;
10 | 	}
11 | 
12 | 	@Override
13 | 	public String toString() {
14 | 		StringBuilder out = new StringBuilder();
15 | 		boolean first = true;
16 | 		for (Policy policy : this.policies) {
17 | 			if (!first) {
18 | 				out.append(", "); // The whitespace is not strictly necessary but is probably valuable
19 | 			}
20 | 			first = false;
21 | 			out.append(policy.toString());
22 | 		}
23 | 		return out.toString();
24 | 	}
25 | }
26 | 


--------------------------------------------------------------------------------
/demo-site/README.md:
--------------------------------------------------------------------------------
 1 | # Installation
 2 | ```sh
 3 | npm install
 4 | ```
 5 | 
 6 | ## Development Build
 7 | ```sh
 8 | npm run dev
 9 | ```
10 | 
11 | ## Production Build
12 | ```sh
13 | npm run build
14 | ```
15 | 
16 | # Note on salvation.min.js
17 | 
18 | This comes from [Salvation](https://github.com/shapesecurity/salvation). It is automatically generated at compile time using [TeaVM](https://teavm.org/docs/intro/getting-started.html). And needs to be manually copied to `demo-site/static/`.
19 | 
20 | To update the version of Salvation used in this demo website, follow the instructions provided in the README located at the root of this repo. Copy the generated file to `demo-site/static/`, then rename it to `salvation.min.js`.
21 | 


--------------------------------------------------------------------------------
/demo-site/src/components/ErrorToast.jsx:
--------------------------------------------------------------------------------
 1 | import React, { useState } from 'react';
 2 | import { Toast } from 'react-bootstrap';
 3 | import { string, func, number } from 'prop-types';
 4 | 
 5 | const ErrorToast = ({ stack, dismiss, id }) => {
 6 |   const [show, setShow] = useState(true);
 7 | 
 8 |   const removeError = () => {
 9 |     setShow(false);
10 |     dismiss({ stack, id });
11 |   };
12 | 
13 |   return (
14 |     <Toast bg="danger" onClose={removeError} onExit={removeError} show={show} delay={15000} autohide={true}>
15 |       <Toast.Header>
16 |         <strong className="me-auto">Error</strong>
17 |       </Toast.Header>
18 |       <Toast.Body>
19 |         <pre>{stack}</pre>
20 |       </Toast.Body>
21 |     </Toast>
22 |   );
23 | };
24 | 
25 | ErrorToast.propTypes = {
26 |   stack: string.isRequired,
27 |   id: number.isRequired,
28 |   dismiss: func.isRequired,
29 | };
30 | 
31 | export { ErrorToast };
32 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/URLs/GUID.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.URLs;
 2 | 
 3 | import com.shapesecurity.salvation2.Constants;
 4 | 
 5 | import javax.annotation.Nonnull;
 6 | import java.util.Optional;
 7 | import java.util.regex.Matcher;
 8 | 
 9 | public class GUID extends URLWithScheme {
10 | 	// See https://url.spec.whatwg.org/#example-url-components
11 | 	public GUID(@Nonnull String scheme, @Nonnull String value) {
12 | 		super(scheme, null, null, value);
13 | 	}
14 | 
15 | 	public static Optional<GUID> parseGUID(String value) {
16 | 		Matcher matcher = Constants.schemePattern.matcher(value);
17 | 		if (!matcher.find()) {
18 | 			return Optional.empty();
19 | 		}
20 | 		String scheme = matcher.group(1);
21 | 		scheme = scheme.substring(0, scheme.length() - 1);  // + 1 for the trailing ":"
22 | 		return Optional.of(new GUID(scheme, value.substring(scheme.length() + 1)));
23 | 	}
24 | }
25 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Directives/FrameAncestorsDirective.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.Directives;
 2 | 
 3 | import com.shapesecurity.salvation2.Policy;
 4 | 
 5 | import java.util.List;
 6 | import java.util.Locale;
 7 | 
 8 | public class FrameAncestorsDirective extends HostSourceDirective {
 9 | 	public FrameAncestorsDirective(List<String> values, DirectiveErrorConsumer errors) {
10 | 		super(values);
11 | 
12 | 		int index = 0;
13 | 		for (String token : values) {
14 | 			String lowcaseToken = token.toLowerCase(Locale.ENGLISH);
15 | 			this._addHostOrSchemeDuringConstruction(token, lowcaseToken, "ancestor-source", index, errors);
16 | 		}
17 | 
18 | 		if (this.none != null && values.size() > 1) {
19 | 			errors.add(Policy.Severity.Error, "'none' must not be combined with any other ancestor-source", index);
20 | 		}
21 | 
22 | 		if (values.isEmpty()) {
23 | 			errors.add(Policy.Severity.Error, "Ancestor-source lists cannot be empty (use 'none' instead)", -1);
24 | 		}
25 | 	}
26 | }
27 | 


--------------------------------------------------------------------------------
/demo-site/src/components/Footer.jsx:
--------------------------------------------------------------------------------
 1 | import React from 'react';
 2 | import { Button } from 'react-bootstrap';
 3 | 
 4 | const Footer = () => {
 5 |   const viewLicenses = () => {
 6 |     window.location.pathname = '/licenses.json';
 7 |   };
 8 |   return (
 9 |     <footer role="contentinfo" className="pb-4">
10 |       <p>
11 |         <a href="https://github.com/shapesecurity/salvation/issues">Send your feedback</a>!
12 |       </p>
13 |       <p>
14 |           CSP Validator was built by Sergey Shekyan, Michael Ficarra, Lewis Ellis,
15 |           Ben Vinegar, and the fine folks at{' '}
16 |         <a href="https://f5.com">F5, Inc.</a>.
17 |       </p>
18 |       <p>
19 |           Powered by{' '}
20 |         <a href="https://github.com/shapesecurity/salvation">Salvation</a>{' '}
21 |           v3.0.1, a Java library for working with CSP policies.
22 |       </p>
23 |       <Button variant="link" className="p-0" onClick={viewLicenses}>View Licenses</Button>
24 |     </footer>
25 |   );
26 | };
27 | export { Footer };
28 | 


--------------------------------------------------------------------------------
/demo-site/src/icons/ShuffleIcon.jsx:
--------------------------------------------------------------------------------
 1 | // From bootstrap-icons
 2 | import React from 'react';
 3 | const styles = { display: 'flex' };
 4 | const ShuffleIcon = () => (
 5 |   <svg style={styles} xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" className="bi bi-shuffle-lg" viewBox="0 0 16 16">
 6 |     <path fillRule="evenodd" d="M0 3.5A.5.5 0 0 1 .5 3H1c2.202 0 3.827 1.24 4.874 2.418.49.552.865 1.102 1.126 1.532.26-.43.636-.98 1.126-1.532C9.173 4.24 10.798 3 13 3v1c-1.798 0-3.173 1.01-4.126 2.082A9.6 9.6 0 0 0 7.556 8a9.6 9.6 0 0 0 1.317 1.918C9.828 10.99 11.204 12 13 12v1c-2.202 0-3.827-1.24-4.874-2.418A10.6 10.6 0 0 1 7 9.05c-.26.43-.636.98-1.126 1.532C4.827 11.76 3.202 13 1 13H.5a.5.5 0 0 1 0-1H1c1.798 0 3.173-1.01 4.126-2.082A9.6 9.6 0 0 0 6.444 8a9.6 9.6 0 0 0-1.317-1.918C4.172 5.01 2.796 4 1 4H.5a.5.5 0 0 1-.5-.5"/>
 7 |     <path d="M13 5.466V1.534a.25.25 0 0 1 .41-.192l2.36 1.966c.12.1.12.284 0 .384l-2.36 1.966a.25.25 0 0 1-.41-.192m0 9v-3.932a.25.25 0 0 1 .41-.192l2.36 1.966c.12.1.12.284 0 .384l-2.36 1.966a.25.25 0 0 1-.41-.192"/>
 8 |   </svg>
 9 | );
10 | 
11 | export { ShuffleIcon };
12 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Values/RFC7230Token.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.Values;
 2 | 
 3 | import com.shapesecurity.salvation2.Constants;
 4 | 
 5 | import javax.annotation.Nonnull;
 6 | import java.util.Objects;
 7 | import java.util.Optional;
 8 | import java.util.regex.Matcher;
 9 | 
10 | public class RFC7230Token {
11 | 	@Nonnull
12 | 	public final String value;
13 | 
14 | 	private RFC7230Token(@Nonnull String value) {
15 | 		this.value = value;
16 | 	}
17 | 
18 | 	public static Optional<RFC7230Token> parseRFC7230Token(String value) {
19 | 		Matcher matcher = Constants.rfc7230TokenPattern.matcher(value);
20 | 		if (matcher.find()) {
21 | 			return Optional.of(new RFC7230Token(value));
22 | 		} else {
23 | 			return Optional.empty();
24 | 		}
25 | 	}
26 | 
27 | 	@Override
28 | 	public boolean equals(Object o) {
29 | 		if (this == o) return true;
30 | 		if (!(o instanceof RFC7230Token)) return false;
31 | 		RFC7230Token that = (RFC7230Token) o;
32 | 		return value.equals(that.value);
33 | 	}
34 | 
35 | 	@Override
36 | 	public int hashCode() {
37 | 		return Objects.hash(value);
38 | 	}
39 | 
40 | 	@Override
41 | 	public String toString() {
42 | 		return this.value;
43 | 	}
44 | }
45 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/URLs/URLWithScheme.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.URLs;
 2 | 
 3 | 
 4 | import javax.annotation.Nonnull;
 5 | import javax.annotation.Nullable;
 6 | import java.util.Locale;
 7 | import java.util.Objects;
 8 | 
 9 | public abstract class URLWithScheme {
10 | 	@Nonnull
11 | 	public final String scheme;
12 | 	@Nullable
13 | 	public final String host;
14 | 	@Nullable
15 | 	public final Integer port;
16 | 	@Nonnull
17 | 	public final String path;
18 | 
19 | 
20 | 	protected URLWithScheme(@Nonnull String scheme, @Nullable String host, @Nullable Integer port, @Nonnull String path) {
21 | 		this.scheme = scheme.toLowerCase(Locale.ENGLISH);
22 | 		this.host = host == null ? host : host.toLowerCase(Locale.ENGLISH);
23 | 		this.port = port;
24 | 		this.path = path;
25 | 	}
26 | 
27 | 	@Override
28 | 	public boolean equals(Object o) {
29 | 		if (this == o) return true;
30 | 		if (!(o instanceof URLWithScheme)) return false;
31 | 		URLWithScheme that = (URLWithScheme) o;
32 | 		return scheme.equals(that.scheme) &&
33 | 				Objects.equals(host, that.host) &&
34 | 				Objects.equals(port, that.port) &&
35 | 				path.equals(that.path);
36 | 	}
37 | 
38 | 	@Override
39 | 	public int hashCode() {
40 | 		return Objects.hash(scheme, host, port, path);
41 | 	}
42 | }
43 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Values/Scheme.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.Values;
 2 | 
 3 | import com.shapesecurity.salvation2.Constants;
 4 | 
 5 | import javax.annotation.Nonnull;
 6 | import java.util.Locale;
 7 | import java.util.Objects;
 8 | import java.util.Optional;
 9 | 
10 | public class Scheme {
11 | 	@Nonnull
12 | 	public final String value;
13 | 
14 | 	private Scheme(@Nonnull String value) {
15 | 		this.value = value;
16 | 	}
17 | 
18 | 	public static Optional<Scheme> parseScheme(String value) {
19 | 		if (value.matches("^" + Constants.schemePart + ":$")) {
20 | 			// https://tools.ietf.org/html/rfc3986#section-3.1
21 | 			// "Although schemes are case-insensitive, the canonical form is lowercase"
22 | 			return Optional.of(new Scheme(value.substring(0, value.length() - 1).toLowerCase(Locale.ENGLISH)));
23 | 		}
24 | 		return Optional.empty();
25 | 	}
26 | 
27 | 	@Override
28 | 	public String toString() {
29 | 		return this.value + ":";
30 | 	}
31 | 
32 | 	@Override
33 | 	public boolean equals(Object o) {
34 | 		if (this == o) return true;
35 | 		if (o == null || getClass() != o.getClass()) return false;
36 | 		Scheme scheme = (Scheme) o;
37 | 		return value.equals(scheme.value);
38 | 	}
39 | 
40 | 	@Override
41 | 	public int hashCode() {
42 | 		return Objects.hash(value);
43 | 	}
44 | }
45 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Values/Nonce.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.Values;
 2 | 
 3 | import com.shapesecurity.salvation2.Utils;
 4 | 
 5 | import javax.annotation.Nonnull;
 6 | import java.util.Locale;
 7 | import java.util.Objects;
 8 | import java.util.Optional;
 9 | 
10 | public class Nonce {
11 | 	@Nonnull
12 | 	public final String base64ValuePart;
13 | 
14 | 	private Nonce(@Nonnull String base64Valuepart) {
15 | 		this.base64ValuePart = base64Valuepart;
16 | 	}
17 | 
18 | 	public static Optional<Nonce> parseNonce(String value) {
19 | 		String lowcaseValue = value.toLowerCase(Locale.ENGLISH);
20 | 		if (lowcaseValue.startsWith("'nonce-") && lowcaseValue.endsWith("'")) {
21 | 			String nonce = value.substring(7, value.length() - 1);
22 | 			if (Utils.IS_BASE64_VALUE.test(nonce)) {
23 | 				// Note that nonces _are_ case-sensitive, even though the grammar is not
24 | 				return Optional.of(new Nonce(nonce));
25 | 			}
26 | 		}
27 | 		return Optional.empty();
28 | 	}
29 | 
30 | 	@Override
31 | 	public String toString() {
32 | 		return "'nonce-" + base64ValuePart + "'";
33 | 	}
34 | 
35 | 	@Override
36 | 	public boolean equals(Object o) {
37 | 		if (this == o) return true;
38 | 		if (o == null || getClass() != o.getClass()) return false;
39 | 		Nonce nonce = (Nonce) o;
40 | 		return base64ValuePart.equals(nonce.base64ValuePart);
41 | 	}
42 | 
43 | 	@Override
44 | 	public int hashCode() {
45 | 		return Objects.hash(base64ValuePart);
46 | 	}
47 | }
48 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Utils.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2;
 2 | 
 3 | import javax.annotation.Nonnull;
 4 | import java.io.UnsupportedEncodingException;
 5 | import java.net.URLDecoder;
 6 | import java.util.ArrayList;
 7 | import java.util.List;
 8 | import java.util.function.Predicate;
 9 | import java.util.regex.Pattern;
10 | 
11 | public class Utils {
12 | 	private static final Pattern BASE64_PATTERN = Pattern.compile("[a-zA-Z0-9+/\\-_]+=?=?");
13 | 	public static final Predicate<String> IS_BASE64_VALUE = s -> BASE64_PATTERN.matcher(s).matches();
14 | 	// https://infra.spec.whatwg.org/#split-on-ascii-whitespace
15 | 	static List<String> splitOnAsciiWhitespace(String input) {
16 | 		ArrayList<String> out = new ArrayList<>();
17 | 		for (String value : input.split("[" + Constants.WHITESPACE_CHARS + "]")) {
18 | 			if (value.isEmpty()) {
19 | 				continue;
20 | 			}
21 | 			out.add(value);
22 | 		}
23 | 		return out;
24 | 	}
25 | 
26 | 	// https://infra.spec.whatwg.org/#strictly-split
27 | 	static List<String> strictlySplit(@Nonnull String s, char delim) {
28 | 		int off = 0;
29 | 		int next;
30 | 		ArrayList<String> list = new ArrayList<>();
31 | 		while ((next = s.indexOf(delim, off)) != -1) {
32 | 			list.add(s.substring(off, next));
33 | 			off = next + 1;
34 | 		}
35 | 
36 | 		list.add(s.substring(off));
37 | 		return list;
38 | 	}
39 | 
40 | 	static String decodeString(@Nonnull String s) {
41 | 		try {
42 | 			return URLDecoder.decode(s, "UTF-8");
43 | 		} catch (UnsupportedEncodingException e) {
44 | 			return s;
45 | 		}
46 | 	}
47 | 	
48 | 	private Utils() {
49 | 		// Utility class
50 | 	}
51 | }
52 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Values/MediaType.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.Values;
 2 | 
 3 | import com.shapesecurity.salvation2.Constants;
 4 | 
 5 | import javax.annotation.Nonnull;
 6 | import java.util.Locale;
 7 | import java.util.Objects;
 8 | import java.util.Optional;
 9 | import java.util.regex.Matcher;
10 | 
11 | public class MediaType {
12 | 	@Nonnull
13 | 	public final String type;
14 | 	@Nonnull
15 | 	public final String subtype;
16 | 
17 | 	private MediaType(String type, String subtype) {
18 | 		this.type = type;
19 | 		this.subtype = subtype;
20 | 	}
21 | 
22 | 	public static Optional<MediaType> parseMediaType(String value) {
23 | 		Matcher matcher = Constants.mediaTypePattern.matcher(value);
24 | 		if (matcher.find()) {
25 | 			// plugin type matching is ASCII case-insensitive
26 | 			// https://w3c.github.io/webappsec-csp/#plugin-types-post-request-check
27 | 			String type = matcher.group(1).toLowerCase(Locale.ENGLISH);
28 | 			String subtype = matcher.group(2).toLowerCase(Locale.ENGLISH);
29 | 			return Optional.of(new MediaType(type, subtype));
30 | 		}
31 | 		return Optional.empty();
32 | 	}
33 | 
34 | 	@Override
35 | 	public boolean equals(Object o) {
36 | 		if (this == o) return true;
37 | 		if (o == null || getClass() != o.getClass()) return false;
38 | 		MediaType mediaType = (MediaType) o;
39 | 		return type.equals(mediaType.type) &&
40 | 				subtype.equals(mediaType.subtype);
41 | 	}
42 | 
43 | 	@Override
44 | 	public int hashCode() {
45 | 		return Objects.hash(type, subtype);
46 | 	}
47 | 
48 | 	@Override
49 | 	public String toString() {
50 | 		return this.type + "/" + this.subtype;
51 | 	}
52 | }
53 | 


--------------------------------------------------------------------------------
/src/test/javascript/salvation.test.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | const test = require('node:test');
 3 | const assert = require('node:assert');
 4 | const salvation = require('../../../target/javascript/salvation.min.js');
 5 | 
 6 | test('salvation initialization', () => {
 7 |     assert.notStrictEqual(salvation.main, undefined);
 8 |     salvation.main();
 9 |     assert.notStrictEqual(getErrorsForSerializedCSP, undefined);
10 |     assert.notStrictEqual(getErrorsForSerializedCSPList, undefined);
11 | });
12 | 
13 | test('.getErrorsForSerializedCSP() gives no errors for a valid CSP', () => {
14 |     salvation.main();
15 |     const result = getErrorsForSerializedCSP('default-src \'none\';');
16 |     assert.strictEqual(result.length, 0, 'No errors should be found');
17 | });
18 | 
19 | test('.getErrorsForSerializedCSP() provides feedback', () => {
20 |     salvation.main();
21 |     const result = getErrorsForSerializedCSP('hello world');
22 |     assert.strictEqual(result, 'Warning at directive 0: Unrecognized directive hello');
23 | });
24 | 
25 | test('.getErrorsForSerializedCSPList() gives no errors for a valid CSP', () => {
26 |     salvation.main();
27 |     const result = getErrorsForSerializedCSPList('default-src \'none\',plugin-types image/png application/pdf; sandbox,style-src https: \'self\'');
28 |     assert.strictEqual(result, '');
29 | });
30 | 
31 | test('.getErrorsForSerializedCSPList() provides feedback', () => {
32 |     salvation.main();
33 |     const result = getErrorsForSerializedCSPList('hello,foobar,script-src \'self\'; style-src \'self\'');
34 |     assert.strictEqual(result, 'Warning at directive 0: Unrecognized directive hello\n'
35 |                              + 'Warning at directive 0: Unrecognized directive foobar');
36 | });
37 | 


--------------------------------------------------------------------------------
/demo-site/src/App.jsx:
--------------------------------------------------------------------------------
 1 | import React, { useReducer } from 'react';
 2 | import { Container } from 'react-bootstrap';
 3 | import { Footer } from './components/Footer';
 4 | import { CSPValidationForm } from './components/CSPValidationForm';
 5 | import { OutputPanel } from './components/OutputPanel';
 6 | 
 7 | const policyReducer = (currentPolicies, action) => {
 8 |   if (action.type === 'update') {
 9 |     const newPolicies = [...currentPolicies];
10 |     const policyIndex = newPolicies.findIndex(p => p.id === action.pId);
11 |     newPolicies[policyIndex].policy = action.updatedPolicy;
12 |     return newPolicies;
13 |   }
14 |   if (action.type === 'add') {
15 |     return [...currentPolicies, { id: action.pId, policy: '' }];
16 |   }
17 |   if (action.type === 'remove') {
18 |     const newPolicies = [...currentPolicies];
19 |     const policyIndex = newPolicies.findIndex(p => p.id === action.pId);
20 |     newPolicies.splice(policyIndex, 1);
21 |     return newPolicies;
22 |   }
23 |   if (action.type === 'overwriteAll') {
24 |     return [...action.policies];
25 |   }
26 |   throw new Error(`Unknown action type: ${action.type}`);
27 | };
28 | 
29 | const App = () => {
30 |   window.main(); // Need this to initialize the CSP parsing functions.
31 | 
32 |   const [policies, setPolicies] = useReducer(policyReducer, [{ id: 0, policy: '' }]);
33 | 
34 |   return (
35 |     <Container className="d-flex flex-column flex-grow-1">
36 |       <main className="flex-grow-1">
37 |         <h1 className="py-3 border-bottom">Content Security Policy (CSP) Validator</h1>
38 |         <h2 className="pt-3">Validate/Manipulate CSP Strings</h2>
39 |         <CSPValidationForm policies={policies} setPolicies={setPolicies} />
40 |         <OutputPanel policies={policies} />
41 |       </main>
42 |       <hr />
43 |       <Footer />
44 |     </Container>
45 |   );
46 | };
47 | 
48 | export { App };
49 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/URLs/URI.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.URLs;
 2 | 
 3 | import com.shapesecurity.salvation2.Constants;
 4 | 
 5 | import javax.annotation.Nonnull;
 6 | import java.util.Locale;
 7 | import java.util.Optional;
 8 | import java.util.regex.Matcher;
 9 | 
10 | public class URI extends URLWithScheme {
11 | 
12 | 	public URI(@Nonnull String scheme, @Nonnull String host, int port, @Nonnull String path) {
13 | 		super(scheme, host, port, path);
14 | 	}
15 | 
16 | 	@Nonnull
17 | 	public static Optional<URI> parseURI(@Nonnull String uri) {
18 | 		Matcher matcher = Constants.hostSourcePattern.matcher(uri);
19 | 		if (!matcher.find()) {
20 | 			return Optional.empty();
21 | 		}
22 | 		String scheme = matcher.group(1);
23 | 		if (scheme == null) {
24 | 			return Optional.empty();
25 | 		}
26 | 		scheme = scheme.substring(0, scheme.length() - 3);
27 | 		String portString = matcher.group(3);
28 | 		int port;
29 | 		if (portString == null) {
30 | 			port = URI.defaultPortForProtocol(scheme.toLowerCase(Locale.ENGLISH));
31 | 		} else {
32 | 			port = portString.equals(":*") ? Constants.WILDCARD_PORT : Integer.parseInt(portString.substring(1));
33 | 		}
34 | 		String host = matcher.group(2);
35 | 		String path = matcher.group(4);
36 | 		if (path == null) {
37 | 			path = "";
38 | 		}
39 | 		return Optional.of(new URI(scheme, host, port, path));
40 | 	}
41 | 
42 | 	// http://www.w3.org/TR/url/#default-port
43 | 	public static int defaultPortForProtocol(@Nonnull String scheme) {
44 | 		// NB this should just only be called with lowercase'd schemes
45 | 		switch (scheme) {
46 | 			case "ftp":
47 | 				return 21;
48 | 			case "file":
49 | 				return Constants.EMPTY_PORT;
50 | 			case "gopher":
51 | 				return 70;
52 | 			case "http":
53 | 				return 80;
54 | 			case "https":
55 | 				return 443;
56 | 			case "ws":
57 | 				return 80;
58 | 			case "wss":
59 | 				return 443;
60 | 			default:
61 | 				return Constants.EMPTY_PORT;
62 | 		}
63 | 	}
64 | }
65 | 


--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
 1 | name: Java CI
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - main
 7 |   pull_request:
 8 | 
 9 | concurrency:
10 |   group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
11 |   cancel-in-progress: true
12 | 
13 | jobs:
14 |   pre:
15 |     name: Prerequisites
16 |     if: github.event_name == 'pull_request'
17 |     runs-on: ubuntu-latest
18 | 
19 |     steps:
20 |       - name: Checkout
21 |         uses: actions/checkout@v2
22 |         with:
23 |           fetch-depth: 0
24 | 
25 |       - name: Enforce CLA signature
26 |         env:
27 |           COMMIT_RANGE: ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}
28 |         run: curl https://raw.githubusercontent.com/shapesecurity/CLA/HEAD/cla-check.sh | bash
29 | 
30 |   build:
31 |     name: Build
32 |     needs: pre
33 |     if: |
34 |       !cancelled() && !failure()
35 |     runs-on: ubuntu-latest
36 |     strategy:
37 |       matrix:
38 |         java: [11]
39 | 
40 |     steps:
41 |       - name: Checkout
42 |         uses: actions/checkout@v2
43 |       - uses: actions/setup-node@v4
44 |         with:
45 |           node-version: 20
46 |       - name: Setup Java
47 |         uses: actions/setup-java@v2
48 |         with:
49 |           distribution: 'adopt'
50 |           java-version: ${{ matrix.java }}
51 |           cache: 'maven'
52 |       - name: CI
53 |         run: |
54 |           java -Xmx32m -version
55 |           javac -J-Xmx32m -version
56 |           mvn install -DskipTests=true -Dmaven.javadoc.skip=true -B -V
57 |           mvn test -B
58 |       - run: node --test
59 |   demo-site-lint:
60 |     if: |
61 |       !cancelled() && !failure()
62 |     runs-on: ubuntu-latest
63 |     steps:
64 |       - uses: actions/checkout@v2
65 |       - name: Install dependencies
66 |         working-directory: ./demo-site
67 |         run: npm install
68 |       - name: Lint
69 |         working-directory: ./demo-site
70 |         run: npm run lint
71 | 
72 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/JSInterface.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2;
 2 | 
 3 | import org.teavm.jso.JSBody;
 4 | 
 5 | public class JSInterface {
 6 | 	public static void main(String[] args) {
 7 | 		initParseList();
 8 | 		initParseSingle();
 9 | 	}
10 | 
11 | 	public static String getErrorsForSerializedCSPList(String policyText) {
12 | 		StringBuilder errorMessages = new StringBuilder();
13 | 		Policy.parseSerializedCSPList(policyText, (severity, message, policyIndex, directiveIndex, valueIndex) -> {
14 | 			errorMessages.append(severity.name())
15 | 				.append(" at directive ")
16 | 				.append(directiveIndex)
17 | 				.append(valueIndex == -1 ? "" : " at value " + valueIndex)
18 | 				.append(": ")
19 | 				.append(message)
20 | 				.append("\n");
21 | 		});
22 | 		return errorMessages.toString().trim();
23 | 	}
24 | 
25 | 	public static String getErrorsForSerializedCSP(String policyText) {
26 | 		StringBuilder errorMessages = new StringBuilder();
27 | 
28 | 		Policy.parseSerializedCSP(policyText, (severity, message, directiveIndex, valueIndex) -> {
29 | 			errorMessages.append(severity.name())
30 | 				.append(" at directive ")
31 | 				.append(directiveIndex)
32 | 				.append(valueIndex == -1 ? "" : " at value " + valueIndex)
33 | 				.append(": ")
34 | 				.append(message)
35 | 				.append("\n");
36 | 		});
37 | 		return errorMessages.toString().trim();
38 | 	}
39 | 
40 | 	@JSBody(params = {}, script =
41 | 		"(window || globalThis).getErrorsForSerializedCSPList = (policyText) => {\n" +
42 | 		"return javaMethods.get('com.shapesecurity.salvation2.JSInterface.getErrorsForSerializedCSPList(Ljava/lang/String;)Ljava/lang/String;').invoke(policyText)\n" +
43 | 		"}")
44 | 	static native void initParseList();
45 | 
46 | 	@JSBody(params = {}, script =
47 | 		"(window || globalThis).getErrorsForSerializedCSP = (policyText) => {\n" +
48 | 			"return javaMethods.get('com.shapesecurity.salvation2.JSInterface.getErrorsForSerializedCSP(Ljava/lang/String;)Ljava/lang/String;').invoke(policyText)\n" +
49 | 			"}")
50 | 	static native void initParseSingle();
51 | }
52 | 
53 | 


