CSP: Improved tokenization (#3276)
RunDevelopment committed Dec 18, 2021
1 parent acc0bc0 commit a943f2bbb9c81d16fc8386c3b7df456ccc458046
@@ -4,26 +4,73 @@
* Reference: https://scotthelme.co.uk/csp-cheat-sheet/
*
* Supports the following:
* - CSP Level 1
* - CSP Level 2
* - CSP Level 3
* - https://www.w3.org/TR/CSP1/
* - https://www.w3.org/TR/CSP2/
* - https://www.w3.org/TR/CSP3/
*/

Prism.languages.csp = {
'directive': {
pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
lookbehind: true,
alias: 'keyword'
},
'safe': {
// CSP2 hashes and nonces are base64 values. CSP3 accepts both base64 and base64url values.
// See https://tools.ietf.org/html/rfc4648#section-4
// See https://tools.ietf.org/html/rfc4648#section-5
pattern: /'(?:deny|none|report-sample|self|strict-dynamic|top-only|(?:nonce|sha(?:256|384|512))-[-+/\w=]+)'/i,
alias: 'selector'
},
'unsafe': {
pattern: /(?:'unsafe-(?:allow-redirects|dynamic|eval|hash-attributes|hashed-attributes|hashes|inline)'|\*)/i,
alias: 'function'
(function (Prism) {

/**
* @param {string} source
* @returns {RegExp}
*/
function value(source) {
return RegExp(/([ \t])/.source + '(?:' + source + ')' + /(?=[\s;]|$)/.source, 'i');
}
};

Prism.languages.csp = {
'directive': {
pattern: /(^|[\s;])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[\s;]|$)/i,
lookbehind: true,
alias: 'property'
},
'scheme': {
pattern: value(/[a-z][a-z0-9.+-]*:/.source),
lookbehind: true
},
'none': {
pattern: value(/'none'/.source),
lookbehind: true,
alias: 'keyword'
},
'nonce': {
pattern: value(/'nonce-[-+/\w=]+'/.source),
lookbehind: true,
alias: 'number'
},
'hash': {
pattern: value(/'sha(?:256|384|512)-[-+/\w=]+'/.source),
lookbehind: true,
alias: 'number'
},
'host': {
pattern: value(
/[a-z][a-z0-9.+-]*:\/\/[^\s;,']*/.source +
'|' +
/\*[^\s;,']*/.source +
'|' +
/[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::[\d*]+)?(?:\/[^\s;,']*)?/.source
),
lookbehind: true,
alias: 'url',
inside: {
'important': /\*/
}
},
'keyword': [
{
pattern: value(/'unsafe-[a-z-]+'/.source),
lookbehind: true,
alias: 'unsafe'
},
{
pattern: value(/'[a-z-]+'/.source),
lookbehind: true,
alias: 'safe'
},
],
'punctuation': /;/
};

}(Prism));
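Review bot: The second `keyword` entry, `value(/'[a-z-]+'/.source)` with `alias: 'safe'`, labels every quoted keyword that does not begin with `unsafe-` as safe, so a misspelled expression such as `'stict-dynamic'` or the CSP3 `'wasm-unsafe-eval'` is coloured exactly like `'self'`, whereas the removed `safe` rule enumerated its keywords explicitly. Because the safe/unsafe colouring is the one visual cue a policy reader gets, I would keep an explicit list for that entry, e.g. `pattern: value(/'(?:report-sample|self|strict-dynamic)'/.source)`, and append a final unaliased `{ pattern: value(/'[a-z-]+'/.source), lookbehind: true }` so unknown keywords still tokenize but carry no trust label; `'none'`, `'nonce-…'` and the hashes are already matched before `keyword`, so ordering is unaffected. Relatedly, the new fixture below records `sandbox allow-scripts` with the flag left as plain text, so unquoted directive arguments such as `sandbox` flags remain unhighlighted; a one-line comment above the `keyword` array stating that only quoted source expressions are tokenized would document that limitation for the next maintainer.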


@@ -4,7 +4,7 @@ upgrade-insecure-requests;

[
["directive", "upgrade-insecure-requests"],
";"
["punctuation", ";"]
]

----------------------------------------------------
@@ -4,21 +4,26 @@ input-protection tolerance=50; input-protection-clip before=60; input-protection

[
["directive", "input-protection"],
" tolerance=50; ",
" tolerance=50",
["punctuation", ";"],
["directive", "input-protection-clip"],
" before=60; ",
" before=60",
["punctuation", ";"],
["directive", "input-protection-selectors"],
" div; ",
" div",
["punctuation", ";"],
["directive", "policy-uri"],
" https://example.com; ",
["host", ["https://example.com"]],
["punctuation", ";"],
["directive", "script-src"],
" example.com; ",
["host", ["example.com"]],
["punctuation", ";"],
["directive", "script-src-attr"],
["safe", "'none'"],
"; ",
["none", "'none'"],
["punctuation", ";"],
["directive", "style-src-elem"],
["safe", "'none'"],
";"
["none", "'none'"],
["punctuation", ";"]
]

----------------------------------------------------
@@ -0,0 +1,8 @@
style-src 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4='

----------------------------------------------------

[
["directive", "style-src"],
["hash", "'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4='"]
]
@@ -0,0 +1,46 @@
default-src trusted.com *.trusted.com;
img-src *;
media-src media1.com media2.com;
script-src userscripts.example.com;
frame-ancestors https://alice https://bob;
frame-ancestors https://example.com/;

sandbox allow-scripts;

----------------------------------------------------

[
["directive", "default-src"],
["host", ["trusted.com"]],
["host", [
["important", "*"],
".trusted.com"
]],
["punctuation", ";"],

["directive", "img-src"],
["host", [
["important", "*"]
]],
["punctuation", ";"],

["directive", "media-src"],
["host", ["media1.com"]],
["host", ["media2.com"]],
["punctuation", ";"],

["directive", "script-src"],
["host", ["userscripts.example.com"]],
["punctuation", ";"],

["directive", "frame-ancestors"],
["host", ["https://alice"]],
["host", ["https://bob"]],
["punctuation", ";"],

["directive", "frame-ancestors"],
["host", ["https://example.com/"]],
["punctuation", ";"],

["directive", "sandbox"], " allow-scripts", ["punctuation", ";"]
]
@@ -3,7 +3,10 @@ default-src-is-a-fake; fake-default-src;
----------------------------------------------------

[
"default-src-is-a-fake; fake-default-src;"
"default-src-is-a-fake",
["punctuation", ";"],
" fake-default-src",
["punctuation", ";"]
]

----------------------------------------------------
@@ -0,0 +1,16 @@
default-src 'report-sample';
style-src 'self' 'strict-dynamic';

----------------------------------------------------

<span class="token directive property">default-src</span>
<span class="token keyword safe">'report-sample'</span>
<span class="token punctuation">;</span>
<span class="token directive property">style-src</span>
<span class="token keyword safe">'self'</span>
<span class="token keyword safe">'strict-dynamic'</span>
<span class="token punctuation">;</span>

----------------------------------------------------

Checks for source expressions classified as safe.
@@ -0,0 +1,20 @@
navigate-to 'unsafe-allow-redirects';
script-src 'unsafe-dynamic' 'unsafe-eval' 'unsafe-hash-attributes' 'unsafe-hashed-attributes' 'unsafe-hashes' 'unsafe-inline';

----------------------------------------------------

<span class="token directive property">navigate-to</span>
<span class="token keyword unsafe">'unsafe-allow-redirects'</span>
<span class="token punctuation">;</span>
<span class="token directive property">script-src</span>
<span class="token keyword unsafe">'unsafe-dynamic'</span>
<span class="token keyword unsafe">'unsafe-eval'</span>
<span class="token keyword unsafe">'unsafe-hash-attributes'</span>
<span class="token keyword unsafe">'unsafe-hashed-attributes'</span>
<span class="token keyword unsafe">'unsafe-hashes'</span>
<span class="token keyword unsafe">'unsafe-inline'</span>
<span class="token punctuation">;</span>

----------------------------------------------------

Checks for source expressions classified as unsafe.
@@ -0,0 +1,9 @@
style-src 'nonce-yeah';

----------------------------------------------------

[
["directive", "style-src"],
["nonce", "'nonce-yeah'"],
["punctuation", ";"]
]
@@ -0,0 +1,8 @@
sandbox 'none'

----------------------------------------------------

[
["directive", "sandbox"],
["none", "'none'"]
]


@@ -0,0 +1,10 @@
default-src https: 'unsafe-inline' 'unsafe-eval'

----------------------------------------------------

[
["directive", "default-src"],
["scheme", "https:"],
["keyword", "'unsafe-inline'"],
["keyword", "'unsafe-eval'"]
]