--------------------------------------------------------------------------------
/demo-site/static/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html class="d-flex h-100 justify-content-center" data-bs-theme="dark" lang="en">
 3 |   <head>
 4 |     <meta charset="utf-8">
 5 |     <meta name="theme-color" content="##2B3E50"/>
 6 |     <meta name="Description" content="Content Security Policy (CSP) Validator">
 7 |     <title>CSP Header Inspector and Validator</title>
 8 |     <link rel="canonical" href="https://cspvalidator.org/"/>
 9 |     <link rel="apple-touch-icon" sizes="114x114" href="favicon/apple-icon-114x114.png">
10 |     <link rel="icon" type="image/png" sizes="32x32" href="favicon/favicon-32x32.png">
11 |     <link rel="icon" type="image/png" sizes="16x16" href="favicon/favicon-16x16.png">
12 |     <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-T3c6CoIi6uLrA9TneNEoa7RxnatzjcDSCmG1MXxSR1GAsXEV/Dwwykc2MPK8M2HN" crossorigin="anonymous">
13 |     <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
14 |     <script src="https://mobile-sdk-dev-webcspvalidator-usea1.fastcache.net/common.js?single"></script>
15 |     <script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/popper.min.js" integrity="sha384-I7E8VVD/ismYTF4hNIPjVp/Zjvgyol6VFvRkX/vR+Vc4jQkC+hVqc2pM8ODewa9r" crossorigin="anonymous"></script>
16 |     <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.min.js" integrity="sha384-0pUGZvbkm6XF6gxjEnlmuGrJXVbNuzT9qBBavbLwCsOGabYfZo0T0to5eqruptLy" crossorigin="anonymous"></script>
17 |     <meta name="viewport" content="width=device-width, initial-scale=1" />
18 |     <script defer src="salvation.min.js"></script>
19 |     <script async defer src="https://eu.gimp.zeronaught.com/__imp_apg__/js/f5cs-cspval_wxb4mhrj-6f25ce01.js" id="_imp_apg_dip_" _imp_apg_cid_="f5cs-cspval_wxb4mhrj-6f25ce01" _imp_apg_api_domain_="https://dip-eu.gimp.zeronaught.com"></script>
20 |   </head>
21 |   <body class="d-flex flex-grow-1 justify-content-center mt-4 bg-primary-subtle">
22 |     <div class="d-flex flex-grow-1" id="root"></div>
23 |   </body>
24 | </html>
25 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Directives/ReportUriDirective.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.Directives;
 2 | 
 3 | import com.shapesecurity.salvation2.Directive;
 4 | import com.shapesecurity.salvation2.Policy;
 5 | 
 6 | import java.util.ArrayList;
 7 | import java.util.Collections;
 8 | import java.util.List;
 9 | 
10 | public class ReportUriDirective extends Directive {
11 | 	private List<String> uris = new ArrayList<>();
12 | 
13 | 	public ReportUriDirective(List<String> values, DirectiveErrorConsumer errors) {
14 | 		super(values);
15 | 		int index = 0;
16 | 		for (String value : values) {
17 | 			this._addUri(value, index, errors);
18 | 			++index;
19 | 		}
20 | 
21 | 		if (this.values.isEmpty()) {
22 | 			errors.add(Policy.Severity.Error, "The report-uri value requires at least one value", -1);
23 | 		}
24 | 	}
25 | 
26 | 	private void _addUri(String uri, int index, DirectiveErrorConsumer errors) {
27 | 		// TODO actual parsing per https://tools.ietf.org/html/rfc3986#section-4.1
28 | 		// It's awful, though: 'urn:example:animal:ferret:nose' is a valid URI
29 | 		if (this.uris.contains(uri)) {
30 | 			// NB: we don't prevent you from having duplicates, because that has actual semantic meaning - it will get each report twice (per spec)
31 | 			errors.add(Policy.Severity.Info, "Duplicate report-to URI; are you sure you intend to get multiple copies of each report?", index);
32 | 		}
33 | 		this.uris.add(uri);
34 | 	}
35 | 
36 | 	public List<String> getUris() {
37 | 		return Collections.unmodifiableList(uris);
38 | 	}
39 | 
40 | 	public void addUri(String uri, ManipulationErrorConsumer errors) {
41 | 		this._addUri(uri, -1, wrapManipulationErrorConsumer(errors));
42 | 		this.addValue(uri);
43 | 	}
44 | 
45 | 	// Note that this removes all copies, not just the first
46 | 	public boolean removeUri(String uri) {
47 | 		if (!this.uris.contains(uri)) {
48 | 			return false;
49 | 		}
50 | 		while (this.uris.contains(uri)) {
51 | 			this.uris.remove(uri);
52 | 		}
53 | 
54 | 		ArrayList<String> copy = new ArrayList<>(this.values.size());
55 | 		for (String existing : this.values) {
56 | 			if (!existing.equals(uri)) {
57 | 				copy.add(existing);
58 | 			}
59 | 		}
60 | 		this.values = copy;
61 | 		return true;
62 | 	}
63 | }
64 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Directives/PluginTypesDirective.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.Directives;
 2 | 
 3 | import com.shapesecurity.salvation2.Directive;
 4 | import com.shapesecurity.salvation2.Policy;
 5 | import com.shapesecurity.salvation2.Values.MediaType;
 6 | 
 7 | import java.util.ArrayList;
 8 | import java.util.Collections;
 9 | import java.util.List;
10 | import java.util.Optional;
11 | 
12 | public class PluginTypesDirective extends Directive {
13 | 	private List<MediaType> mediaTypes = new ArrayList<>();
14 | 
15 | 	public PluginTypesDirective(List<String> values, DirectiveErrorConsumer errors) {
16 | 		super(values);
17 | 
18 | 		int index = 0;
19 | 		for (String token : values) {
20 | 			Optional<MediaType> type = MediaType.parseMediaType(token);
21 | 			if (type.isPresent()) {
22 | 				this._addMediaType(type.get(), index, errors);
23 | 			} else {
24 | 				errors.add(Policy.Severity.Error, "Expecting media-type but found \"" + token + "\"", index);
25 | 			}
26 | 		}
27 | 
28 | 		// Note that empty lists are allowed: https://github.com/w3c/webappsec-csp/pull/374
29 | 	}
30 | 
31 | 	private boolean _addMediaType(MediaType type, int index, DirectiveErrorConsumer errors) {
32 | 		if (this.mediaTypes.contains(type)) {
33 | 			errors.add(Policy.Severity.Warning, "Duplicate media type " + type.toString(), index);
34 | 			return false;
35 | 		} else {
36 | 			if (type.type.equals("*") || type.subtype.equals("*")) {
37 | 				errors.add(Policy.Severity.Warning, "Media types can only be matched literally. Make sure using `*` is not an oversight.", index);
38 | 			}
39 | 			this.mediaTypes.add(type);
40 | 			return true;
41 | 		}
42 | 	}
43 | 
44 | 	public List<MediaType> getMediaTypes() {
45 | 		return Collections.unmodifiableList(this.mediaTypes);
46 | 	}
47 | 
48 | 	public void addMediaType(MediaType type, ManipulationErrorConsumer errors) {
49 | 		if (this._addMediaType(type, -1, wrapManipulationErrorConsumer(errors))) {
50 | 			this.addValue(type.toString());
51 | 		}
52 | 	}
53 | 
54 | 	public boolean removeMediaType(MediaType type) {
55 | 		if (!this.mediaTypes.contains(type)) {
56 | 			return false;
57 | 		}
58 | 		this.mediaTypes.remove(type);
59 | 		this.removeValueIgnoreCase(type.toString());
60 | 		return true;
61 | 	}
62 | }
63 | 


--------------------------------------------------------------------------------
/demo-site/webpack.config.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | const HtmlWebpackPlugin = require('html-webpack-plugin');
 3 | const CopyWebpackPlugin = require('copy-webpack-plugin');
 4 | const path = require('path');
 5 | const ESLintPlugin = require('eslint-webpack-plugin');
 6 | const LicensePlugin = require('webpack-license-plugin');
 7 | const TerserPlugin = require('terser-webpack-plugin');
 8 | 
 9 | module.exports = {
10 |   mode: process.env.NODE_ENV === 'production' ? 'production' : 'development',
11 |   entry: './src/index.js',
12 |   optimization: {
13 |     usedExports: false,
14 |     minimizer: [
15 |       new TerserPlugin({
16 |         extractComments: false,
17 |       }),
18 |     ],
19 |   },
20 |   output: {
21 |     path: path.resolve(__dirname, 'public'),
22 |     filename: 'main.js',
23 |   },
24 |   target: 'web',
25 |   devtool: 'cheap-module-source-map',
26 |   devServer: {
27 |     port: '9500',
28 |     static: ['./dist', './static'],
29 |     open: true,
30 |     hot: true,
31 |     liveReload: true,
32 |   },
33 |   resolve: {
34 |     extensions: ['.js', '.jsx', '.json'],
35 |     alias: {
36 |       'react': 'preact/compat',
37 |       'react-dom/test-utils': 'preact/test-utils',
38 |       'react-dom': 'preact/compat', // Must be below test-utils
39 |       'react/jsx-runtime': 'preact/jsx-runtime',
40 |     },
41 |   },
42 |   module: {
43 |     rules: [
44 |       {
45 |         test: /\.(js|jsx)$/,
46 |         exclude: /node_modules/,
47 |         use: 'babel-loader',
48 |       },
49 |       {
50 |         test: /\.css$/i,
51 |         use: ['style-loader', 'css-loader'],
52 |       },
53 |     ],
54 |   },
55 |   plugins: [
56 |     new HtmlWebpackPlugin({ template: './static/index.html' }),
57 |     new CopyWebpackPlugin({
58 |       patterns: [
59 |         { from: 'static/salvation.min.js', to: 'salvation.min.js' },
60 |         { from: 'static/favicon', to: 'favicon' },
61 |       ],
62 |     }),
63 |     new ESLintPlugin({
64 |       overrideConfigFile: './.eslintrc.js',
65 |       extensions: ['js', 'jsx'],
66 |       failOnError: false,
67 |     }),
68 |     new LicensePlugin({
69 |       outputFilename: 'licenses.json',
70 |       replenishDefaultLicenseTexts: true,
71 |       includePackages: async () => [
72 |         'node_modules/bootstrap',
73 |         'node_modules/bootstrap-icons',
74 |       ],
75 |     }),
76 |   ],
77 | };
78 | 


--------------------------------------------------------------------------------
/demo-site/src/components/PolicyBreakdown.jsx:
--------------------------------------------------------------------------------
 1 | import React from 'react';
 2 | import { shape, string, number } from 'prop-types';
 3 | import { Tooltip, OverlayTrigger, CardHeader, Button, ButtonToolbar, ButtonGroup } from 'react-bootstrap';
 4 | import cspList from '../csp-list';
 5 | 
 6 | const PolicyBreakdown = ({ policy }) => {
 7 | 
 8 |   // Returns an array of arrays of directive name and value for each policy.
 9 |   const directives = policy.policy.split(';').map(s => s.trim()).filter(Boolean).map(d => d.trim().split(' '));
10 | 
11 |   const getCSPDescription = directiveName => cspList[directiveName] ?? 'Unknown directive';
12 | 
13 |   return (
14 |     <CardHeader>
15 |       <ButtonToolbar>
16 |         {
17 |           directives.map(([directiveName, ...directiveValues], i) => (
18 |             <ButtonGroup className="me-2" key={i}>
19 |               {/* Directive Name */}
20 |               <OverlayTrigger id={i} overlay={
21 |                 // fixed position to stop the scrollbar from momentally showing up, thus making the page jump around.
22 |                 <Tooltip style={{ position: 'fixed' }} placement="top">{getCSPDescription(directiveName)}</Tooltip>
23 |               }>
24 |                 <Button className="text-break" style={{ cursor: 'help' }} variant="primary" data-bs-toggle="tooltip" data-bs-placement="top" title={directiveName}>
25 |                   {directiveName}
26 |                 </Button>
27 |               </OverlayTrigger>
28 | 
29 |               {/* Directive Values */}
30 |               { directiveValues.length > 0 &&
31 |                 <Button className="text-break" style={{ cursor: 'default' }} variant="info" data-bs-toggle="tooltip" data-bs-placement="top" title={directiveValues.join(' ')}>
32 |                   {directiveValues.join(' ')}
33 |                 </Button>
34 |               }
35 | 
36 |               {/* Directive Separator */}
37 |               {
38 |                 i !== directives.length - 1 &&
39 |                 <Button title="directive separator" style={{ cursor: 'default' }} variant="secondary">;</Button>
40 |               }
41 |             </ButtonGroup>
42 |           ))
43 |         }
44 |       </ButtonToolbar>
45 |     </CardHeader>
46 |   );
47 | };
48 | 
49 | PolicyBreakdown.propTypes = {
50 |   policy: shape({
51 |     id: number.isRequired,
52 |     policy: string.isRequired,
53 |   }).isRequired,
54 | };
55 | 
56 | export { PolicyBreakdown };
57 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Values/Hash.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.Values;
 2 | 
 3 | import com.shapesecurity.salvation2.Utils;
 4 | 
 5 | import javax.annotation.Nonnull;
 6 | import java.util.Locale;
 7 | import java.util.Objects;
 8 | import java.util.Optional;
 9 | 
10 | public class Hash {
11 | 	@Nonnull
12 | 	public final Algorithm algorithm;
13 | 	@Nonnull
14 | 	public final String base64ValuePart;
15 | 
16 | 	private Hash(Algorithm algorithm, String base64ValuePart) {
17 | 		this.algorithm = algorithm;
18 | 		this.base64ValuePart = base64ValuePart;
19 | 	}
20 | 
21 | 	public static Optional<Hash> parseHash(String value) {
22 | 		String lowcaseValue = value.toLowerCase(Locale.ENGLISH);
23 | 		Algorithm algorithm;
24 | 		if (lowcaseValue.startsWith("'sha") && lowcaseValue.endsWith("'")) {
25 | 			switch (lowcaseValue.substring(4, 7)) {
26 | 				case "256":
27 | 					algorithm = Algorithm.SHA256;
28 | 					break;
29 | 				case "384":
30 | 					algorithm = Algorithm.SHA384;
31 | 					break;
32 | 				case "512":
33 | 					algorithm = Algorithm.SHA512;
34 | 					break;
35 | 				default:
36 | 					return Optional.empty();
37 | 			}
38 | 			String hash = value.substring(8, value.length() - 1);
39 | 			if (Utils.IS_BASE64_VALUE.test(hash)) {
40 | 				// Note that hashes _are_ case-sensitive, even though the grammar is not
41 | 				return Optional.of(new Hash(algorithm, hash));
42 | 			}
43 | 		}
44 | 		return Optional.empty();
45 | 	}
46 | 
47 | 	@Override
48 | 	public String toString() {
49 | 		return "'" + this.algorithm.toString() + "-" + this.base64ValuePart + "'";
50 | 	}
51 | 
52 | 	@Override
53 | 	public boolean equals(Object o) {
54 | 		if (this == o) return true;
55 | 		if (o == null || getClass() != o.getClass()) return false;
56 | 		Hash hash = (Hash) o;
57 | 		return algorithm == hash.algorithm &&
58 | 				base64ValuePart.equals(hash.base64ValuePart);
59 | 	}
60 | 
61 | 	@Override
62 | 	public int hashCode() {
63 | 		return Objects.hash(algorithm, base64ValuePart);
64 | 	}
65 | 
66 | 	public enum Algorithm {
67 | 		SHA256("sha256", 44),
68 | 		SHA384("sha384", 64),
69 | 		SHA512("sha512", 88);
70 | 
71 | 		@Nonnull
72 | 		private final String value;
73 | 
74 | 		@Nonnull
75 | 		public final int length;
76 | 
77 | 
78 | 		Algorithm(@Nonnull String value, int length) {
79 | 			this.value = value;
80 | 			this.length = length;
81 | 		}
82 | 
83 | 		@Override
84 | 		public String toString() {
85 | 			return this.value;
86 | 		}
87 | 	}
88 | }
89 | 


--------------------------------------------------------------------------------
/demo-site/src/components/PolicyBox.jsx:
--------------------------------------------------------------------------------
 1 | import React from 'react';
 2 | import { element, func, number, string, shape, arrayOf } from 'prop-types';
 3 | import { FormLabel, InputGroup, Button, FormControl } from 'react-bootstrap';
 4 | import { ShuffleIcon } from '../icons/ShuffleIcon';
 5 | 
 6 | const PolicyBox = props => {
 7 |   const {
 8 |     AddOrRemovePolicyRowBtn,
 9 |     setPolicies,
10 |     policies,
11 |     boxId,
12 |   } = props;
13 | 
14 |   let policy = policies.find(p => p.id === boxId)?.policy || '';
15 | 
16 |   const samplePolicies = [
17 |     'plugin-types image/png; script-src \'unsafe-redirect\'',
18 |     'plugin-types image/png application/pdf; sandbox',
19 |     'default-src; script-src example.com; style-src example.net',
20 |     'default-src \'self\'; script-src a',
21 |     'style-src *:80',
22 |     'img-src ftp://*',
23 |     'script-src',
24 |     'script-src \'self\'',
25 |     'script-src example.com',
26 |     'connect-src wss://*.example.com',
27 |     'style-src https: \'self\'',
28 |     'script-src \'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==\'',
29 |     'default-src \'nonce-5XVOskmSBTwHDfTMmfqnNpY2\'',
30 |   ];
31 | 
32 |   const pickAPolicy = () => {
33 |     policy = samplePolicies[Math.floor(Math.random() * samplePolicies.length)];
34 |     setPolicies({ type: 'update', pId: boxId, updatedPolicy: policy });
35 |   };
36 | 
37 |   const policyChangeHandler = e => {
38 |     policy = e.target.value;
39 |     setPolicies({ type: 'update', pId: boxId, updatedPolicy: policy });
40 |   };
41 | 
42 |   return (
43 |     <InputGroup className="mt-2">
44 |       <Button title="pick a random policy" variant="info" onClick={pickAPolicy}>
45 |         <ShuffleIcon />
46 |       </Button>
47 |       {AddOrRemovePolicyRowBtn}
48 |       <FormLabel visuallyHidden htmlFor={`headerValue-${boxId}`}>
49 |         Enter Content Security Policy:
50 |       </FormLabel>
51 |       <FormControl
52 |         id={`headerValue-${boxId}`}
53 |         placeholder="Enter a policy or generate a random one"
54 |         autoComplete="off"
55 |         value={policy}
56 |         onChange={policyChangeHandler}
57 |       />
58 |     </InputGroup >
59 |   );
60 | };
61 | 
62 | PolicyBox.propTypes = {
63 |   AddOrRemovePolicyRowBtn: element.isRequired,
64 |   setPolicies: func.isRequired,
65 |   boxId: number.isRequired,
66 |   policies: arrayOf(shape({
67 |     id: number.isRequired,
68 |     policy: string.isRequired,
69 |   })).isRequired,
70 | };
71 | 
72 | export { PolicyBox };
73 | 


--------------------------------------------------------------------------------
/demo-site/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "csp-parser-web-demo",
 3 |   "version": "1.0.0",
 4 |   "description": "",
 5 |   "main": "src/index.js",
 6 |   "scripts": {
 7 |     "clean": "rm -rf dist",
 8 |     "lint": "eslint .",
 9 |     "lint:fix": "eslint . --fix",
10 |     "dev": "webpack-dev-server .",
11 |     "build": "NODE_ENV=production webpack && node scripts/prepend-licenses.js",
12 |     "start": "npm run build && node dist/index.js"
13 |   },
14 |   "repository": {
15 |     "type": "git",
16 |     "url": "git+ssh://git@github.com/shapesecurity/salvation.git"
17 |   },
18 |   "keywords": [
19 |     "CSP",
20 |     "parser",
21 |     "web",
22 |     "demo"
23 |   ],
24 |   "author": "F5, Inc.",
25 |   "license": "Apache-2.0",
26 |   "bugs": {
27 |     "url": "https://github.com/shapesecurity/salvation/issues"
28 |   },
29 |   "homepage": "https://github.com/shapesecurity/salvation#readme",
30 |   "dependencies": {
31 |     "bootstrap": "5.3.3",
32 |     "bootstrap-icons": "1.11.3",
33 |     "lz-string": "1.5.0",
34 |     "preact": "10.19.3",
35 |     "react-bootstrap": "2.10.0"
36 |   },
37 |   "devDependencies": {
38 |     "@axe-core/react": "4.8.4",
39 |     "@babel/cli": "7.23.4",
40 |     "@babel/core": "7.23.7",
41 |     "@babel/eslint-parser": "7.23.3",
42 |     "@babel/plugin-transform-react-jsx": "7.23.4",
43 |     "@babel/plugin-transform-runtime": "7.23.7",
44 |     "@babel/preset-env": "7.23.8",
45 |     "@babel/preset-react": "7.23.3",
46 |     "@babel/runtime": "7.23.8",
47 |     "babel-loader": "9.1.3",
48 |     "babel-plugin-uglify": "1.0.2",
49 |     "copy-webpack-plugin": "12.0.2",
50 |     "css-loader": "6.9.1",
51 |     "eslint": "8.56.0",
52 |     "eslint-config-react-app": "7.0.1",
53 |     "eslint-config-standard": "17.1.0",
54 |     "eslint-define-config": "2.1.0",
55 |     "eslint-plugin-compat": "4.2.0",
56 |     "eslint-plugin-flowtype": "8.0.3",
57 |     "eslint-plugin-import": "2.29.1",
58 |     "eslint-plugin-jsx-a11y": "6.8.0",
59 |     "eslint-plugin-n": "16.6.2",
60 |     "eslint-plugin-promise": "6.1.1",
61 |     "eslint-plugin-react": "7.33.2",
62 |     "eslint-webpack-plugin": "4.0.1",
63 |     "html-webpack-plugin": "5.6.0",
64 |     "prop-types": "15.8.1",
65 |     "style-loader": "3.3.4",
66 |     "terser-webpack-plugin": "5.3.10",
67 |     "webpack": "5.89.0",
68 |     "webpack-cli": "5.1.4",
69 |     "webpack-dev-server": "4.15.1",
70 |     "webpack-license-plugin": "4.4.2"
71 |   },
72 |   "engines": {
73 |     "node": "20.10.0",
74 |     "npm": "10.3.0"
75 |   },
76 |   "volta": {
77 |     "node": "20.10.0",
78 |     "npm": "10.3.0"
79 |   },
80 |   "browserslist": [
81 |     "> 0.5%, last 10 versions"
82 |   ]
83 | }
84 | 


--------------------------------------------------------------------------------
/demo-site/src/csp-list.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "default-src": "The default-src directive defines the defaults for most directives you leave unspecified",
 3 |   "script-src": "The script-src directive controls a set of script-related privileges for protected page",
 4 |   "script-src-elem": "The script-src-elem directive applies to all script requests and script blocks",
 5 |   "script-src-attr": "The script-src-attr directive applies to event handlers and, if present, it will override the script-src directive for relevant checks",
 6 |   "style-src": "The style-src directive restricts which styles the user may apply to the protected page",
 7 |   "style-src-elem": "The style-src-elem directive governs the behaviour of styles except for styles defined in inline attributes",
 8 |   "style-src-attr": "The style-src-attr directive governs the behaviour of style attributes",
 9 |   "connect-src": "The connect-src directive lists the URLs to which protected page can connect using fetch API, XHR, WebSocket, EventSource, sendBeacon and <a>`s ping",
10 |   "font-src": "The font-src directive restricts from where the protected page can load fonts",
11 |   "frame-src": "The frame-src directive restricts the URLs which may be loaded into nested browsing contexts.",
12 |   "img-src": "The img-src directive defines the origins from which images can be loaded",
13 |   "media-src": "The media-src directive restricts the origins allowed to deliver video and audio",
14 |   "object-src": "The object-src directive restricts from where the protected page can load plugins",
15 |   "plugin-types": "The plugin-types controls the protected page's ability to load specific types of plugins",
16 |   "sandbox": "The sandbox directive specifies an HTML sandbox policy which the user agent will apply to a resource",
17 |   "report-uri": "The report-uri specifies a URL where a browser will send reports when a content security policy is violated",
18 |   "form-action": "The form-action lists valid endpoints for submission from <form> tags",
19 |   "base-uri": "The base-uri restricts the URLs that can appear in a page's <base> element",
20 |   "frame-ancestors": "The frame-ancestors specifies the sources that can embed the current page",
21 |   "worker-src": "The worker-src directive restricts the URLs which may be loaded as a Worker, SharedWorker, or ServiceWorker.",
22 |   "require-sri-for": "The require-sri-for directive enforces SRI metadata be present on specified resource types",
23 |   "upgrade-insecure-requests": "The upgrade-insecure-requests directive instructs a user agent to treat insecure URLs as equivalent to secure URLs",
24 |   "manifest-src": "The manifest-src directive restricts the URLs from which application manifests may be loaded",
25 |   "prefetch-src": "The prefetch-src directive restrictes the URLs from which resources may be prefetched or prerendered",
26 |   "navigate-to": "The navigate-to directive restricts the URLs to which a document can initiate navigations",
27 |   "block-all-mixed-content": "The block-all-mixed-content directive enables strict mixed content checking",
28 |   "report-to": "The report-to directive defines a reporting group to which violation reports ought to be sent"
29 | }
30 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/PolicyInOrigin.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2;
 2 | 
 3 | import com.shapesecurity.salvation2.URLs.URLWithScheme;
 4 | 
 5 | import java.util.Optional;
 6 | 
 7 | public class PolicyInOrigin {
 8 | 	public final Policy policy;
 9 | 	public final URLWithScheme origin;
10 | 
11 | 	public PolicyInOrigin(Policy policy, URLWithScheme origin) {
12 | 		this.policy = policy;
13 | 		this.origin = origin;
14 | 	}
15 | 
16 | 
17 | 
18 | 	// Low-level querying
19 | 
20 | 	public boolean allowsScriptFromSource(URLWithScheme url) {
21 | 		return this.policy.allowsExternalScript(Optional.empty(), Optional.empty(), Optional.of(url), Optional.empty(), Optional.of(this.origin));
22 | 	}
23 | 
24 | 	public boolean allowsStyleFromSource(URLWithScheme url) {
25 | 		return this.policy.allowsExternalStyle(Optional.empty(), Optional.of(url), Optional.of(this.origin));
26 | 	}
27 | 
28 | 	public boolean allowsImageFromSource(URLWithScheme url) {
29 | 		return this.policy.allowsImage(Optional.of(url), Optional.of(this.origin));
30 | 	}
31 | 
32 | 	public boolean allowsFrameFromSource(URLWithScheme url) {
33 | 		return this.policy.allowsFrame(Optional.of(url), Optional.of(this.origin));
34 | 	}
35 | 
36 | 	public boolean allowsWorkerFromSource(URLWithScheme url) {
37 | 		return this.policy.allowsWorker(Optional.of(url), Optional.of(this.origin));
38 | 	}
39 | 
40 | 	public boolean allowsFontFromSource(URLWithScheme url) {
41 | 		return this.policy.allowsFont(Optional.of(url), Optional.of(this.origin));
42 | 	}
43 | 
44 | 	public boolean allowsObjectFromSource(URLWithScheme url) {
45 | 		return this.policy.allowsObject(Optional.of(url), Optional.of(this.origin));
46 | 	}
47 | 
48 | 	public boolean allowsMediaFromSource(URLWithScheme url) {
49 | 		return this.policy.allowsMedia(Optional.of(url), Optional.of(this.origin));
50 | 	}
51 | 
52 | 	public boolean allowsManifestFromSource(URLWithScheme url) {
53 | 		return this.policy.allowsApplicationManifest(Optional.of(url), Optional.of(this.origin));
54 | 	}
55 | 
56 | 	public boolean allowsPrefetchFromSource(URLWithScheme url) {
57 | 		return this.policy.allowsPrefetch(Optional.of(url), Optional.of(this.origin));
58 | 	}
59 | 
60 | 	public boolean allowsUnsafeInlineScript() {
61 | 		return this.policy.allowsInlineScript(Optional.empty(), Optional.empty(), Optional.empty());
62 | 	}
63 | 
64 | 	public boolean allowsUnsafeInlineStyle() {
65 | 		return this.policy.allowsInlineStyle(Optional.empty(), Optional.empty());
66 | 	}
67 | 
68 | 	public boolean allowsConnection(URLWithScheme url) {
69 | 		return this.policy.allowsConnection(Optional.of(url), Optional.of(this.origin));
70 | 	}
71 | 
72 | 	public boolean allowsNavigation(URLWithScheme url) {
73 | 		return this.policy.allowsNavigation(Optional.of(url), Optional.empty(), Optional.empty(), Optional.of(this.origin));
74 | 	}
75 | 
76 | 	public boolean allowsFrameAncestor(URLWithScheme url) {
77 | 		return this.policy.allowsFrameAncestor(Optional.of(url), Optional.of(this.origin));
78 | 	}
79 | 
80 | 	public boolean allowsFormAction(URLWithScheme url) {
81 | 		return this.policy.allowsFormAction(Optional.of(url), Optional.empty(), Optional.empty(), Optional.of(this.origin));
82 | 	}
83 | 
84 | 
85 | }
86 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Values/Host.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2.Values;
 2 | 
 3 | import com.shapesecurity.salvation2.Constants;
 4 | import com.shapesecurity.salvation2.URLs.URI;
 5 | 
 6 | import javax.annotation.Nonnull;
 7 | import javax.annotation.Nullable;
 8 | import java.util.Locale;
 9 | import java.util.Objects;
10 | import java.util.Optional;
11 | import java.util.regex.Matcher;
12 | 
13 | public class Host {
14 | 	@Nullable
15 | 	public final String scheme;
16 | 	@Nonnull
17 | 	public final String host;
18 | 	public final int port;
19 | 	@Nullable
20 | 	public final String path;
21 | 
22 | 	public static final Host STAR = new Host(null, "*", Constants.EMPTY_PORT, null);
23 | 
24 | 	private Host(String scheme, String host, int port, String path) {
25 | 		this.scheme = scheme;
26 | 		this.host = host;
27 | 		this.port = port;
28 | 		this.path = path;
29 | 	}
30 | 
31 | 	public static Optional<Host> parseHost(String value) {
32 | 		Matcher matcher = Constants.hostSourcePattern.matcher(value);
33 | 		if (matcher.find()) {
34 | 			String scheme = matcher.group(1);
35 | 			if (scheme != null) {
36 | 				scheme = scheme.substring(0, scheme.length() - 3).toLowerCase(Locale.ENGLISH);
37 | 			}
38 | 			String portString = matcher.group(3);
39 | 			int port;
40 | 			if (portString == null) {
41 | 				port = Constants.EMPTY_PORT;
42 | 			} else {
43 | 				port = portString.equals(":*") ? Constants.WILDCARD_PORT : Integer.parseInt(portString.substring(1));
44 | 			}
45 | 			// Hosts are only consumed lowercase: https://w3c.github.io/webappsec-csp/#host-part-match
46 | 			String host = matcher.group(2).toLowerCase(Locale.ENGLISH); // There is no possible NPE here; host is not optional
47 | 			String path = matcher.group(4);
48 | 
49 | 			// TODO contemplate warning for paths which contain `//`, `/../`, or `/./`, since those will never match an actual request
50 | 			// TODO contemplate warning for ports which are implied by their scheme
51 | 			// TODO think about IDN and percent-encoding :((((
52 | 			// We really want paths to be minimally percent-encoded - all and only the things which need to be
53 | 			// (IDN isn't that bad because we restrict to ascii)
54 | 			return Optional.of(new Host(scheme, host, port, path));
55 | 		} else {
56 | 			return Optional.empty();
57 | 		}
58 | 	}
59 | 
60 | 	@Override
61 | 	public String toString() {
62 | 		boolean isDefaultPort =
63 | 				this.port == Constants.EMPTY_PORT || this.scheme != null && this.port == URI
64 | 						.defaultPortForProtocol(this.scheme);
65 | 		return (this.scheme == null ? "" : this.scheme + "://") +
66 | 				this.host +
67 | 				(isDefaultPort ? "" : ":" + (this.port == Constants.WILDCARD_PORT ? "*" : this.port)) +
68 | 				(this.path == null ? "" : this.path);
69 | 	}
70 | 
71 | 	@Override
72 | 	public boolean equals(Object o) {
73 | 		if (this == o) return true;
74 | 		if (o == null || getClass() != o.getClass()) return false;
75 | 		Host that = (Host) o;
76 | 		return port == that.port &&
77 | 				Objects.equals(scheme, that.scheme) &&
78 | 				Objects.equals(host, that.host) &&
79 | 				Objects.equals(path, that.path);
80 | 	}
81 | 
82 | 	@Override
83 | 	public int hashCode() {
84 | 		return Objects.hash(scheme, host, port, path);
85 | 	}
86 | }
87 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Directive.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2;
 2 | 
 3 | import java.util.ArrayList;
 4 | import java.util.Collections;
 5 | import java.util.List;
 6 | import java.util.Locale;
 7 | import java.util.function.Predicate;
 8 | import java.util.regex.Pattern;
 9 | 
10 | 
11 | public class Directive {
12 | 	private static final Pattern DIRECTIVE_NAME_PATTERN = Pattern.compile("^[A-Za-z0-9\\-]+$");
13 | 	public static Predicate<String> IS_DIRECTIVE_NAME = s -> DIRECTIVE_NAME_PATTERN.matcher(s).matches();
14 | 	private static final Pattern NON_DIRECTIVE_CHAR_PATTERN = Pattern.compile("[" + Constants.WHITESPACE_CHARS + ",;]");
15 | 	public static Predicate<String> containsNonDirectiveCharacter =  s -> NON_DIRECTIVE_CHAR_PATTERN.matcher(s).matches();
16 | 	protected List<String> values;
17 | 
18 | 	protected static DirectiveErrorConsumer wrapManipulationErrorConsumer(ManipulationErrorConsumer errors) {
19 | 		return (severity, message, valueIndex) -> {
20 | 			switch (severity) {
21 | 				case Info:
22 | 					errors.add(ManipulationErrorConsumer.Severity.Info, message);
23 | 					break;
24 | 				case Warning:
25 | 					errors.add(ManipulationErrorConsumer.Severity.Warning, message);
26 | 					break;
27 | 				case Error:
28 | 					throw new RuntimeException(message);
29 | 				default:
30 | 					throw new RuntimeException("unreachable: unknown severity " + severity);
31 | 			}
32 | 		};
33 | 	}
34 | 
35 | 	protected void addValue(String value) {
36 | 		Policy.enforceAscii(value);
37 | 		if (containsNonDirectiveCharacter.test(value)) {
38 | 			throw new IllegalArgumentException("values must not contain whitespace, ',', or ';'");
39 | 		}
40 | 		if (value.isEmpty()) {
41 | 			throw new IllegalArgumentException("values must not be empty");
42 | 		}
43 | 		this.values.add(value);
44 | 	}
45 | 
46 | 	public List<String> getValues() {
47 | 		return Collections.unmodifiableList(this.values);
48 | 	}
49 | 
50 | 	protected Directive(List<String> values) {
51 | 		this.values = new ArrayList<>();
52 | 		for (String value : values) {
53 | 			// We use this API so we get the validity checks
54 | 			this.addValue(value);
55 | 		}
56 | 	}
57 | 
58 | 	protected void removeValueIgnoreCase(String value) {
59 | 		String lowcaseValue = value.toLowerCase(Locale.ENGLISH);
60 | 		// Could we use some fancy data structure to avoid the linear indexing here? Yes, probably. But in practice these are short lists, and iterating them is not that expensive.
61 | 		ArrayList<String> copy = new ArrayList<>(this.values.size());
62 | 		for (String existing : this.values) {
63 | 			if (!existing.toLowerCase(Locale.ENGLISH).equals(lowcaseValue)) {
64 | 				copy.add(existing);
65 | 			}
66 | 		}
67 | 		this.values = copy;
68 | 	}
69 | 
70 | 
71 | 	@FunctionalInterface
72 | 	public interface DirectiveErrorConsumer {
73 | 		void add(Policy.Severity severity, String message, int valueIndex); // index = -1 for errors not pertaining to a value
74 | 
75 | 		DirectiveErrorConsumer ignored = (severity, message, valueIndex) -> {};
76 | 	}
77 | 
78 | 	@FunctionalInterface
79 | 	public interface ManipulationErrorConsumer {
80 | 		void add(Severity severity, String message);
81 | 
82 | 		ManipulationErrorConsumer ignored = (severity, message) -> {};
83 | 
84 | 		// Info: strictly informative
85 | 		// Warning: it matches the grammar, but is meaningless, duplicated, or otherwise problematic
86 | 		enum Severity { Info, Warning }
87 | 	}
88 | }
89 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Constants.java:
--------------------------------------------------------------------------------
 1 | package com.shapesecurity.salvation2;
 2 | 
 3 | import java.util.regex.Pattern;
 4 | 
 5 | @SuppressWarnings("MalformedRegex")
 6 | public class Constants {
 7 | 	// https://tools.ietf.org/html/rfc3986#section-3.1
 8 | 	public static final String schemePart = "[a-zA-Z][a-zA-Z0-9+\\-.]*";
 9 | 	public static final Pattern schemePattern = Pattern.compile("^(" + Constants.schemePart + ":)");
10 | 
11 | 	// https://tools.ietf.org/html/rfc7230#section-3.2.6
12 | 	public static final Pattern rfc7230TokenPattern = Pattern.compile("^[!#$%&'*+\\-.^_`|~0-9a-zA-Z]+$");
13 | 
14 | 	// RFC 2045 appendix A: productions of type and subtype
15 | 	// https://tools.ietf.org/html/rfc2045#section-5.1
16 | 	public static final Pattern mediaTypePattern = Pattern.compile("^([a-zA-Z0-9!#$%^&*\\-_+{}|'.`~]+)/([a-zA-Z0-9!#$%^&*\\-_+{}|'.`~]+)$");
17 | 	public static final Pattern unquotedKeywordPattern = Pattern.compile("^(?:self|unsafe-inline|unsafe-eval|unsafe-redirect|none|strict-dynamic|unsafe-hashes|report-sample|unsafe-allow-redirects)$");
18 | 
19 | 	// port-part constants
20 | 	public static final int WILDCARD_PORT = -200;
21 | 	public static final int EMPTY_PORT = -1;
22 | 
23 | 	// https://w3c.github.io/webappsec-csp/#grammardef-host-part
24 | 	private static final String hostPart = "\\*|(?:\\*\\.)?[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*";
25 | 
26 | 	// https://w3c.github.io/webappsec-csp/#grammardef-port-part
27 | 	private static final String portPart = ":(?:[0-9]+|\\*)";
28 | 	private static final String unreserved = "[a-zA-Z0-9\\-._~]";
29 | 	private static final String pctEncoded = "%[a-fA-F0-9]{2}";
30 | 	private static final String subDelims = "[!$&'()*+,;=]";
31 | 	private static final String pchar = "(?:" + unreserved + "|" + pctEncoded + "|" + subDelims + "|[:@])";
32 | 
33 | 	// https://w3c.github.io/webappsec-csp/#grammardef-path-part
34 | 	// XXX: divergence from spec; uses path-abempty from RFC3986 instead of path
35 | 	private static final String pathPart = "(?:/" + pchar + "*)+";
36 | 
37 | 	private static final String queryFragmentPart = "(?:\\?[^#]*)?(?:#.*)?";
38 | 
39 | 	public static final Pattern hostSourcePattern = Pattern.compile(
40 | 			"^(" + schemePart + "://)?(" + hostPart + ")(" + portPart + ")?(" + pathPart
41 | 					+ ")?" + queryFragmentPart + "$");
42 | 	public static final Pattern IPv4address = Pattern.compile("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$");
43 | 	public static final Pattern IPV6loopback = Pattern.compile("^[0:]+:1$");
44 | 	public static final String IPv6address = "(?:(?:(?:[0-9A-Fa-f]{1,4}:){6}|::(?:[0-9A-Fa-f]{1,4}:){5}|(?:[0-9A-Fa-f]{1,4})?::(?:[0-9A-Fa-f]{1,4}:){4}|(?:(?:[0-9A-Fa-f]{1,4}:){0,1}[0-9A-Fa-f]{1,4})?::(?:[0-9A-Fa-f]{1,4}:){3}|(?:(?:[0-9A-Fa-f]{1,4}:){0,2}[0-9A-Fa-f]{1,4})?::(?:[0-9A-Fa-f]{1,4}:){2}|(?:(?:[0-9A-Fa-f]{1,4}:){0,3}[0-9A-Fa-f]{1,4})?::[0-9A-Fa-f]{1,4}:|(?:(?:[0-9A-Fa-f]{1,4}:){0,4}[0-9A-Fa-f]{1,4})?::)(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(?:(?:[0-9A-Fa-f]{1,4}:){0,5}[0-9A-Fa-f]{1,4})?::[0-9A-Fa-f]{1,4}|(?:(?:[0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4})?::)";
45 | 	public static final Pattern IPv6addressWithOptionalBracket = Pattern.compile("^(?:\\[" + IPv6address + "\\]|" + IPv6address + ")$");
46 | 
47 | 	// https://infra.spec.whatwg.org/#ascii-whitespace
48 | 	public static final String WHITESPACE_CHARS = "\t\n\f\r ";
49 | 	
50 | 	private Constants() {
51 | 		// Utility class
52 | 	}
53 | }
54 | 


--------------------------------------------------------------------------------
/demo-site/src/components/OutputPanel.jsx:
--------------------------------------------------------------------------------
  1 | import React, { memo, useMemo, useReducer } from 'react';
  2 | import { shape, arrayOf, number, string } from 'prop-types';
  3 | import { Card, CardBody, ListGroup, ListGroupItem, Stack } from 'react-bootstrap';
  4 | import { PolicyBreakdown } from './PolicyBreakdown';
  5 | import { ErrorToast } from './ErrorToast';
  6 | 
  7 | const errorReducer = (prevErrors, action) => {
  8 |   const matchingError = prevErrors.find(e => e.id === action.error.id && e.stack === action.error.stack);
  9 |   if (matchingError) return prevErrors;
 10 |   if (action.type === 'add') {
 11 |     return [...prevErrors, action.error];
 12 |   } else if (action.type === 'remove') {
 13 |     return prevErrors.filter(e => e.id !== action.error.id);
 14 |   }
 15 |   return prevErrors;
 16 | };
 17 | 
 18 | const OutputPanel = memo(({ policies }) => {
 19 |   const [errors, setErrors] = useReducer(errorReducer, []);
 20 | 
 21 |   const validationResults = [];
 22 | 
 23 |   useMemo(() => {
 24 |     const errorsToSet = [];
 25 |     policies.filter(({ policy }) => policy !== '').forEach(({ policy, id }) => {
 26 |       try {
 27 |         const result = window.getErrorsForSerializedCSP(policy);
 28 |         if (!result) {
 29 |           validationResults.push({ id, results: ['Valid'] });
 30 |         } else {
 31 |           validationResults.push({ id, results: result.split('\n').map(r => !r ? 'Valid' : r) });
 32 |         }
 33 |       } catch (e) {
 34 |         errorsToSet.push({ id, error: e });
 35 |       }
 36 |     });
 37 |     errorsToSet.forEach(error => setErrors({ type: 'add', error }));
 38 |     return errorsToSet;
 39 |   }, [policies]);
 40 | 
 41 |   const findPolicyById = id => policies.find(p => p.id === id);
 42 |   const hasGivenStatus = (directive, givenStatus) => directive.toLowerCase().startsWith(givenStatus);
 43 |   const calculateBorder = index => {
 44 |     if (index === 0 && validationResults.length > 1) {
 45 |       return 'rounded-bottom-0';
 46 |     } else if (index === validationResults.length - 1 && validationResults.length > 1) {
 47 |       return 'rounded-top-0 border-top-0';
 48 |     } else if (index > 0 && index < validationResults.length - 1) {
 49 |       return 'rounded-0 border-top-0';
 50 |     }
 51 |     return '';
 52 |   };
 53 | 
 54 |   const getVariantByResult = result => {
 55 |     let parseStatusClass = null;
 56 | 
 57 |     if (hasGivenStatus(result, 'warning')) {
 58 |       parseStatusClass = 'warning';
 59 |     }
 60 |     if (hasGivenStatus(result, 'error')) {
 61 |       parseStatusClass = 'danger';
 62 |     }
 63 |     if (hasGivenStatus(result, 'info')) {
 64 |       parseStatusClass = 'info';
 65 |     }
 66 | 
 67 |     return parseStatusClass || 'success';
 68 |   };
 69 | 
 70 |   const results = useMemo(() => (validationResults.map(({ results: rslts, id }, i) => (
 71 |     <Card className={calculateBorder(i)} key={i}>
 72 |       <PolicyBreakdown policy={findPolicyById(id)} />
 73 |       <CardBody>
 74 |         <Stack orientation="vertical">
 75 |           <ListGroup as="ol" numbered key={i}>
 76 |             {rslts.map((r, j) => (
 77 |               <ListGroupItem as="li" variant={getVariantByResult(r)} key={j}>
 78 |                 {r}
 79 |               </ListGroupItem>
 80 |             ))}
 81 |           </ListGroup>
 82 |         </Stack>
 83 |       </CardBody>
 84 |     </Card>
 85 |   ))), [policies]);
 86 | 
 87 |   const dismissError = error => {
 88 |     setErrors({ type: 'remove', error });
 89 |   };
 90 | 
 91 |   return (
 92 |     <>
 93 |       {errors.map(({ error, id }) => (
 94 |         <ErrorToast key={id} id={id} stack={error.stack} dismiss={dismissError} />
 95 |       ))}
 96 |       {results}
 97 |     </>
 98 |   );
 99 | });
100 | 
101 | OutputPanel.displayName = 'OutputPanel';
102 | 
103 | OutputPanel.propTypes = {
104 |   policies: arrayOf(shape({
105 |     id: number.isRequired,
106 |     policy: string.isRequired,
107 |   })).isRequired,
108 |   validationResults: arrayOf(
109 |     shape({
110 |       id: number.isRequired,
111 |       results: arrayOf(string),
112 |     }).isRequired,
113 |   ).isRequired,
114 | };
115 | 
116 | export { OutputPanel };
117 | 


--------------------------------------------------------------------------------
/demo-site/src/components/CSPValidationForm.jsx:
--------------------------------------------------------------------------------
  1 | import React, { useState, useEffect } from 'react';
  2 | import { arrayOf, func, string, shape, number } from 'prop-types';
  3 | import { Button, Card, CardBody, Col, Row } from 'react-bootstrap';
  4 | import { compressToBase64, compressToEncodedURIComponent, decompressFromBase64, decompressFromEncodedURIComponent } from 'lz-string';
  5 | import { PolicyBox } from './PolicyBox';
  6 | import { DashIcon } from '../icons/DashIcon';
  7 | import { PlusIcon } from '../icons/PlusIcon';
  8 | 
  9 | const CSPValidationForm = props => {
 10 |   const { policies, setPolicies } = props;
 11 |   // This is accounting for the first box which is not managed by state.
 12 |   const [boxId, setBoxId] = useState(1);
 13 | 
 14 |   const removePolicyBox = pId => {
 15 |     setPolicies({ type: 'remove', pId });
 16 |   };
 17 | 
 18 |   const removeAPolicyButton = id => (
 19 |     <Button variant="danger"
 20 |       title="remove a policy"
 21 |       onClick={() => {
 22 |         removePolicyBox(id);
 23 |       }}
 24 |     >
 25 |       <DashIcon />
 26 |     </Button>
 27 |   );
 28 | 
 29 |   // Adds another row of policy validation inputs with a remove button
 30 |   const addPolicyRow = () => {
 31 |     const incrementedBoxId = boxId + 1;
 32 |     setPolicies({ type: 'add', pId: incrementedBoxId });
 33 |     setBoxId(incrementedBoxId);
 34 |   };
 35 | 
 36 |   const AddPolicyRowBtn = (
 37 |     <Button
 38 |       variant="success"
 39 |       title="add a policy"
 40 |       onClick={addPolicyRow}
 41 |     >
 42 |       <PlusIcon />
 43 |     </Button>
 44 |   );
 45 | 
 46 |   // This expects a single string and each policy is on a new line.
 47 |   const setMultiplePolicies = unparsedPolicies => {
 48 |     const splitText = unparsedPolicies.split('\n');
 49 |     let newBoxId = 0;
 50 |     const newPolicies = splitText.filter(Boolean).map(p => ({ id: newBoxId++, policy: p.trim() }));
 51 |     setPolicies({ type: 'overwriteAll', policies: newPolicies });
 52 |     setBoxId(newBoxId);
 53 |     // Skip the first input box with .slice(1) since it's not managed by state.
 54 |   };
 55 | 
 56 |   useEffect(() => {
 57 |     const urlParams = new URLSearchParams(window.location.search);
 58 |     const policyParam = urlParams.get('policy');
 59 |     const policyLzParam = urlParams.get('policy_lz');
 60 |     let policiesToSet;
 61 |     if (policyParam != null) {
 62 |       policiesToSet = policyParam;
 63 |     } else if (policyLzParam != null) {
 64 |       policiesToSet = decompressFromBase64(decompressFromEncodedURIComponent(policyLzParam));
 65 |     }
 66 |     if (policiesToSet) {
 67 |       setMultiplePolicies(policiesToSet);
 68 |     }
 69 |   }, []);
 70 | 
 71 |   useEffect(() => {
 72 |     const allTogetherNow = policies.map(({ policy }) => policy).join('\n');
 73 |     const compressed = compressToEncodedURIComponent(compressToBase64(allTogetherNow));
 74 |     const url = `${window.location.pathname}?policy_lz=${compressed}`;
 75 |     history.replaceState(null, null, url);
 76 |   }, [policies]);
 77 | 
 78 |   return (
 79 |     <Card className="mb-3">
 80 |       <CardBody
 81 |         as="form"
 82 |         onSubmit={e => {
 83 |           e.preventDefault();
 84 |         }}
 85 |       >
 86 |         <Row>
 87 |           <Col md={12}>
 88 |             <PolicyBox
 89 |               AddOrRemovePolicyRowBtn={AddPolicyRowBtn}
 90 |               policies={policies}
 91 |               setPolicies={setPolicies}
 92 |               boxId={0}
 93 |             />
 94 |             {/* Splatting the array prevents mutating state, which is bad in React. */}
 95 |             {[...policies].slice(1).map(p => (
 96 |               <PolicyBox
 97 |                 key={p.id}
 98 |                 boxId={p.id}
 99 |                 policies={policies}
100 |                 setPolicies={setPolicies}
101 |                 AddOrRemovePolicyRowBtn={removeAPolicyButton(p.id)}
102 |               />
103 |             ))}
104 |           </Col>
105 |         </Row>
106 |       </CardBody>
107 |     </Card>
108 |   );
109 | };
110 | 
111 | CSPValidationForm.propTypes = {
112 |   setValidationResults: func.isRequired,
113 |   policies: arrayOf(
114 |     shape({
115 |       id: number.isRequired,
116 |       policy: string.isRequired,
117 |     }),
118 |   ).isRequired,
119 |   setPolicies: func.isRequired,
120 | };
121 | 
122 | export { CSPValidationForm };
123 | 


--------------------------------------------------------------------------------
/demo-site/.eslintrc.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | const { defineConfig } = require('eslint-define-config');
  3 | 
  4 | module.exports = defineConfig({
  5 |   extends: [
  6 |     'eslint:recommended',
  7 |     'plugin:react/recommended',
  8 |     'plugin:jsx-a11y/recommended',
  9 |   ],
 10 |   env: {
 11 |     browser: true,
 12 |     es2021: true,
 13 |     node: true,
 14 |   },
 15 |   parserOptions: {
 16 |     ecmaVersion: 'latest',
 17 |     sourceType: 'module',
 18 |     ecmaFeatures: {
 19 |       jsx: true,
 20 |     },
 21 |   },
 22 |   reportUnusedDisableDirectives: true,
 23 |   root: true,
 24 |   rules: {
 25 |     'array-element-newline': ['error', 'consistent'],
 26 |     'arrow-body-style': 'error',
 27 |     'array-bracket-spacing': ['error', 'never'],
 28 |     'arrow-parens': ['error', 'as-needed'],
 29 |     'brace-style': ['error', '1tbs'],
 30 |     'camelcase': 'error',
 31 |     'comma-dangle': ['error', 'always-multiline'],
 32 |     'comma-spacing': ['error', { before: false, after: true }],
 33 |     'comma-style': ['error', 'last'],
 34 |     'computed-property-spacing': ['error', 'never'],
 35 |     'consistent-return': 'error',
 36 |     'curly': ['error', 'multi-line'],
 37 |     'dot-notation': 'error',
 38 |     'eol-last': 'error',
 39 |     'eqeqeq': ['error', 'smart'],
 40 |     'func-call-spacing': 'error',
 41 |     'guard-for-in': 'error',
 42 |     'indent': [
 43 |       'error',
 44 |       2,
 45 |       {
 46 |         SwitchCase: 1,
 47 |         VariableDeclarator: {
 48 |           var: 2,
 49 |           let: 2,
 50 |           const: 3,
 51 |         },
 52 |       },
 53 |     ],
 54 |     'key-spacing': [
 55 |       'error',
 56 |       {
 57 |         beforeColon: false,
 58 |         afterColon: true,
 59 |       },
 60 |     ],
 61 |     'keyword-spacing': 'error',
 62 |     'max-statements-per-line': 'error',
 63 |     'no-alert': 'error',
 64 |     'no-caller': 'error',
 65 |     'no-else-return': 'error',
 66 |     'no-empty': [
 67 |       'error',
 68 |       {
 69 |         allowEmptyCatch: true,
 70 |       },
 71 |     ],
 72 |     'no-eval': 'error',
 73 |     'no-extend-native': 'error',
 74 |     'no-extra-bind': 'error',
 75 |     'no-floating-decimal': 'error',
 76 |     'no-implied-eval': 'error',
 77 |     'no-inner-declarations': ['error', 'both'],
 78 |     'no-lonely-if': 'error',
 79 |     'no-loop-func': 'error',
 80 |     'no-multi-spaces': 'error',
 81 |     'no-multiple-empty-lines': [
 82 |       'error',
 83 |       {
 84 |         max: 2,
 85 |       },
 86 |     ],
 87 |     'no-param-reassign': 'warn',
 88 | 
 89 |     'no-return-assign': 'error',
 90 |     'no-self-compare': 'error',
 91 |     'no-sequences': 'error',
 92 |     'no-shadow': ['error', { builtinGlobals: true }],
 93 |     'no-trailing-spaces': 'error',
 94 |     'no-undefined': 'error',
 95 |     'no-unused-expressions': 'error',
 96 |     'no-unused-vars': ['error', { vars: 'all', args: 'after-used' }],
 97 |     'no-use-before-define': ['error', 'nofunc'],
 98 |     'no-useless-call': 'error',
 99 |     'no-var': 'error',
100 |     'no-with': 'error',
101 |     'object-curly-spacing': ['error', 'always'],
102 |     'object-property-newline': [
103 |       'error',
104 |       {
105 |         allowAllPropertiesOnSameLine: true,
106 |       },
107 |     ],
108 |     'object-shorthand': ['error', 'always'],
109 |     'prefer-arrow-callback': ['error'],
110 |     'quotes': ['error', 'single', { avoidEscape: true }],
111 |     'semi': ['error', 'always'],
112 |     'semi-spacing': [
113 |       'error',
114 |       {
115 |         before: false,
116 |         after: true,
117 |       },
118 |     ],
119 |     'space-before-blocks': 'error',
120 |     'space-before-function-paren': ['error', { anonymous: 'always', named: 'never' }],
121 |     'space-in-parens': 'error',
122 |     'space-infix-ops': 'error',
123 |     'space-unary-ops': 'error',
124 |     'spaced-comment': [
125 |       'warn',
126 |       'always',
127 |       {
128 |         block: {
129 |           markers: ['!'],
130 |           exceptions: ['*'],
131 |         },
132 |         line: {
133 |           markers: ['/'],
134 |         },
135 |       },
136 |     ],
137 |     'wrap-iife': ['error', 'inside'],
138 |     'yoda': ['error', 'never'],
139 |   },
140 |   settings: {
141 |     react: {
142 |       version: 'detect',
143 |     },
144 |   },
145 |   overrides: [
146 |     {
147 |       files: ['*.js', '*.jsx'],
148 |     },
149 |     {
150 |       files: [
151 |         'webpack.config.js',
152 |         '.eslintrc.js',
153 |       ],
154 |       env: {
155 |         node: true,
156 |       },
157 |     },
158 |   ],
159 | });
160 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/FetchDirectiveKind.java:
--------------------------------------------------------------------------------
  1 | package com.shapesecurity.salvation2;
  2 | 
  3 | public enum FetchDirectiveKind {
  4 | 	ChildSrc("child-src"),
  5 | 	ConnectSrc("connect-src"),
  6 | 	DefaultSrc("default-src"),
  7 | 	FontSrc("font-src"),
  8 | 	FrameSrc("frame-src"),
  9 | 	ImgSrc("img-src"),
 10 | 	ManifestSrc("manifest-src"),
 11 | 	MediaSrc("media-src"),
 12 | 	ObjectSrc("object-src"),
 13 | 	PrefetchSrc("prefetch-src"),
 14 | 	ScriptSrcAttr("script-src-attr"),
 15 | 	ScriptSrc("script-src"),
 16 | 	ScriptSrcElem("script-src-elem"),
 17 | 	StyleSrcAttr("style-src-attr"),
 18 | 	StyleSrc("style-src"),
 19 | 	StyleSrcElem("style-src-elem"),
 20 | 	WorkerSrc("worker-src");
 21 | 
 22 | 	public final String repr;
 23 | 
 24 | 	FetchDirectiveKind(String repr) {
 25 | 		this.repr = repr;
 26 | 	}
 27 | 
 28 | 	// returns null if not matched
 29 | 	public static FetchDirectiveKind fromString(String name) {
 30 | 		switch (name) {
 31 | 			case "child-src":
 32 | 				return ChildSrc;
 33 | 			case "connect-src":
 34 | 				return ConnectSrc;
 35 | 			case "default-src":
 36 | 				return DefaultSrc;
 37 | 			case "font-src":
 38 | 				return FontSrc;
 39 | 			case "frame-src":
 40 | 				return FrameSrc;
 41 | 			case "img-src":
 42 | 				return ImgSrc;
 43 | 			case "manifest-src":
 44 | 				return ManifestSrc;
 45 | 			case "media-src":
 46 | 				return MediaSrc;
 47 | 			case "object-src":
 48 | 				return ObjectSrc;
 49 | 			case "prefetch-src":
 50 | 				return PrefetchSrc;
 51 | 			case "script-src-attr":
 52 | 				return ScriptSrcAttr;
 53 | 			case "script-src":
 54 | 				return ScriptSrc;
 55 | 			case "script-src-elem":
 56 | 				return ScriptSrcElem;
 57 | 			case "style-src-attr":
 58 | 				return StyleSrcAttr;
 59 | 			case "style-src":
 60 | 				return StyleSrc;
 61 | 			case "style-src-elem":
 62 | 				return StyleSrcElem;
 63 | 			case "worker-src":
 64 | 				return WorkerSrc;
 65 | 			default:
 66 | 				return null;
 67 | 		}
 68 | 	}
 69 | 
 70 | 
 71 | 	// https://w3c.github.io/webappsec-csp/#directive-fallback-list
 72 | 	// Note the oddity that worker-src falls back to child-src then script-src then directive-src, but frame-src falls back to child-src then directly default-src
 73 | 	// Also note that `script-src` falls back to `default-src` for "unsafe-eval", but this is done manually in prose rather than in this table (in https://w3c.github.io/webappsec-csp/#can-compile-strings )
 74 | 	// It is included here only for completeness
 75 | 	private static FetchDirectiveKind[] ScriptSrcFallback = new FetchDirectiveKind[] { ScriptSrc, DefaultSrc };
 76 | 	private static FetchDirectiveKind[] ScriptSrcElemFallback = new FetchDirectiveKind[] { ScriptSrcElem, ScriptSrc, DefaultSrc };
 77 | 	private static FetchDirectiveKind[] ScriptSrcAttrFallback = new FetchDirectiveKind[] { ScriptSrcAttr, ScriptSrc, DefaultSrc };
 78 | 	private static FetchDirectiveKind[] StyleSrcFallback = new FetchDirectiveKind[] { StyleSrc, DefaultSrc };
 79 | 	private static FetchDirectiveKind[] StyleSrcElemFallback = new FetchDirectiveKind[] { StyleSrcElem, StyleSrc, DefaultSrc };
 80 | 	private static FetchDirectiveKind[] StyleSrcAttrFallback = new FetchDirectiveKind[] { StyleSrcAttr, StyleSrc, DefaultSrc };
 81 | 	private static FetchDirectiveKind[] WorkerSrcFallback = new FetchDirectiveKind[] { WorkerSrc, ChildSrc, ScriptSrc, DefaultSrc };
 82 | 	private static FetchDirectiveKind[] ConnectSrcFallback = new FetchDirectiveKind[] { ConnectSrc, DefaultSrc };
 83 | 	private static FetchDirectiveKind[] ManifestSrcFallback = new FetchDirectiveKind[] { ManifestSrc, DefaultSrc };
 84 | 	private static FetchDirectiveKind[] PrefetchSrcFallback = new FetchDirectiveKind[] { PrefetchSrc, DefaultSrc };
 85 | 	private static FetchDirectiveKind[] ObjectSrcFallback = new FetchDirectiveKind[] { ObjectSrc, DefaultSrc };
 86 | 	private static FetchDirectiveKind[] FrameSrcFallback = new FetchDirectiveKind[] { FrameSrc, ChildSrc, DefaultSrc };
 87 | 	private static FetchDirectiveKind[] MediaSrcFallback = new FetchDirectiveKind[] { MediaSrc, DefaultSrc };
 88 | 	private static FetchDirectiveKind[] FontSrcFallback = new FetchDirectiveKind[] { FontSrc, DefaultSrc };
 89 | 	private static FetchDirectiveKind[] ImgSrcFallback = new FetchDirectiveKind[] { ImgSrc, DefaultSrc };
 90 | 
 91 | 	static FetchDirectiveKind[] getFetchDirectiveFallbackList(FetchDirectiveKind directive) {
 92 | 		switch (directive) {
 93 | 			case ScriptSrc:
 94 | 				return ScriptSrcFallback;
 95 | 			case ScriptSrcElem:
 96 | 				return ScriptSrcElemFallback;
 97 | 			case ScriptSrcAttr:
 98 | 				return ScriptSrcAttrFallback;
 99 | 			case StyleSrc:
100 | 				return StyleSrcFallback;
101 | 			case StyleSrcElem:
102 | 				return StyleSrcElemFallback;
103 | 			case StyleSrcAttr:
104 | 				return StyleSrcAttrFallback;
105 | 			case WorkerSrc:
106 | 				return WorkerSrcFallback;
107 | 			case ConnectSrc:
108 | 				return ConnectSrcFallback;
109 | 			case ManifestSrc:
110 | 				return ManifestSrcFallback;
111 | 			case PrefetchSrc:
112 | 				return PrefetchSrcFallback;
113 | 			case ObjectSrc:
114 | 				return ObjectSrcFallback;
115 | 			case FrameSrc:
116 | 				return FrameSrcFallback;
117 | 			case MediaSrc:
118 | 				return MediaSrcFallback;
119 | 			case FontSrc:
120 | 				return FontSrcFallback;
121 | 			case ImgSrc:
122 | 				return ImgSrcFallback;
123 | 			default:
124 | 				throw new IllegalArgumentException("Unknown fetch directive " + directive);
125 | 		}
126 | 	}
127 | }
128 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | salvation
  2 | ==========
  3 | 
  4 | This is a general purpose library for working with Content Security Policy policies.
  5 | 
  6 | * parse CSP policies into an easy-to-use representation
  7 | * ask questions about what a CSP policy allows or restricts
  8 | * warn about nonsensical CSP policies and deprecated or nonstandard features
  9 | * safely create and manipulate CSP policies
 10 | * render CSP policies
 11 | 
 12 | [cspvalidator.org](https://cspvalidator.org) demonstrates some of the features of Salvation in action.
 13 | 
 14 | ### Install
 15 | 
 16 | ```sh
 17 | mvn install
 18 | ```
 19 | 
 20 | ### A Note on CSP
 21 | 
 22 | The CSP specification is fairly complex even if you only care about the latest version. However, in practice you are likely to care that your policy does the things you intend it to on the browsers you care about, which are likely to implement different and potentially broken subsets of the specification (and potentially additional behavior which is not in the specification). And there are inevitable tradeoffs to be made regarding the size of your policy vs the security it provides.
 23 | 
 24 | As such, this project does not attempt to provide a one-size-fits-all way to manipulate a policy purely in terms of its effects - the full set of effects across all browsers is too vast to provide an effective API in general. It can help you build up a policy based on the directives and source-expressions you want, but to ensure your policy is correct, for your own definition of correct, there is no alternative to testing it on the real browsers you care about.
 25 | 
 26 | 
 27 | ### Create a Policy
 28 | 
 29 | Parse a policy using either `Policy.parseSerializedCSP` or `Policy.parseSerializedCSPList`. The second parameter will be called for each warning or error.
 30 | 
 31 | ```java
 32 | String policyText = "script-src 'none'";
 33 | Policy policy = Policy.parseSerializedCSP(policyText, (severity, message, directiveIndex, valueIndex) -> {
 34 |   System.err.println(severity.name() + " at directive " + directiveIndex + (valueIndex == -1 ? "" : " at value " + valueIndex) + ": " + message);
 35 | });
 36 | ```
 37 | 
 38 | ### Query a Policy
 39 | 
 40 | The high-level querying methods allow you to specify whatever relevant information you have. The missing information will be assumed to be worst-case - that is, these methods will return `true` only if any object which matches the provided characteristics would be allowed, regardless of its other characteristics. 
 41 | 
 42 | ```java
 43 | Policy policy = Policy.parseSerializedCSP("script-src http://a", Policy.PolicyErrorConsumer.ignored);
 44 | 
 45 | // true
 46 | System.out.println(policy.allowsExternalScript(
 47 |   Optional.empty(),
 48 |   Optional.empty(),
 49 |   Optional.of(URI.parse("http://a")),
 50 |   Optional.empty(),
 51 |   Optional.empty()
 52 | ));
 53 | 
 54 | // false
 55 | System.out.println(policy.allowsExternalScript(
 56 |   Optional.empty(),
 57 |   Optional.empty(),
 58 |   Optional.empty(),
 59 |   Optional.empty(),
 60 |   Optional.empty()
 61 | ));
 62 | ```
 63 | 
 64 | Note that these methods were correct according to current draft of the CSP specification when this library was written, but no browser implements precisely the current draft, and changes to the specification may also invalidate assumptions this library makes. There is no alternative to testing on the browsers you care about.
 65 | 
 66 | Because the `Policy` objects are rich structures, you can also ask about the presence or absence of specific directives or expressions:
 67 | 
 68 | ```java
 69 | Policy policy = Policy.parseSerializedCSP("script-src 'strict-dynamic'", Policy.PolicyErrorConsumer.ignored);
 70 | 
 71 | // Assumes the policy has a `script-src` directive (or else the `get` would throw), and checks if it contains the `'strict-dynamic'` source expression
 72 | System.out.println(policy.getFetchDirective(FetchDirectiveKind.ScriptSrc).get().strictDynamic());
 73 | ```
 74 | 
 75 | ### Manipulate a Policy
 76 | 
 77 | ```java
 78 | Policy policy = Policy.parseSerializedCSP("", Policy.PolicyErrorConsumer.ignored);
 79 | 
 80 | policy.add("sandbox", Collections.emptyList(), Directive.DirectiveErrorConsumer.ignored);
 81 | 
 82 | // you can use the provided Java APIs to manipulate values Salvation knows about
 83 | policy.sandbox().get().setAllowScripts(true);
 84 | 
 85 | // or you can use the lower-level APIs to manipulate values directly 
 86 | policy.sandbox().get().addValue("allow-something-new");
 87 | 
 88 | // "sandbox allow-scripts allow-something-new"
 89 | System.out.println(policy.toString());
 90 | 
 91 | ```
 92 | 
 93 | ### Serialize a Policy
 94 | 
 95 | ```java
 96 | policy.toString();
 97 | ```
 98 | 
 99 | ## Transpiling to JavaScript
100 | To reduce the overhead of running this library, it will now automatically be transpiled to JS as part of the compile goal by using [TeaVM](https://teavm.org/). It can then be placed on any webpage to be used as static JavaScript, thus alleviating the need for a JRE.
101 | 
102 | The transpiled code will be placed in `target/javascript` as `salvation-v${project.version}.min.js`.
103 | 
104 | If you experience errors relating to TeaVM transpiling, check the [supported TeaVM classes](https://teavm.org/jcl-report/recent/jcl.html).
105 | 
106 | ### Using the JavaScript
107 | 
108 | First run `mvn clean install` to build the JS file. Then include `salvation-vX.X.X.min.js` in your webpage.
109 | To use the parsing functions in on the webpage run `window.main()` to initialize them. From then on, `window.parseSerializedCSPList()` and `window.parseSerializedCSP()` will be available.
110 | 
111 | `parseSerializedCSP()` and `parseSerializedCSPList()` will return strings containing the parsing results. If there are multiple results, they will be separated by a newline. This is simply because TeaVM requires a lot of extra work for it to be able to return JS objects.
112 | 


--------------------------------------------------------------------------------
/src/test/java/com/shapesecurity/salvation2/TestBase.java:
--------------------------------------------------------------------------------
  1 | package com.shapesecurity.salvation2;
  2 | 
  3 | import java.util.Locale;
  4 | import java.util.Objects;
  5 | 
  6 | public class TestBase {
  7 | 	Policy.PolicyListErrorConsumer throwIfPolicyListError = (severity, message, policyIndex, directiveIndex, valueIndex) -> {
  8 | 		throw new RuntimeException(new PolicyListError(severity, message, policyIndex, directiveIndex, valueIndex).toString());
  9 | 	};
 10 | 
 11 | 	Policy.PolicyErrorConsumer throwIfPolicyError = (severity, message, directiveIndex, valueIndex) -> {
 12 | 		throw new RuntimeException(new PolicyError(severity, message, directiveIndex, valueIndex).toString());
 13 | 	};
 14 | 
 15 | 	Directive.DirectiveErrorConsumer throwIfDirectiveError = (severity, message, valueIndex) -> {
 16 | 		throw new RuntimeException(new DirectiveError(severity, message, valueIndex).toString());
 17 | 	};
 18 | 
 19 | 	Directive.ManipulationErrorConsumer throwIfManipulationError = (severity, message) -> {
 20 | 		throw new RuntimeException(new ManipulationError(severity, message).toString());
 21 | 	};
 22 | 
 23 | 	static void inTurkey(Runnable r) {
 24 | 		Locale current = Locale.getDefault();
 25 | 		try {
 26 | 			// In Turkey, "I" lowercases to "ı". This test enforces that we're doing ASCII-case-insensitive comparisons, rather than locale-specific comparisons.
 27 | 			Locale.setDefault(new Locale("tr", "TR"));
 28 | 			r.run();
 29 | 		} finally {
 30 | 			Locale.setDefault(current);
 31 | 		}
 32 | 	}
 33 | 
 34 | 	protected static PolicyListError e(Policy.Severity severity, String message, int policyIndex, int directiveIndex, int valueIndex) {
 35 | 		return new PolicyListError(severity, message, policyIndex, directiveIndex, valueIndex);
 36 | 	}
 37 | 
 38 | 	protected static PolicyError e(Policy.Severity severity, String message, int directiveIndex, int valueIndex) {
 39 | 		return new PolicyError(severity, message, directiveIndex, valueIndex);
 40 | 	}
 41 | 
 42 | 	protected static DirectiveError e(Policy.Severity severity, String message, int valueIndex) {
 43 | 		return new DirectiveError(severity, message, valueIndex);
 44 | 	}
 45 | 
 46 | 	protected static ManipulationError e(Directive.ManipulationErrorConsumer.Severity severity, String message) {
 47 | 		return new ManipulationError(severity, message);
 48 | 	}
 49 | 
 50 | 	static class PolicyListError {
 51 | 		final Policy.Severity severity;
 52 | 		final String message;
 53 | 		final int policyIndex;
 54 | 		final int directiveIndex;
 55 | 		final int valueIndex;
 56 | 
 57 | 		PolicyListError(Policy.Severity severity, String message, int policyIndex, int directiveIndex, int valueIndex) {
 58 | 			this.severity = severity;
 59 | 			this.message = message;
 60 | 			this.policyIndex = policyIndex;
 61 | 			this.directiveIndex = directiveIndex;
 62 | 			this.valueIndex = valueIndex;
 63 | 		}
 64 | 
 65 | 		@Override
 66 | 		public String toString() {
 67 | 			return "(" + this.severity.name() + ") " + this.message + " at policy " + this.policyIndex + " at directive " + this.directiveIndex + " at value " + this.valueIndex;
 68 | 		}
 69 | 
 70 | 		@Override
 71 | 		public boolean equals(Object o) {
 72 | 			if (this == o) return true;
 73 | 			if (o == null || getClass() != o.getClass()) return false;
 74 | 			PolicyListError that = (PolicyListError) o;
 75 | 			return policyIndex == that.policyIndex &&
 76 | 					directiveIndex == that.directiveIndex &&
 77 | 					valueIndex == that.valueIndex &&
 78 | 					severity == that.severity &&
 79 | 					message.equals(that.message);
 80 | 		}
 81 | 
 82 | 		@Override
 83 | 		public int hashCode() {
 84 | 			return Objects.hash(severity, message, policyIndex, directiveIndex, valueIndex);
 85 | 		}
 86 | 	}
 87 | 
 88 | 	static class PolicyError {
 89 | 		final Policy.Severity severity;
 90 | 		final String message;
 91 | 		final int directiveIndex;
 92 | 		final int valueIndex;
 93 | 
 94 | 		PolicyError(Policy.Severity severity, String message, int directiveIndex, int valueIndex) {
 95 | 			this.severity = severity;
 96 | 			this.message = message;
 97 | 			this.directiveIndex = directiveIndex;
 98 | 			this.valueIndex = valueIndex;
 99 | 		}
100 | 
101 | 		@Override
102 | 		public String toString() {
103 | 			return "(" + this.severity.name() + ") " + this.message + " at directive " + this.directiveIndex + " at value " + this.valueIndex;
104 | 		}
105 | 
106 | 		@Override
107 | 		public boolean equals(Object o) {
108 | 			if (this == o) return true;
109 | 			if (o == null || getClass() != o.getClass()) return false;
110 | 			PolicyError that = (PolicyError) o;
111 | 			return directiveIndex == that.directiveIndex &&
112 | 					valueIndex == that.valueIndex &&
113 | 					severity == that.severity &&
114 | 					message.equals(that.message);
115 | 		}
116 | 
117 | 		@Override
118 | 		public int hashCode() {
119 | 			return Objects.hash(severity, message, directiveIndex, valueIndex);
120 | 		}
121 | 	}
122 | 
123 | 	static class DirectiveError {
124 | 		final Policy.Severity severity;
125 | 		final String message;
126 | 		final int valueIndex;
127 | 
128 | 		DirectiveError(Policy.Severity severity, String message, int valueIndex) {
129 | 			this.severity = severity;
130 | 			this.message = message;
131 | 			this.valueIndex = valueIndex;
132 | 		}
133 | 
134 | 		@Override
135 | 		public String toString() {
136 | 			return "(" + this.severity.name() + ") " + this.message + " at value " + this.valueIndex;
137 | 		}
138 | 
139 | 		@Override
140 | 		public boolean equals(Object o) {
141 | 			if (this == o) return true;
142 | 			if (o == null || getClass() != o.getClass()) return false;
143 | 			DirectiveError that = (DirectiveError) o;
144 | 			return valueIndex == that.valueIndex &&
145 | 					severity == that.severity &&
146 | 					message.equals(that.message);
147 | 		}
148 | 
149 | 		@Override
150 | 		public int hashCode() {
151 | 			return Objects.hash(severity, message, valueIndex);
152 | 		}
153 | 	}
154 | 
155 | 	static class ManipulationError {
156 | 		final Directive.ManipulationErrorConsumer.Severity severity;
157 | 		final String message;
158 | 
159 | 		ManipulationError(Directive.ManipulationErrorConsumer.Severity severity, String message) {
160 | 			this.severity = severity;
161 | 			this.message = message;
162 | 		}
163 | 
164 | 		@Override
165 | 		public String toString() {
166 | 			return "(" + this.severity.name() + ") " + this.message;
167 | 		}
168 | 
169 | 		@Override
170 | 		public boolean equals(Object o) {
171 | 			if (this == o) return true;
172 | 			if (o == null || getClass() != o.getClass()) return false;
173 | 			ManipulationError that = (ManipulationError) o;
174 | 			return severity == that.severity &&
175 | 					message.equals(that.message);
176 | 		}
177 | 
178 | 		@Override
179 | 		public int hashCode() {
180 | 			return Objects.hash(severity, message);
181 | 		}
182 | 	}
183 | 
184 | }
185 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Directives/HostSourceDirective.java:
--------------------------------------------------------------------------------
  1 | package com.shapesecurity.salvation2.Directives;
  2 | 
  3 | import com.shapesecurity.salvation2.Constants;
  4 | import com.shapesecurity.salvation2.Directive;
  5 | import com.shapesecurity.salvation2.Policy;
  6 | import com.shapesecurity.salvation2.Values.Host;
  7 | import com.shapesecurity.salvation2.Values.Scheme;
  8 | 
  9 | import java.util.ArrayList;
 10 | import java.util.Collections;
 11 | import java.util.List;
 12 | import java.util.Optional;
 13 | import java.util.function.Function;
 14 | 
 15 | public abstract class HostSourceDirective extends Directive {
 16 | 	private static final String NONE_SRC = "'none'";
 17 | 	private static final String SELF_SRC = "'self'";
 18 | 	protected List<Scheme> schemes = new ArrayList<>();
 19 | 	protected List<Host> hosts = new ArrayList<>();
 20 | 	protected boolean star = false;
 21 | 	protected boolean self = false;
 22 | 
 23 | 	protected String none = null;
 24 | 
 25 | 	protected HostSourceDirective(List<String> values) {
 26 | 		super(values);
 27 | 	}
 28 | 
 29 | 	@Override
 30 | 	protected void addValue(String value) {
 31 | 		if (this.none != null) {
 32 | 			super.removeValueIgnoreCase(NONE_SRC); // super so as to not immediately add it back
 33 | 			this.none = null;
 34 | 		}
 35 | 		super.addValue(value);
 36 | 	}
 37 | 
 38 | 	@Override
 39 | 	protected void removeValueIgnoreCase(String value) {
 40 | 		super.removeValueIgnoreCase(value);
 41 | 		if (this.values.isEmpty()) {
 42 | 			this.values.add(NONE_SRC);
 43 | 			this.none = NONE_SRC;
 44 | 		}
 45 | 	}
 46 | 
 47 | 	protected <T> void removeValuesMatching(T value, Function<String, Optional<T>> parser) {
 48 | 		ArrayList<String> copy = new ArrayList<>(this.values.size());
 49 | 		for (String existing : this.values) {
 50 | 			Optional<T> parsed = parser.apply(existing);
 51 | 			if (!parsed.isPresent() || !parsed.get().equals(value)) {
 52 | 				copy.add(existing);
 53 | 			}
 54 | 		}
 55 | 		this.values = copy;
 56 | 		if (this.values.isEmpty()) {
 57 | 			this.values.add(NONE_SRC);
 58 | 			this.none = NONE_SRC;
 59 | 		}
 60 | 	}
 61 | 
 62 | 	void _addHostOrSchemeDuringConstruction(String token, String lowcaseToken, String kind, int index, DirectiveErrorConsumer errors) {
 63 | 		if (lowcaseToken.equals(NONE_SRC)) {
 64 | 			if (this.none == null) {
 65 | 				this.none = token;
 66 | 			}
 67 | 		} else if (lowcaseToken.equals("*")) {
 68 | 			// Technically this is just a specific kind of host-source, but it's worth handling explicitly
 69 | 			if (!this.star) {
 70 | 				this.star = true;
 71 | 			} else {
 72 | 				errors.add(Policy.Severity.Warning, "Duplicate " + kind + " *", index);
 73 | 			}
 74 | 		} else if (lowcaseToken.equals(SELF_SRC)) {
 75 | 			if (!this.self) {
 76 | 				this.self = true;
 77 | 			} else {
 78 | 				errors.add(Policy.Severity.Warning, "Duplicate " + kind + " 'self'", index);
 79 | 			}
 80 | 		} else {
 81 | 			Optional<Scheme> asScheme = Scheme.parseScheme(token);
 82 | 			if (asScheme.isPresent()) {
 83 | 				this._addScheme(asScheme.get(), index, errors);
 84 | 			} else {
 85 | 				if (Constants.unquotedKeywordPattern.matcher(token).find()) {
 86 | 					errors.add(Policy.Severity.Warning, "This host name is unusual, and likely meant to be a keyword that is missing the required quotes: \'" + token + "\'.", index);
 87 | 				}
 88 | 
 89 | 				Optional<Host> asHost = Host.parseHost(token);
 90 | 				if (asHost.isPresent()) {
 91 | 					this._addHostSource(asHost.get(), index, errors);
 92 | 				} else {
 93 | 					errors.add(Policy.Severity.Error, "Unrecognized " + kind + " " + token, index);
 94 | 				}
 95 | 			}
 96 | 		}
 97 | 	}
 98 | 
 99 | 	private boolean _addScheme(Scheme scheme, int index, DirectiveErrorConsumer errors) {
100 | 		if (this.schemes.contains(scheme)) {
101 | 			errors.add(Policy.Severity.Warning, "Duplicate scheme " + scheme, index);
102 | 			return false;
103 | 		} else {
104 | 			// TODO check if this subsumes or is subsumed by any existing scheme/host
105 | 			// NB we add it even if it subsumes or is subsumed by existing things, since it's still valid and not a duplicate
106 | 			this.schemes.add(scheme);
107 | 			return true;
108 | 		}
109 | 	}
110 | 
111 | 	private boolean _addHostSource(Host source, int index, DirectiveErrorConsumer errors) {
112 | 		if (this.hosts.contains(source)) {
113 | 			errors.add(Policy.Severity.Warning, "Duplicate host " + source.toString(), index);
114 | 			return false;
115 | 		} else {
116 | 			// TODO check if this subsumes or is subsumed by any existing scheme/host
117 | 			this.hosts.add(source);
118 | 			return true;
119 | 		}
120 | 	}
121 | 
122 | 	public boolean star() {
123 | 		return this.star;
124 | 	}
125 | 
126 | 	public void setStar(boolean star) {
127 | 		if (this.star == star) {
128 | 			return;
129 | 		}
130 | 		if (star) {
131 | 			this.addValue("*");
132 | 		} else {
133 | 			this.removeValueIgnoreCase("*");
134 | 		}
135 | 		this.star = star;
136 | 	}
137 | 
138 | 	public boolean self() {
139 | 		return this.self;
140 | 	}
141 | 
142 | 	public void setSelf(boolean self) {
143 | 		if (this.self == self) {
144 | 			return;
145 | 		}
146 | 		if (self) {
147 | 			this.addValue(SELF_SRC);
148 | 		} else {
149 | 			this.removeValueIgnoreCase(SELF_SRC);
150 | 		}
151 | 		this.self = self;
152 | 	}
153 | 
154 | 	public List<Scheme> getSchemes() {
155 | 		return Collections.unmodifiableList(this.schemes);
156 | 	}
157 | 
158 | 	public void addScheme(Scheme scheme, ManipulationErrorConsumer errors) {
159 | 		if (this._addScheme(scheme, -1, wrapManipulationErrorConsumer(errors))) {
160 | 			this.addValue(scheme.toString());
161 | 		}
162 | 	}
163 | 
164 | 	public boolean removeScheme(Scheme scheme) {
165 | 		if (!this.schemes.contains(scheme)) {
166 | 			return false;
167 | 		}
168 | 		this.schemes.remove(scheme);
169 | 		this.removeValueIgnoreCase(scheme.toString());
170 | 		return true;
171 | 	}
172 | 
173 | 
174 | 	public List<Host> getHosts() {
175 | 		return Collections.unmodifiableList(this.hosts);
176 | 	}
177 | 
178 | 	public void addHost(Host host, ManipulationErrorConsumer errors) {
179 | 		if (host.equals(Host.STAR)) {
180 | 			if (this.star) {
181 | 				errors.add(ManipulationErrorConsumer.Severity.Warning, "Duplicate host *");
182 | 			} else {
183 | 				this.star = true;
184 | 				this.addValue("*");
185 | 			}
186 | 			return;
187 | 		}
188 | 		if (this._addHostSource(host, -1, wrapManipulationErrorConsumer(errors))) {
189 | 			this.addValue(host.toString());
190 | 		}
191 | 	}
192 | 
193 | 	public boolean removeHost(Host host) {
194 | 		if (host.equals(Host.STAR)) {
195 | 			if (this.star) {
196 | 				this.setStar(false);
197 | 				return true;
198 | 			}
199 | 			return false;
200 | 		}
201 | 		if (!this.hosts.contains(host)) {
202 | 			return false;
203 | 		}
204 | 		this.hosts.remove(host);
205 | 		// Removing hosts is considerably more annoying than removing anything else, because they can have many representations.
206 | 		removeValuesMatching(host, Host::parseHost);
207 | 		return true;
208 | 	}
209 | }
210 | 


--------------------------------------------------------------------------------
/style.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0"?>
  2 | <!DOCTYPE module PUBLIC
  3 |         "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
  4 |         "http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd">
  5 | 
  6 | <module name = "Checker">
  7 |     <property name="charset" value="UTF-8"/>
  8 | 
  9 |     <property name="severity" value="error"/>
 10 | 
 11 |     <property name="fileExtensions" value="java, properties, xml"/>
 12 | 
 13 |     <!-- Files end in a newline -->
 14 |     <module name="NewlineAtEndOfFile"/>
 15 | 
 16 |     <module name="TreeWalker">
 17 |         <property name="tabWidth" value="4"/>
 18 | 
 19 |         <!-- Lines are indented with tabs -->
 20 |         <module name="RegexpSinglelineJava">
 21 |             <property name="format" value="^\t* "/>
 22 |             <property name="message" value="Indent must use tabs, not spaces"/>
 23 |             <property name="ignoreComments" value="true"/>
 24 |         </module>
 25 | 
 26 |         <!-- The filename matches the class or type declared in the file  -->
 27 |         <module name="OuterTypeFilename"/>
 28 | 
 29 |         <!-- There is only one top-level cass per file  -->
 30 |         <module name="OneTopLevelClass"/>
 31 | 
 32 |         <!-- Imports and package declarations don't have linebreaks  -->
 33 |         <module name="NoLineWrap"/>
 34 | 
 35 |         <!-- No empty blocks for try/if/switch (not case/default) -->
 36 |         <module name="EmptyBlock">
 37 |             <property name="option" value="TEXT"/>
 38 |             <property name="tokens"
 39 |                       value="LITERAL_TRY, LITERAL_FINALLY, LITERAL_IF, LITERAL_ELSE, LITERAL_SWITCH"/>
 40 |         </module>
 41 | 
 42 |         <!-- `if`s and loops have braces -->
 43 |         <module name="NeedBraces">
 44 |             <property name="allowSingleLineStatement" value="true"/>
 45 |             <property name="allowEmptyLoopBody" value="true"/>
 46 |         </module>
 47 | 
 48 |         <!-- `if (...) {`, not `if (...) \n {` -->
 49 |         <module name="LeftCurly"/>
 50 | 
 51 |         <!-- `} else`, not `} \n else` -->
 52 |         <module name="RightCurly">
 53 |             <property name="id" value="RightCurlySame"/>
 54 |             <property name="tokens" value="LITERAL_TRY, LITERAL_CATCH, LITERAL_FINALLY, LITERAL_IF, LITERAL_ELSE, LITERAL_DO"/>
 55 |         </module>
 56 |         <module name="RightCurly">
 57 |             <property name="id" value="RightCurlyAlone"/>
 58 |             <property name="option" value="alone"/>
 59 |             <property name="tokens" value="CLASS_DEF, METHOD_DEF, CTOR_DEF, LITERAL_FOR, LITERAL_WHILE, STATIC_INIT, INSTANCE_INIT"/>
 60 |         </module>
 61 | 
 62 |         <!-- `a = b`, not `a=b`; `if (...)`, not `if(...)`; etc -->
 63 |         <module name="WhitespaceAround">
 64 |             <property name="allowEmptyConstructors" value="true"/>
 65 |             <property name="allowEmptyMethods" value="true"/>
 66 |             <property name="allowEmptyTypes" value="true"/>
 67 |             <property name="allowEmptyLoops" value="true"/>
 68 |             <property name="allowEmptyLambdas" value="true"/>
 69 |             <message key="ws.notFollowed"
 70 |                      value="WhitespaceAround: ''{0}'' is not followed by whitespace."/>
 71 |             <message key="ws.notPreceded"
 72 |                      value="WhitespaceAround: ''{0}'' is not preceded with whitespace."/>
 73 |         </module>
 74 | 
 75 |         <!-- One statement per line -->
 76 |         <module name="OneStatementPerLine"/>
 77 | 
 78 |         <!-- Java-style `int[] ar` rather than C-style `int ar[]` -->
 79 |         <module name="ArrayTypeStyle">
 80 |             <message key="array.type.style" value="Array brackets should follow the contained type: `int[] ar`, not `int ar[]`"/>
 81 |         </module>
 82 | 
 83 |         <!-- Switch statements should have a default, even if it's just `/* pass */` or `throw new Error("unreachable");`-->
 84 |         <module name="MissingSwitchDefault"/>
 85 | 
 86 |         <!-- Fallthrough in non-empty `case`s needs to be marked explicitly with a `// falls through` comment -->
 87 |         <module name="FallThrough"/>
 88 | 
 89 |         <!-- Long numeric literals are written `0L`, not `0l` -->
 90 |         <module name="UpperEll"/>
 91 | 
 92 |         <!-- Modifiers appear in the order recommended by the Java standard -->
 93 |         <module name="ModifierOrder">
 94 |             <message key="mod.order" value="Modifier order should be `public abstract static final synchronized` etc; see http://checkstyle.sourceforge.net/config_modifier.html#ModifierOrder"/>
 95 |         </module>
 96 | 
 97 |         <!-- There is a blank line between methods and in other similar places -->
 98 |         <module name="EmptyLineSeparator">
 99 |             <property name="allowNoEmptyLineBetweenFields" value="true"/>
100 |             <property name="tokens" value="PACKAGE_DEF, IMPORT, STATIC_INIT, INSTANCE_INIT, METHOD_DEF, CTOR_DEF"/>
101 |         </module>
102 | 
103 |         <!-- `a\n.b`, not `a.\nb` -->
104 |         <module name="SeparatorWrap">
105 |             <property name="id" value="SeparatorWrapDot"/>
106 |             <property name="tokens" value="DOT"/>
107 |             <property name="option" value="nl"/>
108 |         </module>
109 | 
110 |         <!-- `f(a,\nb)`, not `f(a\n, b)` -->
111 |         <module name="SeparatorWrap">
112 |             <property name="id" value="SeparatorWrapComma"/>
113 |             <property name="tokens" value="COMMA"/>
114 |             <property name="option" value="EOL"/>
115 |         </module>
116 | 
117 |         <!-- `a\n::b`, not `a::\nb` -->
118 |         <module name="SeparatorWrap">
119 |             <property name="id" value="SeparatorWrapMethodRef"/>
120 |             <property name="tokens" value="METHOD_REF"/>
121 |             <property name="option" value="nl"/>
122 |         </module>
123 | 
124 |         <!-- Generics look like `<T> void f()` or `a.<T>b()`, not anything else -->
125 |         <module name="GenericWhitespace">
126 |             <message key="ws.followed"
127 |                      value="GenericWhitespace ''{0}'' is followed by whitespace."/>
128 |             <message key="ws.preceded"
129 |                      value="GenericWhitespace ''{0}'' is preceded with whitespace."/>
130 |             <message key="ws.illegalFollow"
131 |                      value="GenericWhitespace ''{0}'' should followed by whitespace."/>
132 |             <message key="ws.notPreceded"
133 |                      value="GenericWhitespace ''{0}'' is not preceded with whitespace."/>
134 |         </module>
135 | 
136 |         <!-- Indent by one tab -->
137 |         <module name="Indentation">
138 |             <property name="basicOffset" value="4"/>
139 |             <property name="braceAdjustment" value="0"/>
140 |             <property name="caseIndent" value="4"/>
141 |             <property name="throwsIndent" value="4"/>
142 |             <property name="lineWrappingIndentation" value="4"/>
143 |             <property name="arrayInitIndent" value="4"/>
144 |         </module>
145 | 
146 |         <!-- Overloaded methods are grouped together -->
147 |         <module name="OverloadMethodsDeclarationOrder"/>
148 | 
149 |         <!-- `void f(int a)`, not `void f( int a )` -->
150 |         <module name="MethodParamPad"/>
151 | 
152 |         <!-- No stray whitespace before semicolons, etc -->
153 |         <module name="NoWhitespaceBefore">
154 |             <property name="tokens"
155 |                       value="COMMA, SEMI, POST_INC, POST_DEC, DOT, ELLIPSIS, METHOD_REF"/>
156 |             <property name="allowLineBreaks" value="true"/>
157 |         </module>
158 | 
159 |         <!-- `(a + b)`, not `( a + b )` -->
160 |         <module name="ParenPad"/>
161 | 
162 |         <!-- Comments are indented to the same depth as surrounding code -->
163 |         <module name="CommentsIndentation"/>
164 |     </module>
165 | </module>


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Directives/SourceExpressionDirective.java:
--------------------------------------------------------------------------------
  1 | package com.shapesecurity.salvation2.Directives;
  2 | 
  3 | import com.shapesecurity.salvation2.Policy;
  4 | import com.shapesecurity.salvation2.Values.Hash;
  5 | import com.shapesecurity.salvation2.Values.Nonce;
  6 | 
  7 | import java.util.ArrayList;
  8 | import java.util.Collections;
  9 | import java.util.List;
 10 | import java.util.Locale;
 11 | import java.util.Optional;
 12 | 
 13 | public class SourceExpressionDirective extends HostSourceDirective {
 14 | 	private static final String REPORT_SAMPLE = "'report-sample'";
 15 | 	private static final String UNSAFE_INLINE = "'unsafe-inline'";
 16 | 	private static final String STRICT_DYNAMIC = "'strict-dynamic'";
 17 | 	private static final String UNSAFE_ALLOW_REDIRECTS = "'unsafe-allow-redirects'";
 18 | 	private static final String UNSAFE_EVAL = "'unsafe-eval'";
 19 | 	private static final String UNSAFE_HASHES = "'unsafe-hashes'";
 20 | 	private boolean unsafeInline = false;
 21 | 	private boolean unsafeEval = false;
 22 | 	private boolean strictDynamic = false;
 23 | 	private boolean unsafeHashes = false;
 24 | 	private boolean reportSample = false;
 25 | 	private boolean unsafeAllowRedirects = false;
 26 | 
 27 | 	// In practice, these are probably small enough for Lists to be faster than LinkedHashSets
 28 | 	private List<Nonce> nonces = new ArrayList<>();
 29 | 	private List<Hash> hashes = new ArrayList<>();
 30 | 
 31 | 
 32 | 	public SourceExpressionDirective(List<String> values, DirectiveErrorConsumer errors) {
 33 | 		super(values);
 34 | 
 35 | 		int index = 0;
 36 | 		for (String token : values) {
 37 | 			// The CSP grammar uses ABNF grammars, whose strings are case-insensitive: https://tools.ietf.org/html/rfc5234
 38 | 			String lowcaseToken = token.toLowerCase(Locale.ENGLISH); // This needs to be ASCII-lowercase, so that `'strIct-dynamic''` still parses in Turkey
 39 | 			switch (lowcaseToken) {
 40 | 				case UNSAFE_INLINE:
 41 | 					if (!this.unsafeInline) {
 42 | 						this.unsafeInline = true;
 43 | 					} else {
 44 | 						errors.add(Policy.Severity.Warning, "Duplicate source-expression 'unsafe-inline'", index);
 45 | 					}
 46 | 					break;
 47 | 				case UNSAFE_EVAL:
 48 | 					if (!this.unsafeEval) {
 49 | 						this.unsafeEval = true;
 50 | 					} else {
 51 | 						errors.add(Policy.Severity.Warning, "Duplicate source-expression 'unsafe-eval'", index);
 52 | 					}
 53 | 					break;
 54 | 				case STRICT_DYNAMIC:
 55 | 					if (!this.strictDynamic) {
 56 | 						this.strictDynamic = true;
 57 | 					} else {
 58 | 						errors.add(Policy.Severity.Warning, "Duplicate source-expression 'strict-dynamic'", index);
 59 | 					}
 60 | 					break;
 61 | 				case UNSAFE_HASHES:
 62 | 					if (!this.unsafeHashes) {
 63 | 						this.unsafeHashes = true;
 64 | 					} else {
 65 | 						errors.add(Policy.Severity.Warning, "Duplicate source-expression 'unsafe-hashes'", index);
 66 | 					}
 67 | 					break;
 68 | 				case REPORT_SAMPLE:
 69 | 					if (!this.reportSample) {
 70 | 						this.reportSample = true;
 71 | 					} else {
 72 | 						errors.add(Policy.Severity.Warning, "Duplicate source-expression 'report-sample'", index);
 73 | 					}
 74 | 					break;
 75 | 				case UNSAFE_ALLOW_REDIRECTS:
 76 | 					if (!this.unsafeAllowRedirects) {
 77 | 						this.unsafeAllowRedirects = true;
 78 | 					} else {
 79 | 						errors.add(Policy.Severity.Warning, "Duplicate source-expression 'unsafe-allow-redirects'", index);
 80 | 					}
 81 | 					break;
 82 | 				case "'unsafe-redirect'":
 83 | 					errors.add(Policy.Severity.Error, "'unsafe-redirect' has been removed from CSP as of version 2.0", index);
 84 | 					break;
 85 | 				case "'unsafe-hashed-attributes'":
 86 | 					errors.add(Policy.Severity.Error, "'unsafe-hashed-attributes' was renamed to 'unsafe-hashes' in June 2018", index);
 87 | 					break;
 88 | 				default:
 89 | 					if (lowcaseToken.startsWith("'nonce-")) {
 90 | 						// the above check is not strictly necessary, but allows us to give a better message for nonce-likes which don't match the base64 grammar
 91 | 						Optional<Nonce> nonce = Nonce.parseNonce(token);
 92 | 						if (nonce.isPresent()) {
 93 | 							this._addNonce(nonce.get(), index, errors);
 94 | 						} else {
 95 | 							errors.add(Policy.Severity.Error, "Unrecognised nonce " + token, index);
 96 | 						}
 97 | 						break;
 98 | 					} else if (lowcaseToken.startsWith("'sha")) {
 99 | 						// the above check is not strictly necessary, but allows us to give a better message for hash-likes which don't match the base64 grammar
100 | 						Optional<Hash> hash = Hash.parseHash(token);
101 | 						if (hash.isPresent()) {
102 | 							this._addHash(hash.get(), index, errors);
103 | 						} else {
104 | 							errors.add(Policy.Severity.Error, "'sha...' source-expression uses an unrecognized algorithm or does not match the base64-value grammar (or is missing its trailing \"'\")", index);
105 | 						}
106 | 						break;
107 | 					} else {
108 | 						this._addHostOrSchemeDuringConstruction(token, lowcaseToken, "source-expression", index, errors);
109 | 					}
110 | 			}
111 | 			++index;
112 | 		}
113 | 
114 | 		if (this.none != null && values.size() > 1) {
115 | 			errors.add(Policy.Severity.Error, "'none' must not be combined with any other source-expression", 1);
116 | 		}
117 | 
118 | 		if (values.isEmpty()) {
119 | 			errors.add(Policy.Severity.Error, "Source-expression lists cannot be empty (use 'none' instead)", -1);
120 | 		}
121 | 	}
122 | 
123 | 	private boolean _addNonce(Nonce nonce, int index, DirectiveErrorConsumer errors) {
124 | 		if (this.nonces.contains(nonce)) {
125 | 			errors.add(Policy.Severity.Warning, "Duplicate nonce " + nonce.toString(), index);
126 | 			return false;
127 | 		} else {
128 | 			this.nonces.add(nonce);
129 | 			return true;
130 | 		}
131 | 	}
132 | 
133 | 	private boolean _addHash(Hash hash, int index, DirectiveErrorConsumer errors) {
134 | 		if (this.hashes.contains(hash)) {
135 | 			errors.add(Policy.Severity.Warning, "Duplicate hash " + hash.toString(), index);
136 | 			return false;
137 | 		} else {
138 | 			if (hash.base64ValuePart.length() != hash.algorithm.length) {
139 | 				errors.add(Policy.Severity.Warning, "Wrong length for " + hash.algorithm.toString() + ": expected " + hash.algorithm.length + ", got " + hash.base64ValuePart.length(), index);
140 | 			}
141 | 
142 | 			if (hash.base64ValuePart.contains("_") || hash.base64ValuePart.contains("-")) {
143 | 				errors.add(Policy.Severity.Warning, "'_' and '-' in hashes can never match actual elements", index);
144 | 			}
145 | 
146 | 			this.hashes.add(hash);
147 | 			return true;
148 | 		}
149 | 	}
150 | 
151 | 
152 | 
153 | 	// Accessors
154 | 
155 | 	// TODO it would be nice to warn for adding things which are irrelevant
156 | 	// Though it would be better to just not provide those methods at all
157 | 	// But that kind of conflicts with the "only error on things which don't match the grammar" goal
158 | 	// See also https://github.com/w3c/webappsec-csp/issues/431
159 | 
160 | 	public boolean unsafeInline() {
161 | 		return this.unsafeInline;
162 | 	}
163 | 
164 | 	public void setUnsafeInline(boolean unsafeInline) {
165 | 		if (this.unsafeInline == unsafeInline) {
166 | 			return;
167 | 		}
168 | 		if (unsafeInline) {
169 | 			this.addValue(UNSAFE_INLINE);
170 | 		} else {
171 | 			this.removeValueIgnoreCase(UNSAFE_INLINE);
172 | 		}
173 | 		this.unsafeInline = unsafeInline;
174 | 	}
175 | 
176 | 
177 | 	public boolean unsafeEval() {
178 | 		return this.unsafeEval;
179 | 	}
180 | 
181 | 	public void setUnsafeEval(boolean unsafeEval) {
182 | 		if (this.unsafeEval == unsafeEval) {
183 | 			return;
184 | 		}
185 | 		if (unsafeEval) {
186 | 			this.addValue(UNSAFE_EVAL);
187 | 		} else {
188 | 			this.removeValueIgnoreCase(UNSAFE_EVAL);
189 | 		}
190 | 		this.unsafeEval = unsafeEval;
191 | 	}
192 | 
193 | 
194 | 	public boolean strictDynamic() {
195 | 		return this.strictDynamic;
196 | 	}
197 | 
198 | 	public void setStrictDynamic(boolean strictDynamic) {
199 | 		if (this.strictDynamic == strictDynamic) {
200 | 			return;
201 | 		}
202 | 		if (strictDynamic) {
203 | 			this.addValue(STRICT_DYNAMIC);
204 | 		} else {
205 | 			this.removeValueIgnoreCase(STRICT_DYNAMIC);
206 | 		}
207 | 		this.strictDynamic = strictDynamic;
208 | 	}
209 | 
210 | 
211 | 	public boolean unsafeHashes() {
212 | 		return this.unsafeHashes;
213 | 	}
214 | 
215 | 	public void setUnsafeHashes(boolean unsafeHashes) {
216 | 		if (this.unsafeHashes == unsafeHashes) {
217 | 			return;
218 | 		}
219 | 		if (unsafeHashes) {
220 | 			this.addValue(UNSAFE_HASHES);
221 | 		} else {
222 | 			this.removeValueIgnoreCase(UNSAFE_HASHES);
223 | 		}
224 | 		this.unsafeHashes = unsafeHashes;
225 | 	}
226 | 
227 | 
228 | 	public boolean reportSample() {
229 | 		return this.reportSample;
230 | 	}
231 | 
232 | 	public void setReportSample(boolean reportSample) {
233 | 		if (this.reportSample == reportSample) {
234 | 			return;
235 | 		}
236 | 		if (reportSample) {
237 | 			this.addValue(REPORT_SAMPLE);
238 | 		} else {
239 | 			this.removeValueIgnoreCase(REPORT_SAMPLE);
240 | 		}
241 | 		this.reportSample = reportSample;
242 | 	}
243 | 
244 | 
245 | 	public boolean unsafeAllowRedirects() {
246 | 		return this.unsafeAllowRedirects;
247 | 	}
248 | 
249 | 	public void setUnsafeAllowRedirects(boolean unsafeAllowRedirects) {
250 | 		if (this.unsafeAllowRedirects == unsafeAllowRedirects) {
251 | 			return;
252 | 		}
253 | 		if (unsafeAllowRedirects) {
254 | 			this.addValue(UNSAFE_ALLOW_REDIRECTS);
255 | 		} else {
256 | 			this.removeValueIgnoreCase(UNSAFE_ALLOW_REDIRECTS);
257 | 		}
258 | 		this.unsafeAllowRedirects = unsafeAllowRedirects;
259 | 	}
260 | 
261 | 
262 | 	public List<Nonce> getNonces() {
263 | 		return Collections.unmodifiableList(this.nonces);
264 | 	}
265 | 
266 | 	public void addNonce(Nonce nonce, ManipulationErrorConsumer errors) {
267 | 		if (this._addNonce(nonce, -1, wrapManipulationErrorConsumer(errors))) {
268 | 			this.addValue(nonce.toString());
269 | 		}
270 | 	}
271 | 
272 | 	public boolean removeNonce(Nonce nonce) {
273 | 		if (!this.nonces.contains(nonce)) {
274 | 			return false;
275 | 		}
276 | 		this.nonces.remove(nonce);
277 | 		// we can't just "removeValue" or "removeValueIgnoreCase" because the `nonce-` part is case-insensitive but the remainder is case-sensitive
278 | 		this.removeValuesMatching(nonce, Nonce::parseNonce);
279 | 		return true;
280 | 	}
281 | 
282 | 	public List<Hash> getHashes() {
283 | 		return Collections.unmodifiableList(this.hashes);
284 | 	}
285 | 
286 | 	public void addHash(Hash hash, ManipulationErrorConsumer errors) {
287 | 		if (this._addHash(hash, -1, wrapManipulationErrorConsumer(errors))) {
288 | 			this.addValue(hash.toString());
289 | 		}
290 | 	}
291 | 
292 | 	public boolean removeHash(Hash hash) {
293 | 		if (!this.hashes.contains(hash)) {
294 | 			return false;
295 | 		}
296 | 		this.hashes.remove(hash);
297 | 		// we can't just "removeValue" or "removeValueIgnoreCase" because the `sha256-` part is case-insensitive but the remainder is case-sensitive
298 | 		this.removeValuesMatching(hash, Hash::parseHash);
299 | 		return true;
300 | 	}
301 | }
302 | 


--------------------------------------------------------------------------------
/src/main/java/com/shapesecurity/salvation2/Directives/SandboxDirective.java:
--------------------------------------------------------------------------------
  1 | package com.shapesecurity.salvation2.Directives;
  2 | 
  3 | import com.shapesecurity.salvation2.Directive;
  4 | import com.shapesecurity.salvation2.Policy;
  5 | 
  6 | import java.util.List;
  7 | import java.util.Locale;
  8 | 
  9 | public class SandboxDirective extends Directive {
 10 | 	private static final String ALLOW_DOWNLOADS = "allow-downloads";
 11 | 	private boolean allowDownloads = false;
 12 | 	private boolean allowForms = false;
 13 | 	private boolean allowModals = false;
 14 | 	private boolean allowOrientationLock = false;
 15 | 	private boolean allowPointerLock = false;
 16 | 	private boolean allowPopups = false;
 17 | 	private boolean allowPopupsToEscapeSandbox = false;
 18 | 	private boolean allowPresentation = false;
 19 | 	private boolean allowSameOrigin = false;
 20 | 	private boolean allowScripts = false;
 21 | 	private boolean allowStorageAccessByUserActivation = false;
 22 | 	private boolean allowTopNavigation = false;
 23 | 	private boolean allowTopNavigationByUserActivation = false;
 24 | 
 25 | 	public SandboxDirective(List<String> values, DirectiveErrorConsumer errors) {
 26 | 		super(values);
 27 | 
 28 | 		int index = 0;
 29 | 		for (String token : values) {
 30 | 			// HTML attribute keywords are ascii-case-insensitive: https://html.spec.whatwg.org/multipage/common-microsyntaxes.html#keywords-and-enumerated-attributes
 31 | 			String lowcaseToken = token.toLowerCase(Locale.ENGLISH);
 32 | 			switch (lowcaseToken) {
 33 | 				case ALLOW_DOWNLOADS:
 34 | 					if (!this.allowDownloads) {
 35 | 						this.allowDownloads = true;
 36 | 					} else {
 37 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-downloads", index);
 38 | 					}
 39 | 					break;
 40 | 				case "allow-forms":
 41 | 					if (!this.allowForms) {
 42 | 						this.allowForms = true;
 43 | 					} else {
 44 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-forms", index);
 45 | 					}
 46 | 					break;
 47 | 				case "allow-modals":
 48 | 					if (!this.allowModals) {
 49 | 						this.allowModals = true;
 50 | 					} else {
 51 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-modals", index);
 52 | 					}
 53 | 					break;
 54 | 				case "allow-orientation-lock":
 55 | 					if (!this.allowOrientationLock) {
 56 | 						this.allowOrientationLock = true;
 57 | 					} else {
 58 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-orientation-lock", index);
 59 | 					}
 60 | 					break;
 61 | 				case "allow-pointer-lock":
 62 | 					if (!this.allowPointerLock) {
 63 | 						this.allowPointerLock = true;
 64 | 					} else {
 65 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-pointer-lock", index);
 66 | 					}
 67 | 					break;
 68 | 				case "allow-popups":
 69 | 					if (!this.allowPopups) {
 70 | 						this.allowPopups = true;
 71 | 					} else {
 72 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-popups", index);
 73 | 					}
 74 | 					break;
 75 | 				case "allow-popups-to-escape-sandbox":
 76 | 					if (!this.allowPopupsToEscapeSandbox) {
 77 | 						this.allowPopupsToEscapeSandbox = true;
 78 | 					} else {
 79 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-popups-to-escape-sandbox", index);
 80 | 					}
 81 | 					break;
 82 | 				case "allow-presentation":
 83 | 					if (!this.allowPresentation) {
 84 | 						this.allowPresentation = true;
 85 | 					} else {
 86 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-presentation", index);
 87 | 					}
 88 | 					break;
 89 | 				case "allow-same-origin":
 90 | 					if (!this.allowSameOrigin) {
 91 | 						this.allowSameOrigin = true;
 92 | 					} else {
 93 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-same-origin", index);
 94 | 					}
 95 | 					break;
 96 | 				case "allow-scripts":
 97 | 					if (!this.allowScripts) {
 98 | 						this.allowScripts = true;
 99 | 					} else {
100 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-scripts", index);
101 | 					}
102 | 					break;
103 | 				case "allow-storage-access-by-user-activation":
104 | 					if (!this.allowStorageAccessByUserActivation) {
105 | 						this.allowStorageAccessByUserActivation = true;
106 | 					} else {
107 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-storage-access-by-user-activation", index);
108 | 					}
109 | 					break;
110 | 				case "allow-top-navigation":
111 | 					if (!this.allowTopNavigation) {
112 | 						this.allowTopNavigation = true;
113 | 					} else {
114 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-top-navigation", index);
115 | 					}
116 | 					break;
117 | 				case "allow-top-navigation-by-user-activation":
118 | 					if (!this.allowTopNavigationByUserActivation) {
119 | 						this.allowTopNavigationByUserActivation = true;
120 | 					} else {
121 | 						errors.add(Policy.Severity.Warning, "Duplicate sandbox keyword allow-top-navigation-by-user-activation", index);
122 | 					}
123 | 					break;
124 | 				default:
125 | 					if (token.startsWith("'")) {
126 | 						errors.add(Policy.Severity.Error, "Unrecognized sandbox keyword " + token + " - note that sandbox keywords do not have \"'\"s", index);
127 | 					} else {
128 | 						errors.add(Policy.Severity.Error, "Unrecognized sandbox keyword " + token, index);
129 | 					}
130 | 			}
131 | 			++index;
132 | 		}
133 | 	}
134 | 
135 | 
136 | 	public boolean allowDownloads() {
137 | 		return this.allowDownloads;
138 | 	}
139 | 
140 | 	public void setAllowDownloads(boolean allowDownloads) {
141 | 		if (this.allowDownloads == allowDownloads) {
142 | 			return;
143 | 		}
144 | 		if (allowDownloads) {
145 | 			this.addValue(ALLOW_DOWNLOADS);
146 | 		} else {
147 | 			this.removeValueIgnoreCase(ALLOW_DOWNLOADS);
148 | 		}
149 | 		this.allowDownloads = allowDownloads;
150 | 	}
151 | 
152 | 
153 | 	public boolean allowForms() {
154 | 		return this.allowForms;
155 | 	}
156 | 
157 | 	public void setAllowForms(boolean allowForms) {
158 | 		if (this.allowForms == allowForms) {
159 | 			return;
160 | 		}
161 | 		if (allowForms) {
162 | 			this.addValue("allow-forms");
163 | 		} else {
164 | 			this.removeValueIgnoreCase("allow-forms");
165 | 		}
166 | 		this.allowForms = allowForms;
167 | 	}
168 | 
169 | 
170 | 	public boolean allowModals() {
171 | 		return this.allowModals;
172 | 	}
173 | 
174 | 	public void setAllowModals(boolean allowModals) {
175 | 		if (this.allowModals == allowModals) {
176 | 			return;
177 | 		}
178 | 		if (allowModals) {
179 | 			this.addValue("allow-modals");
180 | 		} else {
181 | 			this.removeValueIgnoreCase("allow-modals");
182 | 		}
183 | 		this.allowModals = allowModals;
184 | 	}
185 | 
186 | 
187 | 	public boolean allowOrientationLock() {
188 | 		return this.allowOrientationLock;
189 | 	}
190 | 
191 | 	public void setAllowOrientationLock(boolean allowOrientationLock) {
192 | 		if (this.allowOrientationLock == allowOrientationLock) {
193 | 			return;
194 | 		}
195 | 		if (allowOrientationLock) {
196 | 			this.addValue("allow-orientation-lock");
197 | 		} else {
198 | 			this.removeValueIgnoreCase("allow-orientation-lock");
199 | 		}
200 | 		this.allowOrientationLock = allowOrientationLock;
201 | 	}
202 | 
203 | 
204 | 	public boolean allowPointerLock() {
205 | 		return this.allowPointerLock;
206 | 	}
207 | 
208 | 	public void setAllowPointerLock(boolean allowPointerLock) {
209 | 		if (this.allowPointerLock == allowPointerLock) {
210 | 			return;
211 | 		}
212 | 		if (allowPointerLock) {
213 | 			this.addValue("allow-pointer-lock");
214 | 		} else {
215 | 			this.removeValueIgnoreCase("allow-pointer-lock");
216 | 		}
217 | 		this.allowPointerLock = allowPointerLock;
218 | 	}
219 | 
220 | 
221 | 	public boolean allowPopups() {
222 | 		return this.allowPopups;
223 | 	}
224 | 
225 | 	public void setAllowPopups(boolean allowPopups) {
226 | 		if (this.allowPopups == allowPopups) {
227 | 			return;
228 | 		}
229 | 		if (allowPopups) {
230 | 			this.addValue("allow-popups");
231 | 		} else {
232 | 			this.removeValueIgnoreCase("allow-popups");
233 | 		}
234 | 		this.allowPopups = allowPopups;
235 | 	}
236 | 
237 | 
238 | 	public boolean allowPopupsToEscapeSandbox() {
239 | 		return this.allowPopupsToEscapeSandbox;
240 | 	}
241 | 
242 | 	public void setAllowPopupsToEscapeSandbox(boolean allowPopupsToEscapeSandbox) {
243 | 		if (this.allowPopupsToEscapeSandbox == allowPopupsToEscapeSandbox) {
244 | 			return;
245 | 		}
246 | 		if (allowPopupsToEscapeSandbox) {
247 | 			this.addValue("allow-popups-to-escape-sandbox");
248 | 		} else {
249 | 			this.removeValueIgnoreCase("allow-popups-to-escape-sandbox");
250 | 		}
251 | 		this.allowPopupsToEscapeSandbox = allowPopupsToEscapeSandbox;
252 | 	}
253 | 
254 | 
255 | 	public boolean allowPresentation() {
256 | 		return this.allowPresentation;
257 | 	}
258 | 
259 | 	public void setAllowPresentation(boolean allowPresentation) {
260 | 		if (this.allowPresentation == allowPresentation) {
261 | 			return;
262 | 		}
263 | 		if (allowPresentation) {
264 | 			this.addValue("allow-presentation");
265 | 		} else {
266 | 			this.removeValueIgnoreCase("allow-presentation");
267 | 		}
268 | 		this.allowPresentation = allowPresentation;
269 | 	}
270 | 
271 | 
272 | 	public boolean allowSameOrigin() {
273 | 		return this.allowSameOrigin;
274 | 	}
275 | 
276 | 	public void setAllowSameOrigin(boolean allowSameOrigin) {
277 | 		if (this.allowSameOrigin == allowSameOrigin) {
278 | 			return;
279 | 		}
280 | 		if (allowSameOrigin) {
281 | 			this.addValue("allow-same-origin");
282 | 		} else {
283 | 			this.removeValueIgnoreCase("allow-same-origin");
284 | 		}
285 | 		this.allowSameOrigin = allowSameOrigin;
286 | 	}
287 | 
288 | 
289 | 	public boolean allowScripts() {
290 | 		return this.allowScripts;
291 | 	}
292 | 
293 | 	public void setAllowScripts(boolean allowScripts) {
294 | 		if (this.allowScripts == allowScripts) {
295 | 			return;
296 | 		}
297 | 		if (allowScripts) {
298 | 			this.addValue("allow-scripts");
299 | 		} else {
300 | 			this.removeValueIgnoreCase("allow-scripts");
301 | 		}
302 | 		this.allowScripts = allowScripts;
303 | 	}
304 | 
305 | 
306 | 	public boolean allowStorageAccessByUserActivation() {
307 | 		return this.allowStorageAccessByUserActivation;
308 | 	}
309 | 
310 | 	public void setAllowStorageAccessByUserActivation(boolean allowStorageAccessByUserActivation) {
311 | 		if (this.allowStorageAccessByUserActivation == allowStorageAccessByUserActivation) {
312 | 			return;
313 | 		}
314 | 		if (allowStorageAccessByUserActivation) {
315 | 			this.addValue("allow-storage-access-by-user-activation");
316 | 		} else {
317 | 			this.removeValueIgnoreCase("allow-storage-access-by-user-activation");
318 | 		}
319 | 		this.allowStorageAccessByUserActivation = allowStorageAccessByUserActivation;
320 | 	}
321 | 
322 | 
323 | 	public boolean allowTopNavigation() {
324 | 		return this.allowTopNavigation;
325 | 	}
326 | 
327 | 	public void setAllowTopNavigation(boolean allowTopNavigation) {
328 | 		if (this.allowTopNavigation == allowTopNavigation) {
329 | 			return;
330 | 		}
331 | 		if (allowTopNavigation) {
332 | 			this.addValue("allow-top-navigation");
333 | 		} else {
334 | 			this.removeValueIgnoreCase("allow-top-navigation");
335 | 		}
336 | 		this.allowTopNavigation = allowTopNavigation;
337 | 	}
338 | 
339 | 
340 | 	public boolean allowTopNavigationByUserActivation() {
341 | 		return this.allowTopNavigationByUserActivation;
342 | 	}
343 | 
344 | 	public void setAllowTopNavigationByUserActivation(boolean allowTopNavigationByUserActivation) {
345 | 		if (this.allowTopNavigationByUserActivation == allowTopNavigationByUserActivation) {
346 | 			return;
347 | 		}
348 | 		if (allowTopNavigationByUserActivation) {
349 | 			this.addValue("allow-top-navigation-by-user-activation");
350 | 		} else {
351 | 			this.removeValueIgnoreCase("allow-top-navigation-by-user-activation");
352 | 		}
353 | 		this.allowTopNavigationByUserActivation = allowTopNavigationByUserActivation;
354 | 	}
355 | }
356 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | 
  2 |                                  Apache License
  3 |                            Version 2.0, January 2004
  4 |                         http://www.apache.org/licenses/
  5 | 
  6 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  7 | 
  8 |    1. Definitions.
  9 | 
 10 |       "License" shall mean the terms and conditions for use, reproduction,
 11 |       and distribution as defined by Sections 1 through 9 of this document.
 12 | 
 13 |       "Licensor" shall mean the copyright owner or entity authorized by
 14 |       the copyright owner that is granting the License.
 15 | 
 16 |       "Legal Entity" shall mean the union of the acting entity and all
 17 |       other entities that control, are controlled by, or are under common
 18 |       control with that entity. For the purposes of this definition,
 19 |       "control" means (i) the power, direct or indirect, to cause the
 20 |       direction or management of such entity, whether by contract or
 21 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 22 |       outstanding shares, or (iii) beneficial ownership of such entity.
 23 | 
 24 |       "You" (or "Your") shall mean an individual or Legal Entity
 25 |       exercising permissions granted by this License.
 26 | 
 27 |       "Source" form shall mean the preferred form for making modifications,
 28 |       including but not limited to software source code, documentation
 29 |       source, and configuration files.
 30 | 
 31 |       "Object" form shall mean any form resulting from mechanical
 32 |       transformation or translation of a Source form, including but
 33 |       not limited to compiled object code, generated documentation,
 34 |       and conversions to other media types.
 35 | 
 36 |       "Work" shall mean the work of authorship, whether in Source or
 37 |       Object form, made available under the License, as indicated by a
 38 |       copyright notice that is included in or attached to the work
 39 |       (an example is provided in the Appendix below).
 40 | 
 41 |       "Derivative Works" shall mean any work, whether in Source or Object
 42 |       form, that is based on (or derived from) the Work and for which the
 43 |       editorial revisions, annotations, elaborations, or other modifications
 44 |       represent, as a whole, an original work of authorship. For the purposes
 45 |       of this License, Derivative Works shall not include works that remain
 46 |       separable from, or merely link (or bind by name) to the interfaces of,
 47 |       the Work and Derivative Works thereof.
 48 | 
 49 |       "Contribution" shall mean any work of authorship, including
 50 |       the original version of the Work and any modifications or additions
 51 |       to that Work or Derivative Works thereof, that is intentionally
 52 |       submitted to Licensor for inclusion in the Work by the copyright owner
 53 |       or by an individual or Legal Entity authorized to submit on behalf of
 54 |       the copyright owner. For the purposes of this definition, "submitted"
 55 |       means any form of electronic, verbal, or written communication sent
 56 |       to the Licensor or its representatives, including but not limited to
 57 |       communication on electronic mailing lists, source code control systems,
 58 |       and issue tracking systems that are managed by, or on behalf of, the
 59 |       Licensor for the purpose of discussing and improving the Work, but
 60 |       excluding communication that is conspicuously marked or otherwise
 61 |       designated in writing by the copyright owner as "Not a Contribution."
 62 | 
 63 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 64 |       on behalf of whom a Contribution has been received by Licensor and
 65 |       subsequently incorporated within the Work.
 66 | 
 67 |    2. Grant of Copyright License. Subject to the terms and conditions of
 68 |       this License, each Contributor hereby grants to You a perpetual,
 69 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 70 |       copyright license to reproduce, prepare Derivative Works of,
 71 |       publicly display, publicly perform, sublicense, and distribute the
 72 |       Work and such Derivative Works in Source or Object form.
 73 | 
 74 |    3. Grant of Patent License. Subject to the terms and conditions of
 75 |       this License, each Contributor hereby grants to You a perpetual,
 76 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 77 |       (except as stated in this section) patent license to make, have made,
 78 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 79 |       where such license applies only to those patent claims licensable
 80 |       by such Contributor that are necessarily infringed by their
 81 |       Contribution(s) alone or by combination of their Contribution(s)
 82 |       with the Work to which such Contribution(s) was submitted. If You
 83 |       institute patent litigation against any entity (including a
 84 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 85 |       or a Contribution incorporated within the Work constitutes direct
 86 |       or contributory patent infringement, then any patent licenses
 87 |       granted to You under this License for that Work shall terminate
 88 |       as of the date such litigation is filed.
 89 | 
 90 |    4. Redistribution. You may reproduce and distribute copies of the
 91 |       Work or Derivative Works thereof in any medium, with or without
 92 |       modifications, and in Source or Object form, provided that You
 93 |       meet the following conditions:
 94 | 
 95 |       (a) You must give any other recipients of the Work or
 96 |           Derivative Works a copy of this License; and
 97 | 
 98 |       (b) You must cause any modified files to carry prominent notices
 99 |           stating that You changed the files; and
100 | 
101 |       (c) You must retain, in the Source form of any Derivative Works
102 |           that You distribute, all copyright, patent, trademark, and
103 |           attribution notices from the Source form of the Work,
104 |           excluding those notices that do not pertain to any part of
105 |           the Derivative Works; and
106 | 
107 |       (d) If the Work includes a "NOTICE" text file as part of its
108 |           distribution, then any Derivative Works that You distribute must
109 |           include a readable copy of the attribution notices contained
110 |           within such NOTICE file, excluding those notices that do not
111 |           pertain to any part of the Derivative Works, in at least one
112 |           of the following places: within a NOTICE text file distributed
113 |           as part of the Derivative Works; within the Source form or
114 |           documentation, if provided along with the Derivative Works; or,
115 |           within a display generated by the Derivative Works, if and
116 |           wherever such third-party notices normally appear. The contents
117 |           of the NOTICE file are for informational purposes only and
118 |           do not modify the License. You may add Your own attribution
119 |           notices within Derivative Works that You distribute, alongside
120 |           or as an addendum to the NOTICE text from the Work, provided
121 |           that such additional attribution notices cannot be construed
122 |           as modifying the License.
123 | 
124 |       You may add Your own copyright statement to Your modifications and
125 |       may provide additional or different license terms and conditions
126 |       for use, reproduction, or distribution of Your modifications, or
127 |       for any such Derivative Works as a whole, provided Your use,
128 |       reproduction, and distribution of the Work otherwise complies with
129 |       the conditions stated in this License.
130 | 
131 |    5. Submission of Contributions. Unless You explicitly state otherwise,
132 |       any Contribution intentionally submitted for inclusion in the Work
133 |       by You to the Licensor shall be under the terms and conditions of
134 |       this License, without any additional terms or conditions.
135 |       Notwithstanding the above, nothing herein shall supersede or modify
136 |       the terms of any separate license agreement you may have executed
137 |       with Licensor regarding such Contributions.
138 | 
139 |    6. Trademarks. This License does not grant permission to use the trade
140 |       names, trademarks, service marks, or product names of the Licensor,
141 |       except as required for reasonable and customary use in describing the
142 |       origin of the Work and reproducing the content of the NOTICE file.
143 | 
144 |    7. Disclaimer of Warranty. Unless required by applicable law or
145 |       agreed to in writing, Licensor provides the Work (and each
146 |       Contributor provides its Contributions) on an "AS IS" BASIS,
147 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 |       implied, including, without limitation, any warranties or conditions
149 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 |       PARTICULAR PURPOSE. You are solely responsible for determining the
151 |       appropriateness of using or redistributing the Work and assume any
152 |       risks associated with Your exercise of permissions under this License.
153 | 
154 |    8. Limitation of Liability. In no event and under no legal theory,
155 |       whether in tort (including negligence), contract, or otherwise,
156 |       unless required by applicable law (such as deliberate and grossly
157 |       negligent acts) or agreed to in writing, shall any Contributor be
158 |       liable to You for damages, including any direct, indirect, special,
159 |       incidental, or consequential damages of any character arising as a
160 |       result of this License or out of the use or inability to use the
161 |       Work (including but not limited to damages for loss of goodwill,
162 |       work stoppage, computer failure or malfunction, or any and all
163 |       other commercial damages or losses), even if such Contributor
164 |       has been advised of the possibility of such damages.
165 | 
166 |    9. Accepting Warranty or Additional Liability. While redistributing
167 |       the Work or Derivative Works thereof, You may choose to offer,
168 |       and charge a fee for, acceptance of support, warranty, indemnity,
169 |       or other liability obligations and/or rights consistent with this
170 |       License. However, in accepting such obligations, You may act only
171 |       on Your own behalf and on Your sole responsibility, not on behalf
172 |       of any other Contributor, and only if You agree to indemnify,
173 |       defend, and hold each Contributor harmless for any liability
174 |       incurred by, or claims asserted against, such Contributor by reason
175 |       of your accepting any such warranty or additional liability.
176 | 
177 |    END OF TERMS AND CONDITIONS
178 | 
179 |    APPENDIX: How to apply the Apache License to your work.
180 | 
181 |       To apply the Apache License to your work, attach the following
182 |       boilerplate notice, with the fields enclosed by brackets "[]"
183 |       replaced with your own identifying information. (Don't include
184 |       the brackets!)  The text should be enclosed in the appropriate
185 |       comment syntax for the file format. We also recommend that a
186 |       file or class name and description of purpose be included on the
187 |       same "printed page" as the copyright notice for easier
188 |       identification within third-party archives.
189 | 
190 |    Copyright [yyyy] [name of copyright owner]
191 | 
192 |    Licensed under the Apache License, Version 2.0 (the "License");
193 |    you may not use this file except in compliance with the License.
194 |    You may obtain a copy of the License at
195 | 
196 |        http://www.apache.org/licenses/LICENSE-2.0
197 | 
198 |    Unless required by applicable law or agreed to in writing, software
199 |    distributed under the License is distributed on an "AS IS" BASIS,
200 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 |    See the License for the specific language governing permissions and
202 |    limitations under the License.
203 | 


--------------------------------------------------------------------------------
/src/test/java/com/shapesecurity/salvation2/LowLevelPolicyManipulationTest.java:
--------------------------------------------------------------------------------
  1 | package com.shapesecurity.salvation2;
  2 | 
  3 | import org.junit.Test;
  4 | 
  5 | import java.util.ArrayList;
  6 | import java.util.Arrays;
  7 | import java.util.Collections;
  8 | import java.util.List;
  9 | 
 10 | import static org.junit.Assert.assertEquals;
 11 | import static org.junit.Assert.assertFalse;
 12 | import static org.junit.Assert.assertTrue;
 13 | 
 14 | public class LowLevelPolicyManipulationTest extends TestBase {
 15 | 	@Test
 16 | 	public void testAdd() {
 17 | 		Policy p;
 18 | 
 19 | 		// Basic ability to add directives
 20 | 		p = Policy.parseSerializedCSP("", throwIfPolicyError);
 21 | 		assertFalse(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).isPresent());
 22 | 		add(
 23 | 				p,
 24 | 				"default-src",
 25 | 				Arrays.asList("'self'")
 26 | 		);
 27 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).isPresent());
 28 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).get().self());
 29 | 		assertFalse(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).get().unsafeInline());
 30 | 		assertEquals("default-src 'self'", p.toString());
 31 | 
 32 | 		// Supports adding duplicates
 33 | 		add(
 34 | 				p,
 35 | 				"default-src",
 36 | 				Arrays.asList("'unsafe-inline'"),
 37 | 				e(Policy.Severity.Warning, "Duplicate directive default-src", -1)
 38 | 		);
 39 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).isPresent());
 40 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).get().self());
 41 | 		assertFalse(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).get().unsafeInline());
 42 | 		assertEquals("default-src 'self'; default-src 'unsafe-inline'", p.toString());
 43 | 
 44 | 		// Supports adding directives with odd casing
 45 | 		assertFalse(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
 46 | 		inTurkey(() -> {
 47 | 			add(
 48 | 					p,
 49 | 					"SCRIPT-SRC",
 50 | 					Arrays.asList("'STRICT-DYNAMIC'")
 51 | 			);
 52 | 		});
 53 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
 54 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).get().strictDynamic());
 55 | 		assertEquals("default-src 'self'; default-src 'unsafe-inline'; SCRIPT-SRC 'STRICT-DYNAMIC'", p.toString());
 56 | 
 57 | 		// Supports adding unknown directives
 58 | 		add(
 59 | 				p,
 60 | 				"not-a-directive",
 61 | 				Arrays.asList(),
 62 | 				e(Policy.Severity.Warning, "Unrecognized directive not-a-directive", -1)
 63 | 		);
 64 | 		assertEquals("default-src 'self'; default-src 'unsafe-inline'; SCRIPT-SRC 'STRICT-DYNAMIC'; not-a-directive", p.toString());
 65 | 
 66 | 		// Supports adding directives with unreasonable values
 67 | 		add(
 68 | 				p,
 69 | 				"sandbox",
 70 | 				Arrays.asList("allow-nonsense"),
 71 | 				e(Policy.Severity.Error, "Unrecognized sandbox keyword allow-nonsense", 0)
 72 | 		);
 73 | 		assertEquals("default-src 'self'; default-src 'unsafe-inline'; SCRIPT-SRC 'STRICT-DYNAMIC'; not-a-directive; sandbox allow-nonsense", p.toString());
 74 | 
 75 | 		// TODO tests for invalid inputs
 76 | 	}
 77 | 
 78 | 	@Test
 79 | 	public void testRemove() {
 80 | 		Policy p;
 81 | 
 82 | 		p = Policy.parseSerializedCSP("default-src a; script-src b; img-src c", throwIfPolicyError);
 83 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).isPresent());
 84 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
 85 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ImgSrc).isPresent());
 86 | 
 87 | 		// Basic ability to remove things
 88 | 		assertTrue(p.remove("script-src"));
 89 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).isPresent());
 90 | 		assertFalse(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
 91 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ImgSrc).isPresent());
 92 | 		assertEquals("default-src a; img-src c", p.toString());
 93 | 
 94 | 		assertTrue(p.remove("default-src"));
 95 | 		assertFalse(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).isPresent());
 96 | 		assertFalse(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
 97 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ImgSrc).isPresent());
 98 | 		assertEquals("img-src c", p.toString());
 99 | 
100 | 		// Removes all copies
101 | 		p = Policy.parseSerializedCSP("default-src a; script-src b; img-src c; script-src d", Policy.PolicyErrorConsumer.ignored);
102 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).isPresent());
103 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
104 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ImgSrc).isPresent());
105 | 		assertEquals("default-src a; script-src b; img-src c; script-src d", p.toString());
106 | 
107 | 		assertTrue(p.remove("script-src"));
108 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).isPresent());
109 | 		assertFalse(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
110 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ImgSrc).isPresent());
111 | 		assertEquals("default-src a; img-src c", p.toString());
112 | 
113 | 		// Removing is case-insensitive
114 | 		inTurkey(() -> {
115 | 			Policy p2 = Policy.parseSerializedCSP("scrIPT-src a", Policy.PolicyErrorConsumer.ignored);
116 | 			assertTrue(p2.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
117 | 
118 | 			assertTrue(p2.remove("SCRipt-SRC"));
119 | 			assertFalse(p2.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
120 | 			assertEquals("", p2.toString());
121 | 
122 | 			p2 = Policy.parseSerializedCSP("script-src a", Policy.PolicyErrorConsumer.ignored);
123 | 			assertTrue(p2.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
124 | 
125 | 			assertTrue(p2.remove("SCRIPT-SRC"));
126 | 			assertFalse(p2.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
127 | 			assertEquals("", p2.toString());
128 | 		});
129 | 
130 | 		// Returns false if nothing is removed
131 | 		p = Policy.parseSerializedCSP("default-src a; script-src b; img-src c", throwIfPolicyError);
132 | 		assertFalse(p.remove("font-src"));
133 | 		assertFalse(p.remove("not-a-directive"));
134 | 		assertEquals("default-src a; script-src b; img-src c", p.toString());
135 | 
136 | 		// Can remove nonsense directives
137 | 		p = Policy.parseSerializedCSP("default-src a; not-a-directive b", Policy.PolicyErrorConsumer.ignored);
138 | 		assertTrue(p.remove("not-a-directive"));
139 | 		assertEquals("default-src a", p.toString());
140 | 
141 | 		// Every kind of directive is removable
142 | 		p = Policy.parseSerializedCSP("base-uri 'self'", throwIfPolicyError);
143 | 		assertTrue(p.baseUri().isPresent());
144 | 		assertTrue(p.remove("base-uri"));
145 | 		assertFalse(p.remove("base-uri"));
146 | 		assertFalse(p.baseUri().isPresent());
147 | 		assertEquals("", p.toString());
148 | 
149 | 		p = Policy.parseSerializedCSP("block-all-mixed-content", throwIfPolicyError);
150 | 		assertTrue(p.blockAllMixedContent());
151 | 		assertTrue(p.remove("block-all-mixed-content"));
152 | 		assertFalse(p.remove("block-all-mixed-content"));
153 | 		assertFalse(p.blockAllMixedContent());
154 | 		assertEquals("", p.toString());
155 | 
156 | 		p = Policy.parseSerializedCSP("form-action 'self'", throwIfPolicyError);
157 | 		assertTrue(p.formAction().isPresent());
158 | 		assertTrue(p.remove("form-action"));
159 | 		assertFalse(p.remove("form-action"));
160 | 		assertFalse(p.formAction().isPresent());
161 | 		assertEquals("", p.toString());
162 | 
163 | 		p = Policy.parseSerializedCSP("frame-ancestors 'self'", throwIfPolicyError);
164 | 		assertTrue(p.frameAncestors().isPresent());
165 | 		assertTrue(p.remove("frame-ancestors"));
166 | 		assertFalse(p.remove("frame-ancestors"));
167 | 		assertFalse(p.frameAncestors().isPresent());
168 | 		assertEquals("", p.toString());
169 | 
170 | 		p = Policy.parseSerializedCSP("navigate-to 'self'", throwIfPolicyError);
171 | 		assertTrue(p.navigateTo().isPresent());
172 | 		assertTrue(p.remove("navigate-to"));
173 | 		assertFalse(p.remove("navigate-to"));
174 | 		assertFalse(p.navigateTo().isPresent());
175 | 		assertEquals("", p.toString());
176 | 
177 | 		p = Policy.parseSerializedCSP("plugin-types a/b", throwIfPolicyError);
178 | 		assertTrue(p.pluginTypes().isPresent());
179 | 		assertTrue(p.remove("plugin-types"));
180 | 		assertFalse(p.remove("plugin-types"));
181 | 		assertFalse(p.pluginTypes().isPresent());
182 | 		assertEquals("", p.toString());
183 | 
184 | 		p = Policy.parseSerializedCSP("report-to 'self'", throwIfPolicyError);
185 | 		assertTrue(p.reportTo().isPresent());
186 | 		assertTrue(p.remove("report-to"));
187 | 		assertFalse(p.remove("report-to"));
188 | 		assertFalse(p.reportTo().isPresent());
189 | 		assertEquals("", p.toString());
190 | 
191 | 		p = Policy.parseSerializedCSP("report-uri 'self'", Policy.PolicyErrorConsumer.ignored);
192 | 		assertTrue(p.reportUri().isPresent());
193 | 		assertTrue(p.remove("report-uri"));
194 | 		assertFalse(p.remove("report-uri"));
195 | 		assertFalse(p.reportUri().isPresent());
196 | 		assertEquals("", p.toString());
197 | 
198 | 		p = Policy.parseSerializedCSP("sandbox allow-downloads", throwIfPolicyError);
199 | 		assertTrue(p.sandbox().isPresent());
200 | 		assertTrue(p.remove("sandbox"));
201 | 		assertFalse(p.remove("sandbox"));
202 | 		assertFalse(p.sandbox().isPresent());
203 | 		assertEquals("", p.toString());
204 | 
205 | 		p = Policy.parseSerializedCSP("upgrade-insecure-requests", throwIfPolicyError);
206 | 		assertTrue(p.upgradeInsecureRequests());
207 | 		assertTrue(p.remove("upgrade-insecure-requests"));
208 | 		assertFalse(p.remove("upgrade-insecure-requests"));
209 | 		assertFalse(p.upgradeInsecureRequests());
210 | 		assertEquals("", p.toString());
211 | 	}
212 | 
213 | 	@Test(expected = IllegalArgumentException.class)
214 | 	public void testAddAssertsNonemptyNames() {
215 | 		Policy p = Policy.parseSerializedCSP("", throwIfPolicyError);
216 | 		p.add("", Collections.emptyList(), Directive.DirectiveErrorConsumer.ignored);
217 | 	}
218 | 
219 | 	@Test(expected = IllegalArgumentException.class)
220 | 	public void testAddAssertsAsciiInNames() {
221 | 		Policy p = Policy.parseSerializedCSP("", throwIfPolicyError);
222 | 		p.add("é", Collections.emptyList(), Directive.DirectiveErrorConsumer.ignored);
223 | 	}
224 | 
225 | 	@Test(expected = IllegalArgumentException.class)
226 | 	public void testAddAssertsNoCommasInNames() {
227 | 		Policy p = Policy.parseSerializedCSP("", throwIfPolicyError);
228 | 		p.add(",", Collections.emptyList(), Directive.DirectiveErrorConsumer.ignored);
229 | 	}
230 | 
231 | 	@Test(expected = IllegalArgumentException.class)
232 | 	public void testAddAssertsNoSemisInNames() {
233 | 		Policy p = Policy.parseSerializedCSP("", throwIfPolicyError);
234 | 		p.add(";", Collections.emptyList(), Directive.DirectiveErrorConsumer.ignored);
235 | 	}
236 | 
237 | 	@Test(expected = IllegalArgumentException.class)
238 | 	public void testAddAssertsNonemptyValues() {
239 | 		Policy p = Policy.parseSerializedCSP("", throwIfPolicyError);
240 | 		p.add("default-src", Collections.singletonList(""), Directive.DirectiveErrorConsumer.ignored);
241 | 	}
242 | 
243 | 	@Test(expected = IllegalArgumentException.class)
244 | 	public void testAddAssertsAsciiInValues() {
245 | 		Policy p = Policy.parseSerializedCSP("", throwIfPolicyError);
246 | 		p.add("default-src", Collections.singletonList("é"), Directive.DirectiveErrorConsumer.ignored);
247 | 	}
248 | 
249 | 	@Test(expected = IllegalArgumentException.class)
250 | 	public void testAddAssertsNoCommasInValues() {
251 | 		Policy p = Policy.parseSerializedCSP("", throwIfPolicyError);
252 | 		p.add("default-src", Collections.singletonList(","), Directive.DirectiveErrorConsumer.ignored);
253 | 	}
254 | 
255 | 	@Test(expected = IllegalArgumentException.class)
256 | 	public void testAddAssertsNoSemisInValues() {
257 | 		Policy p = Policy.parseSerializedCSP("", throwIfPolicyError);
258 | 		p.add("default-src", Collections.singletonList(";"), Directive.DirectiveErrorConsumer.ignored);
259 | 	}
260 | 
261 | 
262 | 	private static void add(Policy p, String name, List<String> values, DirectiveError... errors) {
263 | 		ArrayList<DirectiveError> observedErrors = new ArrayList<>();
264 | 		Directive.DirectiveErrorConsumer consumer = (severity, message, valueIndex) -> {
265 | 			observedErrors.add(e(severity, message, valueIndex));
266 | 		};
267 | 		p.add(name, values, consumer);
268 | 		assertEquals("should have the expected number of errors", errors.length, observedErrors.size());
269 | 		for (int i = 0; i < errors.length; ++i) {
270 | 			assertEquals(errors[i], observedErrors.get(i));
271 | 		}
272 | 	}
273 | 
274 | }
275 | 


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  3 |          xmlns="http://maven.apache.org/POM/4.0.0"
  4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5 |     <modelVersion>4.0.0</modelVersion>
  6 | 
  7 |     <groupId>com.shapesecurity</groupId>
  8 |     <artifactId>salvation2</artifactId>
  9 |     <version>3.0.1</version>
 10 |     <packaging>jar</packaging>
 11 | 
 12 |     <name>salvation</name>
 13 |     <description>Parse Content Security Policy headers, warn about policy errors, safely manipulate, render, and optimise policies</description>
 14 |     <url>http://cspvalidator.org</url>
 15 | 
 16 |     <properties>
 17 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 18 |         <gpg.skip>true</gpg.skip>
 19 |     </properties>
 20 | 
 21 |     <developers>
 22 |         <developer>
 23 |             <name>Michael Ficarra</name>
 24 |             <email>mficarra@shapesecurity.com</email>
 25 |             <organization>Shape Security</organization>
 26 |             <organizationUrl>https://www.shapesecurity.com</organizationUrl>
 27 |         </developer>
 28 |         <developer>
 29 |             <name>Sergey Shekyan</name>
 30 |             <email>shekyan@gmail.com</email>
 31 |             <organization>Shape Security</organization>
 32 |             <organizationUrl>https://www.shapesecurity.com</organizationUrl>
 33 |         </developer>
 34 |         <developer>
 35 |             <name>Kevin Gibbons</name>
 36 |             <email>kevin@shapesecurity.com</email>
 37 |             <organization>Shape Security</organization>
 38 |             <organizationUrl>https://www.shapesecurity.com</organizationUrl>
 39 |         </developer>
 40 |     </developers>
 41 | 
 42 |     <scm>
 43 |         <connection>scm:git:git@github.com:shapesecurity/salvation.git</connection>
 44 |         <developerConnection>scm:git:git@github.com:shapesecurity/salvation.git</developerConnection>
 45 |         <url>git@github.com:shapesecurity/salvation.git</url>
 46 |     </scm>
 47 | 
 48 |     <licenses>
 49 |         <license>
 50 |             <name>Apache License, Version 2.0</name>
 51 |             <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
 52 |             <distribution>repo</distribution>
 53 |         </license>
 54 |     </licenses>
 55 | 
 56 |     <distributionManagement>
 57 |         <snapshotRepository>
 58 |             <id>ossrh</id>
 59 |             <url>https://oss.sonatype.org/content/repositories/snapshots</url>
 60 |         </snapshotRepository>
 61 |         <repository>
 62 |             <id>ossrh</id>
 63 |             <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
 64 |         </repository>
 65 |     </distributionManagement>
 66 | 
 67 |     <dependencies>
 68 |         <dependency>
 69 |             <groupId>org.teavm</groupId>
 70 |             <artifactId>teavm-jso</artifactId>
 71 |             <version>0.9.2</version>
 72 |         </dependency>
 73 |         <dependency>
 74 |             <groupId>org.teavm</groupId>
 75 |             <artifactId>teavm-jso-apis</artifactId>
 76 |             <version>0.9.2</version>
 77 |         </dependency>
 78 |         <dependency>
 79 |             <groupId>com.google.code.findbugs</groupId>
 80 |             <artifactId>jsr305</artifactId>
 81 |             <version>2.0.1</version>
 82 |             <scope>provided</scope>
 83 |         </dependency>
 84 |         <dependency>
 85 |             <groupId>junit</groupId>
 86 |             <artifactId>junit</artifactId>
 87 |             <version>4.11</version>
 88 |             <scope>test</scope>
 89 |         </dependency>
 90 |     </dependencies>
 91 | 
 92 |     <build>
 93 |         <plugins>
 94 |             <plugin>
 95 |                 <groupId>org.teavm</groupId>
 96 |                 <artifactId>teavm-maven-plugin</artifactId>
 97 |                 <version>0.9.2</version>
 98 |                 <dependencies>
 99 |                     <dependency>
100 |                         <groupId>org.teavm</groupId>
101 |                         <artifactId>teavm-classlib</artifactId>
102 |                         <version>0.9.2</version>
103 |                     </dependency>
104 |                 </dependencies>
105 |                 <executions>
106 |                     <execution>
107 |                         <goals>
108 |                             <goal>compile</goal>
109 |                         </goals>
110 |                         <phase>process-classes</phase>
111 |                         <configuration>
112 |                             <mainClass>com.shapesecurity.salvation2.JSInterface</mainClass>
113 |                             <minifying>true</minifying>
114 |                             <sourceMapsGenerated>false</sourceMapsGenerated>
115 |                             <sourceFilesCopied>false</sourceFilesCopied>
116 |                             <targetFileName>salvation.min.js</targetFileName>
117 |                         </configuration>
118 |                     </execution>
119 |                 </executions>
120 |             </plugin>
121 |             <plugin>
122 |                 <groupId>org.sonatype.plugins</groupId>
123 |                 <artifactId>nexus-staging-maven-plugin</artifactId>
124 |                 <version>1.6.3</version>
125 |                 <extensions>true</extensions>
126 |                 <configuration>
127 |                     <serverId>ossrh</serverId>
128 |                     <nexusUrl>https://oss.sonatype.org/</nexusUrl>
129 |                     <autoReleaseAfterClose>true</autoReleaseAfterClose>
130 |                 </configuration>
131 |             </plugin>
132 |             <plugin>
133 |                 <groupId>org.apache.maven.plugins</groupId>
134 |                 <artifactId>maven-gpg-plugin</artifactId>
135 |                 <version>1.5</version>
136 |                 <executions>
137 |                     <execution>
138 |                         <id>sign-artifacts</id>
139 |                         <phase>verify</phase>
140 |                         <goals>
141 |                             <goal>sign</goal>
142 |                         </goals>
143 |                     </execution>
144 |                 </executions>
145 |             </plugin>
146 |             <plugin>
147 |                 <groupId>org.apache.maven.plugins</groupId>
148 |                 <artifactId>maven-compiler-plugin</artifactId>
149 |                 <version>2.3.2</version>
150 |                 <configuration>
151 |                     <source>1.8</source>
152 |                     <target>1.8</target>
153 |                 </configuration>
154 |             </plugin>
155 |             <plugin>
156 |                 <groupId>org.codehaus.mojo</groupId>
157 |                 <artifactId>findbugs-maven-plugin</artifactId>
158 |                 <version>3.0.1</version>
159 | 
160 |                 <configuration>
161 |                     <effort>Max</effort>
162 |                     <!-- Build doesn't fail if problems are found -->
163 |                     <failOnError>false</failOnError>
164 |                     <!-- Reports all bugs (other values are medium and max) -->
165 |                     <threshold>Low</threshold>
166 |                     <!-- Produces XML report -->
167 |                     <xmlOutput>true</xmlOutput>
168 |                     <!-- Configures the directory in which the XML report is created -->
169 |                     <findbugsXmlOutputDirectory>${project.build.directory}/findbugs/</findbugsXmlOutputDirectory>
170 |                 </configuration>
171 |             </plugin>
172 |             <plugin>
173 |                 <groupId>org.apache.maven.plugins</groupId>
174 |                 <artifactId>maven-source-plugin</artifactId>
175 |                 <version>2.2.1</version>
176 |                 <executions>
177 |                     <execution>
178 |                         <id>attach-sources</id>
179 |                         <goals>
180 |                             <goal>jar-no-fork</goal>
181 |                         </goals>
182 |                     </execution>
183 |                 </executions>
184 |             </plugin>
185 |             <plugin>
186 |                 <groupId>org.apache.maven.plugins</groupId>
187 |                 <artifactId>maven-javadoc-plugin</artifactId>
188 |                 <version>2.9.1</version>
189 |                 <executions>
190 |                     <execution>
191 |                         <id>attach-javadocs</id>
192 |                         <goals>
193 |                             <goal>jar</goal>
194 |                         </goals>
195 |                     </execution>
196 |                 </executions>
197 |             </plugin>
198 |             <plugin>
199 |                 <groupId>org.codehaus.mojo</groupId>
200 |                 <artifactId>xml-maven-plugin</artifactId>
201 |                 <version>1.0</version>
202 | 
203 |                 <executions>
204 |                     <!-- Ensures that the XSLT transformation is run when the project is compiled. -->
205 |                     <execution>
206 |                         <phase>verify</phase>
207 |                         <goals>
208 |                             <goal>transform</goal>
209 |                         </goals>
210 |                     </execution>
211 |                 </executions>
212 | 
213 |                 <configuration>
214 |                     <transformationSets>
215 |                         <transformationSet>
216 |                             <!-- Configures the source directory of XML files. -->
217 |                             <dir>${project.build.directory}/findbugs</dir>
218 |                             <!-- Configures the directory in which the FindBugs report is written.-->
219 |                             <outputDir>${project.build.directory}/findbugs</outputDir>
220 |                             <!-- Selects the used stylesheet. -->
221 |                             <!-- <stylesheet>fancy-hist.xsl</stylesheet> -->
222 |                             <stylesheet>default.xsl</stylesheet>
223 |                             <!--<stylesheet>plain.xsl</stylesheet>-->
224 |                             <!--<stylesheet>fancy.xsl</stylesheet>-->
225 |                             <!--<stylesheet>summary.xsl</stylesheet>-->
226 |                             <fileMappers>
227 |                                 <!-- Configures the file extension of the output files. -->
228 |                                 <fileMapper
229 |                                     implementation="org.codehaus.plexus.components.io.filemappers.FileExtensionMapper">
230 |                                     <targetExtension>.html</targetExtension>
231 |                                 </fileMapper>
232 |                             </fileMappers>
233 |                         </transformationSet>
234 |                     </transformationSets>
235 |                 </configuration>
236 |                 <dependencies>
237 |                     <dependency>
238 |                         <groupId>com.google.code.findbugs</groupId>
239 |                         <artifactId>findbugs</artifactId>
240 |                         <version>2.0.1</version>
241 |                     </dependency>
242 |                 </dependencies>
243 |             </plugin>
244 |             <plugin>
245 |                 <groupId>org.apache.maven.plugins</groupId>
246 |                 <artifactId>maven-checkstyle-plugin</artifactId>
247 |                 <version>3.1.1</version>
248 |                 <dependencies>
249 |                     <dependency>
250 |                         <groupId>com.puppycrawl.tools</groupId>
251 |                         <artifactId>checkstyle</artifactId>
252 |                         <version>[8.18,10.0)</version>
253 |                     </dependency>
254 |                 </dependencies>
255 |                 <configuration>
256 |                     <configLocation>style.xml</configLocation>
257 |                     <encoding>UTF-8</encoding>
258 |                     <sourceDirectories>
259 |                         <sourceDirectory>${project.build.sourceDirectory}</sourceDirectory>
260 |                         <sourceDirectory>${project.build.testSourceDirectory}</sourceDirectory>
261 |                     </sourceDirectories>
262 |                 </configuration>
263 |                 <executions>
264 |                     <execution>
265 |                         <id>test</id>
266 |                         <phase>test</phase>
267 |                         <goals>
268 |                             <goal>check</goal>
269 |                         </goals>
270 |                         <configuration>
271 |                             <configLocation>style.xml</configLocation>
272 |                             <encoding>UTF-8</encoding>
273 |                             <sourceDirectories>
274 |                                 <sourceDirectory>${project.build.sourceDirectory}</sourceDirectory>
275 |                                 <sourceDirectory>${project.build.testSourceDirectory}</sourceDirectory>
276 |                             </sourceDirectories>
277 |                             <consoleOutput>true</consoleOutput>
278 |                             <failsOnError>true</failsOnError>
279 |                         </configuration>
280 |                     </execution>
281 |                 </executions>
282 |             </plugin>
283 |         </plugins>
284 |     </build>
285 | </project>
286 | 


--------------------------------------------------------------------------------
/src/test/java/com/shapesecurity/salvation2/ParserTest.java:
--------------------------------------------------------------------------------
  1 | package com.shapesecurity.salvation2;
  2 | 
  3 | import com.shapesecurity.salvation2.Values.Scheme;
  4 | import org.junit.Test;
  5 | 
  6 | import java.util.ArrayList;
  7 | 
  8 | import static org.junit.Assert.assertEquals;
  9 | import static org.junit.Assert.assertTrue;
 10 | 
 11 | public class ParserTest extends TestBase {
 12 | 	@Test
 13 | 	public void testEmptyPolicy() {
 14 | 		roundTrips("");
 15 | 		serializesTo(";", "");
 16 | 
 17 | 		PolicyList p = Policy.parseSerializedCSPList("", throwIfPolicyListError);
 18 | 		assertEquals("", p.toString());
 19 | 	}
 20 | 
 21 | 	@Test
 22 | 	public void testList() {
 23 | 		PolicyList p = Policy.parseSerializedCSPList("DEFAULT-SRC 'NONE', default-src 'none'", throwIfPolicyListError);
 24 | 		assertEquals("DEFAULT-SRC 'NONE', default-src 'none'", p.toString());
 25 | 
 26 | 		ArrayList<PolicyListError> observedErrors = new ArrayList<>();
 27 | 		Policy.PolicyListErrorConsumer consumer = (severity, message, policyIndex, directiveIndex, valueIndex) -> {
 28 | 			observedErrors.add(e(severity, message, policyIndex, directiveIndex, valueIndex));
 29 | 		};
 30 | 		p = Policy.parseSerializedCSPList("default-src 'none', default-src 'not-a-keyword'; script-src asdf asdf", consumer);
 31 | 		assertEquals("default-src 'none', default-src 'not-a-keyword'; script-src asdf asdf", p.toString());
 32 | 
 33 | 		PolicyListError[] errors = {
 34 | 				e(Policy.Severity.Error, "Unrecognized source-expression 'not-a-keyword'", 1, 0, 0),
 35 | 				e(Policy.Severity.Warning, "Duplicate host asdf", 1, 1, 1)
 36 | 		};
 37 | 		assertEquals("should have the expected number of errors", errors.length, observedErrors.size());
 38 | 		for (int i = 0; i < errors.length; ++i) {
 39 | 			assertEquals(errors[i], observedErrors.get(i));
 40 | 		}
 41 | 	}
 42 | 
 43 | 	@Test
 44 | 	public void testSimpleCases() {
 45 | 		Policy p;
 46 | 
 47 | 		p = Policy.parseSerializedCSP("base-uri a", throwIfPolicyError);
 48 | 		assertTrue(p.baseUri().isPresent());
 49 | 
 50 | 		p = Policy.parseSerializedCSP("block-all-mixed-content", throwIfPolicyError);
 51 | 		assertTrue(p.blockAllMixedContent());
 52 | 
 53 | 		p = Policy.parseSerializedCSP("form-action a", throwIfPolicyError);
 54 | 		assertTrue(p.formAction().isPresent());
 55 | 
 56 | 		p = Policy.parseSerializedCSP("frame-ancestors 'none'", throwIfPolicyError);
 57 | 		assertTrue(p.frameAncestors().isPresent());
 58 | 
 59 | 		p = Policy.parseSerializedCSP("navigate-to 'none'", throwIfPolicyError);
 60 | 		assertTrue(p.navigateTo().isPresent());
 61 | 
 62 | 		p = Policy.parseSerializedCSP("plugin-types a/b", throwIfPolicyError);
 63 | 		assertTrue(p.pluginTypes().isPresent());
 64 | 
 65 | 		p = Policy.parseSerializedCSP("report-to a", throwIfPolicyError);
 66 | 		assertTrue(p.reportTo().isPresent());
 67 | 
 68 | 		p = Policy.parseSerializedCSP("report-uri http://example.com", Policy.PolicyErrorConsumer.ignored);
 69 | 		assertTrue(p.reportUri().isPresent());
 70 | 
 71 | 		p = Policy.parseSerializedCSP("sandbox", throwIfPolicyError);
 72 | 		assertTrue(p.sandbox().isPresent());
 73 | 
 74 | 		p = Policy.parseSerializedCSP("upgrade-insecure-requests", throwIfPolicyError);
 75 | 		assertTrue(p.upgradeInsecureRequests());
 76 | 
 77 | 
 78 | 		p = Policy.parseSerializedCSP("child-src a", throwIfPolicyError);
 79 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ChildSrc).isPresent());
 80 | 
 81 | 		p = Policy.parseSerializedCSP("connect-src a", throwIfPolicyError);
 82 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ConnectSrc).isPresent());
 83 | 
 84 | 		p = Policy.parseSerializedCSP("default-src a", throwIfPolicyError);
 85 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).isPresent());
 86 | 
 87 | 		p = Policy.parseSerializedCSP("font-src a", throwIfPolicyError);
 88 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.FontSrc).isPresent());
 89 | 
 90 | 		p = Policy.parseSerializedCSP("frame-src a", throwIfPolicyError);
 91 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.FrameSrc).isPresent());
 92 | 
 93 | 		p = Policy.parseSerializedCSP("img-src a", throwIfPolicyError);
 94 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ImgSrc).isPresent());
 95 | 
 96 | 		p = Policy.parseSerializedCSP("manifest-src a", throwIfPolicyError);
 97 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ManifestSrc).isPresent());
 98 | 
 99 | 		p = Policy.parseSerializedCSP("media-src a", throwIfPolicyError);
100 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.MediaSrc).isPresent());
101 | 
102 | 		p = Policy.parseSerializedCSP("object-src a", throwIfPolicyError);
103 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ObjectSrc).isPresent());
104 | 
105 | 		p = Policy.parseSerializedCSP("prefetch-src a", throwIfPolicyError);
106 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.PrefetchSrc).isPresent());
107 | 
108 | 		p = Policy.parseSerializedCSP("script-src-attr a", throwIfPolicyError);
109 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ScriptSrcAttr).isPresent());
110 | 
111 | 		p = Policy.parseSerializedCSP("script-src a", throwIfPolicyError);
112 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
113 | 
114 | 		p = Policy.parseSerializedCSP("script-src-elem a", throwIfPolicyError);
115 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.ScriptSrcElem).isPresent());
116 | 
117 | 		p = Policy.parseSerializedCSP("style-src-attr a", throwIfPolicyError);
118 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.StyleSrcAttr).isPresent());
119 | 
120 | 		p = Policy.parseSerializedCSP("style-src a", throwIfPolicyError);
121 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.StyleSrc).isPresent());
122 | 
123 | 		p = Policy.parseSerializedCSP("style-src-elem a", throwIfPolicyError);
124 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.StyleSrcElem).isPresent());
125 | 
126 | 		p = Policy.parseSerializedCSP("worker-src a", throwIfPolicyError);
127 | 		assertTrue(p.getFetchDirective(FetchDirectiveKind.WorkerSrc).isPresent());
128 | 	}
129 | 
130 | 	@Test
131 | 	public void testPreservesMalformed() {
132 | 		roundTrips(
133 | 				"not-a-directive foo",
134 | 				e(Policy.Severity.Warning, "Unrecognized directive not-a-directive", 0, -1)
135 | 		);
136 | 
137 | 		roundTrips(
138 | 				"default-src 'not-keyword'",
139 | 				e(Policy.Severity.Error, "Unrecognized source-expression 'not-keyword'", 0, 0)
140 | 		);
141 | 
142 | 		roundTrips(
143 | 				"default-src 'self'a",
144 | 				e(Policy.Severity.Error, "Unrecognized source-expression 'self'a", 0, 0)
145 | 		);
146 | 
147 | 		roundTrips(
148 | 				"default-src 'sha257-000'",
149 | 				e(Policy.Severity.Error, "'sha...' source-expression uses an unrecognized algorithm or does not match the base64-value grammar (or is missing its trailing \"'\")", 0, 0)
150 | 		);
151 | 
152 | 		roundTrips(
153 | 				"default-src 'sha256-000'",
154 | 				e(Policy.Severity.Warning, "Wrong length for sha256: expected 44, got 3", 0, 0)
155 | 		);
156 | 
157 | 		roundTrips(
158 | 				"default-src 'sha256-$$'",
159 | 				e(Policy.Severity.Error, "'sha...' source-expression uses an unrecognized algorithm or does not match the base64-value grammar (or is missing its trailing \"'\")", 0, 0)
160 | 		);
161 | 
162 | 		roundTrips(
163 | 				"base-uri 'not-keyword'",
164 | 				e(Policy.Severity.Error, "Unrecognized source-expression 'not-keyword'", 0, 0)
165 | 		);
166 | 
167 | 		roundTrips(
168 | 				"block-all-mixed-content 'none'",
169 | 				e(Policy.Severity.Error, "The block-all-mixed-content directive does not support values", 0, 0)
170 | 		);
171 | 
172 | 		roundTrips(
173 | 				"form-action 'not-keyword'",
174 | 				e(Policy.Severity.Error, "Unrecognized source-expression 'not-keyword'", 0, 0)
175 | 		);
176 | 
177 | 		roundTrips(
178 | 				"frame-ancestors 'nonce-asdf'",
179 | 				e(Policy.Severity.Error, "Unrecognized ancestor-source 'nonce-asdf'", 0, 0)
180 | 		);
181 | 
182 | 		roundTrips(
183 | 				"navigate-to 'not-keyword'",
184 | 				e(Policy.Severity.Error, "Unrecognized source-expression 'not-keyword'", 0, 0)
185 | 		);
186 | 
187 | 		roundTrips(
188 | 				"plugin-types a",
189 | 				e(Policy.Severity.Error, "Expecting media-type but found \"a\"", 0, 0)
190 | 		);
191 | 
192 | 		roundTrips(
193 | 				"report-to",
194 | 				e(Policy.Severity.Error, "The report-to directive requires a value", 0, -1)
195 | 		);
196 | 
197 | 		roundTrips(
198 | 				"report-to (a)",
199 | 				e(Policy.Severity.Error, "Expecting RFC 7230 token but found \"(a)\"", 0, 0)
200 | 		);
201 | 
202 | 		roundTrips(
203 | 				"report-to a b",
204 | 				e(Policy.Severity.Error, "The report-to directive requires exactly one value (found 2)", 0, 1)
205 | 		);
206 | 
207 | 		roundTrips(
208 | 				"report-uri a a",
209 | 				e(Policy.Severity.Warning, "The report-uri directive has been deprecated in favor of the new report-to directive", 0, -1),
210 | 				e(Policy.Severity.Info, "Duplicate report-to URI; are you sure you intend to get multiple copies of each report?", 0, 1)
211 | 		);
212 | 
213 | 		roundTrips(
214 | 				"sandbox allow-nonsense",
215 | 				e(Policy.Severity.Error, "Unrecognized sandbox keyword allow-nonsense", 0, 0)
216 | 		);
217 | 
218 | 		roundTrips(
219 | 				"sandbox allow-scripts allow-scripts",
220 | 				e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-scripts", 0, 1)
221 | 		);
222 | 
223 | 		roundTrips(
224 | 				"upgrade-insecure-requests a",
225 | 				e(Policy.Severity.Error, "The upgrade-insecure-requests directive does not support values", 0, 0)
226 | 		);
227 | 
228 | 		roundTrips(
229 | 				"&",
230 | 				e(Policy.Severity.Error, "Directive name & contains characters outside the range ALPHA / DIGIT / \"-\"", 0, -1)
231 | 		);
232 | 
233 | 		roundTrips(
234 | 				"default-src'self'",
235 | 				e(Policy.Severity.Error, "Directive name default-src'self' contains characters outside the range ALPHA / DIGIT / \"-\"", 0, -1)
236 | 		);
237 | 
238 | 		roundTrips(
239 | 				"default-src'self' a",
240 | 				e(Policy.Severity.Error, "Directive name default-src'self' contains characters outside the range ALPHA / DIGIT / \"-\"", 0, -1)
241 | 		);
242 | 
243 | 		roundTrips(
244 | 				"default-src'self'a",
245 | 				e(Policy.Severity.Error, "Directive name default-src'self'a contains characters outside the range ALPHA / DIGIT / \"-\"", 0, -1)
246 | 		);
247 | 	}
248 | 
249 | 	@Test
250 | 	public void testPreservesDuplicates() {
251 | 		roundTrips(
252 | 				"base-uri a; base-uri a",
253 | 				e(Policy.Severity.Warning, "Duplicate directive base-uri", 1, -1)
254 | 		);
255 | 
256 | 		roundTrips(
257 | 				"block-all-mixed-content; block-all-mixed-content",
258 | 				e(Policy.Severity.Warning, "Duplicate directive block-all-mixed-content", 1, -1)
259 | 		);
260 | 
261 | 		roundTrips(
262 | 				"form-action a; form-action a",
263 | 				e(Policy.Severity.Warning, "Duplicate directive form-action", 1, -1)
264 | 		);
265 | 
266 | 		roundTrips(
267 | 				"frame-ancestors 'none'; frame-ancestors 'none'",
268 | 				e(Policy.Severity.Warning, "Duplicate directive frame-ancestors", 1, -1)
269 | 		);
270 | 
271 | 		roundTrips(
272 | 				"navigate-to 'none'; navigate-to 'none'",
273 | 				e(Policy.Severity.Warning, "Duplicate directive navigate-to", 1, -1)
274 | 		);
275 | 
276 | 		roundTrips(
277 | 				"plugin-types a/b; plugin-types a/b",
278 | 				e(Policy.Severity.Warning, "Duplicate directive plugin-types", 1, -1)
279 | 		);
280 | 
281 | 		roundTrips(
282 | 				"report-to a; report-to a",
283 | 				e(Policy.Severity.Warning, "Duplicate directive report-to", 1, -1)
284 | 		);
285 | 
286 | 		roundTrips(
287 | 				"report-uri http://example.com; report-uri http://example.com",
288 | 				e(Policy.Severity.Warning, "The report-uri directive has been deprecated in favor of the new report-to directive", 0, -1),
289 | 				e(Policy.Severity.Warning, "The report-uri directive has been deprecated in favor of the new report-to directive", 1, -1),
290 | 				e(Policy.Severity.Warning, "Duplicate directive report-uri", 1, -1)
291 | 		);
292 | 
293 | 		roundTrips(
294 | 				"sandbox; sandbox",
295 | 				e(Policy.Severity.Warning, "Duplicate directive sandbox", 1, -1)
296 | 		);
297 | 
298 | 		roundTrips(
299 | 				"upgrade-insecure-requests; upgrade-insecure-requests",
300 | 				e(Policy.Severity.Warning, "Duplicate directive upgrade-insecure-requests", 1, -1)
301 | 		);
302 | 
303 | 
304 | 		roundTrips(
305 | 				"child-src a; child-src a",
306 | 				e(Policy.Severity.Warning, "Duplicate directive child-src", 1, -1)
307 | 		);
308 | 
309 | 		roundTrips(
310 | 				"connect-src a; connect-src a",
311 | 				e(Policy.Severity.Warning, "Duplicate directive connect-src", 1, -1)
312 | 		);
313 | 
314 | 		roundTrips(
315 | 				"default-src a; default-src a",
316 | 				e(Policy.Severity.Warning, "Duplicate directive default-src", 1, -1)
317 | 		);
318 | 
319 | 		roundTrips(
320 | 				"font-src a; font-src a",
321 | 				e(Policy.Severity.Warning, "Duplicate directive font-src", 1, -1)
322 | 		);
323 | 
324 | 		roundTrips(
325 | 				"frame-src a; frame-src a",
326 | 				e(Policy.Severity.Warning, "Duplicate directive frame-src", 1, -1)
327 | 		);
328 | 
329 | 		roundTrips(
330 | 				"img-src a; img-src a",
331 | 				e(Policy.Severity.Warning, "Duplicate directive img-src", 1, -1)
332 | 		);
333 | 
334 | 		roundTrips(
335 | 				"manifest-src a; manifest-src a",
336 | 				e(Policy.Severity.Warning, "Duplicate directive manifest-src", 1, -1)
337 | 		);
338 | 
339 | 		roundTrips(
340 | 				"media-src a; media-src a",
341 | 				e(Policy.Severity.Warning, "Duplicate directive media-src", 1, -1)
342 | 		);
343 | 
344 | 		roundTrips(
345 | 				"object-src a; object-src a",
346 | 				e(Policy.Severity.Warning, "Duplicate directive object-src", 1, -1)
347 | 		);
348 | 
349 | 		roundTrips(
350 | 				"prefetch-src a; prefetch-src a",
351 | 				e(Policy.Severity.Warning, "Duplicate directive prefetch-src", 1, -1)
352 | 		);
353 | 
354 | 		roundTrips(
355 | 				"script-src-attr a; script-src-attr a",
356 | 				e(Policy.Severity.Warning, "Duplicate directive script-src-attr", 1, -1)
357 | 		);
358 | 
359 | 		roundTrips(
360 | 				"script-src a; script-src a",
361 | 				e(Policy.Severity.Warning, "Duplicate directive script-src", 1, -1)
362 | 		);
363 | 
364 | 		roundTrips(
365 | 				"script-src-elem a; script-src-elem a",
366 | 				e(Policy.Severity.Warning, "Duplicate directive script-src-elem", 1, -1)
367 | 		);
368 | 
369 | 		roundTrips(
370 | 				"style-src-attr a; style-src-attr a",
371 | 				e(Policy.Severity.Warning, "Duplicate directive style-src-attr", 1, -1)
372 | 		);
373 | 
374 | 		roundTrips(
375 | 				"style-src a; style-src a",
376 | 				e(Policy.Severity.Warning, "Duplicate directive style-src", 1, -1)
377 | 		);
378 | 
379 | 		roundTrips(
380 | 				"style-src-elem a; style-src-elem a",
381 | 				e(Policy.Severity.Warning, "Duplicate directive style-src-elem", 1, -1)
382 | 		);
383 | 
384 | 		roundTrips(
385 | 				"worker-src a; worker-src a",
386 | 				e(Policy.Severity.Warning, "Duplicate directive worker-src", 1, -1)
387 | 		);
388 | 	}
389 | 
390 | 	@Test
391 | 	public void testPreservesWeirdness() {
392 | 		roundTrips(
393 | 				"deFAult-src 'SeLf'"
394 | 		);
395 | 
396 | 		roundTrips(
397 | 				"sandbox AlLoW-ScRiPtS"
398 | 		);
399 | 
400 | 		// TODO there should be an error emitted for this, since it's not a valid percent encoding
401 | 		roundTrips(
402 | 				"script-src example.com/%ef"
403 | 		);
404 | 
405 | 		// Note the use of both '_' and '/' - that's allowed!
406 | 		roundTrips(
407 | 				"default-src 'sha256-CihokcEcBW4atb_CW/XWsvWwbTjqwQlE9nj9ii5ww5M='",
408 | 				e(Policy.Severity.Warning, "'_' and '-' in hashes can never match actual elements", 0, 0)
409 | 		);
410 | 	}
411 | 
412 | 	@Test
413 | 	public void testWhitespace() {
414 | 		serializesTo(
415 | 				" default-src  a  ",
416 | 				"default-src a"
417 | 		);
418 | 
419 | 		serializesTo(
420 | 				";; default-src a ;; img-src b ;;",
421 | 				"default-src a; img-src b"
422 | 		);
423 | 
424 | 		serializesTo(
425 | 				"default-src\na;\rscript-src\fb",
426 | 				"default-src a; script-src b"
427 | 		);
428 | 	}
429 | 
430 | 	@Test
431 | 	public void testNone() {
432 | 		// This asserts that it serializes to the same, uppercased, value
433 | 		roundTrips(
434 | 				"default-src 'NONE'"
435 | 		);
436 | 
437 | 		roundTrips(
438 | 				"default-src",
439 | 				e(Policy.Severity.Error, "Source-expression lists cannot be empty (use 'none' instead)", 0, -1)
440 | 		);
441 | 
442 | 		roundTrips(
443 | 				"default-src 'NONE' a",
444 | 				e(Policy.Severity.Error, "'none' must not be combined with any other source-expression", 0, 1)
445 | 		);
446 | 
447 | 		roundTrips(
448 | 				"default-src 'NONE' 'none'",
449 | 				e(Policy.Severity.Error, "'none' must not be combined with any other source-expression", 0, 1)
450 | 		);
451 | 
452 | 		roundTrips(
453 | 				"default-src a 'NONE'",
454 | 				e(Policy.Severity.Error, "'none' must not be combined with any other source-expression", 0, 1)
455 | 		);
456 | 	}
457 | 
458 | 	@Test
459 | 	public void testCasing() {
460 | 		inTurkey(() -> {
461 | 			Policy p;
462 | 
463 | 			p = Policy.parseSerializedCSP("SCRIPT-SRC 'UNSAFE-INLINE'", throwIfPolicyError);
464 | 			assertTrue(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent());
465 | 			assertTrue(p.getFetchDirective(FetchDirectiveKind.ScriptSrc).get().unsafeInline());
466 | 
467 | 			p = Policy.parseSerializedCSP("sandbox AlLoW-ScRiPtS", throwIfPolicyError);
468 | 			assertTrue(p.sandbox().isPresent());
469 | 			assertTrue(p.sandbox().get().allowScripts());
470 | 
471 | 			p = Policy.parseSerializedCSP("BLOCK-ALL-MIXED-CONTENT", throwIfPolicyError);
472 | 			assertTrue(p.blockAllMixedContent());
473 | 
474 | 			p = Policy.parseSerializedCSP("default-src FILE:", throwIfPolicyError);
475 | 			assertTrue(p.getFetchDirective(FetchDirectiveKind.DefaultSrc).get().getSchemes().contains(Scheme.parseScheme("file:").get()));
476 | 		});
477 | 	}
478 | 
479 | 	@Test
480 | 	public void testWarnings() {
481 | 		inTurkey(() -> {
482 | 			roundTrips(
483 | 					"default-src none",
484 | 					e(Policy.Severity.Warning, "This host name is unusual, and likely meant to be a keyword that is missing the required quotes: 'none'.", 0, 0)
485 | 			);
486 | 
487 | 			roundTrips(
488 | 					"default-src 'unsafe-inline' 'UNSAFE-INLINE'",
489 | 					e(Policy.Severity.Warning, "Duplicate source-expression 'unsafe-inline'", 0, 1)
490 | 			);
491 | 
492 | 			roundTrips(
493 | 					"default-src 'unsafe-eval' 'UNSAFE-EVAL'",
494 | 					e(Policy.Severity.Warning, "Duplicate source-expression 'unsafe-eval'", 0, 1)
495 | 			);
496 | 
497 | 			roundTrips(
498 | 					"default-src 'strict-dynamic' 'STRICT-DYNAMIC'",
499 | 					e(Policy.Severity.Warning, "Duplicate source-expression 'strict-dynamic'", 0, 1)
500 | 			);
501 | 
502 | 			roundTrips(
503 | 					"default-src 'unsafe-hashes' 'UNSAFE-HASHES'",
504 | 					e(Policy.Severity.Warning, "Duplicate source-expression 'unsafe-hashes'", 0, 1)
505 | 			);
506 | 
507 | 			roundTrips(
508 | 					"default-src 'report-sample' 'REPORT-SAMPLE'",
509 | 					e(Policy.Severity.Warning, "Duplicate source-expression 'report-sample'", 0, 1)
510 | 			);
511 | 
512 | 			roundTrips(
513 | 					"default-src 'unsafe-allow-redirects' 'UNSAFE-ALLOW-REDIRECTS'",
514 | 					e(Policy.Severity.Warning, "Duplicate source-expression 'unsafe-allow-redirects'", 0, 1)
515 | 			);
516 | 
517 | 			roundTrips(
518 | 					"default-src 'self' 'self'",
519 | 					e(Policy.Severity.Warning, "Duplicate source-expression 'self'", 0, 1)
520 | 			);
521 | 
522 | 			roundTrips(
523 | 					"default-src * *",
524 | 					e(Policy.Severity.Warning, "Duplicate source-expression *", 0, 1)
525 | 			);
526 | 
527 | 			roundTrips(
528 | 					"default-src http: http:",
529 | 					e(Policy.Severity.Warning, "Duplicate scheme http:", 0, 1)
530 | 			);
531 | 
532 | 			roundTrips(
533 | 					"default-src a a",
534 | 					e(Policy.Severity.Warning, "Duplicate host a", 0, 1)
535 | 			);
536 | 
537 | 			roundTrips(
538 | 					"default-src 'none' foo",
539 | 					e(Policy.Severity.Error, "'none' must not be combined with any other source-expression", 0, 1)
540 | 			);
541 | 
542 | 			roundTrips(
543 | 					"default-src 'unsafe-redirect'",
544 | 					e(Policy.Severity.Error, "'unsafe-redirect' has been removed from CSP as of version 2.0", 0, 0)
545 | 			);
546 | 
547 | 			roundTrips(
548 | 					"default-src 'unsafe-hashed-attributes'",
549 | 					e(Policy.Severity.Error, "'unsafe-hashed-attributes' was renamed to 'unsafe-hashes' in June 2018", 0, 0)
550 | 			);
551 | 
552 | 			roundTrips(
553 | 					"sandbox 'allow-scripts'",
554 | 					e(Policy.Severity.Error, "Unrecognized sandbox keyword 'allow-scripts' - note that sandbox keywords do not have \"'\"s", 0, 0)
555 | 			);
556 | 
557 | 			roundTrips(
558 | 					"sandbox allow-downloads ALLOW-DOWNLOADS",
559 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-downloads", 0, 1)
560 | 			);
561 | 
562 | 			roundTrips(
563 | 					"sandbox allow-forms ALLOW-FORMS",
564 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-forms", 0, 1)
565 | 			);
566 | 
567 | 			roundTrips(
568 | 					"sandbox allow-modals ALLOW-MODALS",
569 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-modals", 0, 1)
570 | 			);
571 | 
572 | 			roundTrips(
573 | 					"sandbox allow-orientation-lock ALLOW-ORIENTATION-LOCK",
574 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-orientation-lock", 0, 1)
575 | 			);
576 | 
577 | 			roundTrips(
578 | 					"sandbox allow-pointer-lock ALLOW-POINTER-LOCK",
579 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-pointer-lock", 0, 1)
580 | 			);
581 | 
582 | 			roundTrips(
583 | 					"sandbox allow-popups ALLOW-POPUPS",
584 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-popups", 0, 1)
585 | 			);
586 | 
587 | 			roundTrips(
588 | 					"sandbox allow-popups-to-escape-sandbox ALLOW-POPUPS-TO-ESCAPE-SANDBOX",
589 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-popups-to-escape-sandbox", 0, 1)
590 | 			);
591 | 
592 | 			roundTrips(
593 | 					"sandbox allow-presentation ALLOW-PRESENTATION",
594 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-presentation", 0, 1)
595 | 			);
596 | 
597 | 			roundTrips(
598 | 					"sandbox allow-same-origin ALLOW-SAME-ORIGIN",
599 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-same-origin", 0, 1)
600 | 			);
601 | 
602 | 			roundTrips(
603 | 					"sandbox allow-scripts ALLOW-SCRIPTS",
604 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-scripts", 0, 1)
605 | 			);
606 | 
607 | 			roundTrips(
608 | 					"sandbox allow-storage-access-by-user-activation ALLOW-STORAGE-ACCESS-BY-USER-activation",
609 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-storage-access-by-user-activation", 0, 1)
610 | 			);
611 | 
612 | 			roundTrips(
613 | 					"sandbox allow-top-navigation ALLOW-TOP-NAVIGATION",
614 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-top-navigation", 0, 1)
615 | 			);
616 | 
617 | 			roundTrips(
618 | 					"sandbox allow-top-navigation-by-user-activation ALLOW-TOP-NAVIGATION-BY-USER-ACTIVATION",
619 | 					e(Policy.Severity.Warning, "Duplicate sandbox keyword allow-top-navigation-by-user-activation", 0, 1)
620 | 			);
621 | 
622 | 			roundTrips(
623 | 					"report-uri",
624 | 					e(Policy.Severity.Warning, "The report-uri directive has been deprecated in favor of the new report-to directive", 0, -1),
625 | 					e(Policy.Severity.Error, "The report-uri value requires at least one value", 0, -1)
626 | 			);
627 | 
628 | 			roundTrips(
629 | 					"frame-ancestors",
630 | 					e(Policy.Severity.Error, "Ancestor-source lists cannot be empty (use 'none' instead)", 0, -1)
631 | 			);
632 | 
633 | 			roundTrips(
634 | 					"frame-ancestors 'none' 'NONE'",
635 | 					e(Policy.Severity.Error, "'none' must not be combined with any other ancestor-source", 0, 0)
636 | 			);
637 | 
638 | 			roundTrips(
639 | 					"plugin-types */*",
640 | 					e(Policy.Severity.Warning, "Media types can only be matched literally. Make sure using `*` is not an oversight.", 0, 0)
641 | 			);
642 | 		});
643 | 	}
644 | 
645 | 	@Test(expected = IllegalArgumentException.class)
646 | 	public void testAssertsAscii() {
647 | 		Policy.parseSerializedCSP("\uD835\uDC9C", Policy.PolicyErrorConsumer.ignored);
648 | 	}
649 | 
650 | 	@Test(expected = IllegalArgumentException.class)
651 | 	public void testAssertsNoCommas() {
652 | 		Policy.parseSerializedCSP("a ,", Policy.PolicyErrorConsumer.ignored);
653 | 	}
654 | 
655 | 	private static void roundTrips(String input, PolicyError... errors) {
656 | 		serializesTo(input, input, errors);
657 | 	}
658 | 
659 | 	private static void serializesTo(String input, String output, PolicyError... errors) {
660 | 		ArrayList<PolicyError> observedErrors = new ArrayList<>();
661 | 		Policy.PolicyErrorConsumer consumer = (severity, message, directiveIndex, valueIndex) -> {
662 | 			observedErrors.add(e(severity, message, directiveIndex, valueIndex));
663 | 		};
664 | 		Policy policy = Policy.parseSerializedCSP(input, consumer);
665 | 		assertEquals("should have the expected number of errors", errors.length, observedErrors.size());
666 | 		for (int i = 0; i < errors.length; ++i) {
667 | 			assertEquals(errors[i], observedErrors.get(i));
668 | 		}
669 | 		assertEquals(output, policy.toString());
670 | 	}
671 | }
672 | 


--------------------------------------------------------------------------------