Skip to content
Parse Content Security Policy headers, warn about policy errors, safely manipulate, render, and optimise policies
Branch: master
Clone or download
Pull request Compare This branch is even with shapesecurity:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


This is a general purpose library for working with Content Security Policy policies.

  • parse CSP policies into an easy-to-use representation
  • ask questions about what a CSP policy allows or restricts
  • warn about nonsensical CSP policies and deprecated or nonstandard features
  • safely create, manipulate, and merge CSP policies
  • render and optimise CSP policies demonstrates some of the features of Salvation in action.


mvn install

Create a Policy

Parse a policy using one of the Parser.parse static methods. An Origin or String may be given as the origin. The third parameter, if given, will be populated with notices.

ArrayList<Notice> notices = new ArrayList<>();
Origin origin = URI.parse("");
String policyText = "...";
Policy p = Parser.parse(policyText, origin, notices);

To include location information, use ParserWithLocation.parse in place of Parser.parse.

ArrayList<Notice> notices = new ArrayList<>();
ParserWithLocation.parse("image-src *; script-src none; report-uri /report", "", notices);

// 1:1: Unrecognised directive-name: "image-src".

// 1:25: This host name is unusual, and likely meant to be a keyword that is missing the required quotes: 'none'.

// 1:31: A draft of the next version of CSP deprecates report-uri in favour of a new report-to directive.

A policy may also be created using the Policy constructor and populated using the addDirective method.

Origin origin = URI.parse("");
Policy p = new Policy(origin);
Set<SourceExpression> scriptSourceValues = new HashSet<>();
p.addDirective(new ScriptSrcDirective(scriptSourceValues));

Query a Policy

Policy p = Parser.parse("script-src a; default-src b", "");
p.allowsScriptFromSource(URI.parse("http://a")); // true
p.allowsScriptFromSource(URI.parse("http://b")); // false
p.allowsStyleFromSource(URI.parse("http://b")); // true

Perform source-expression-specific queries and manipulations:

Policy p = Parser.parse("default-src * 'unsafe-inline' 'nonce-123' 'strict-dynamic'", "");
p.containsSourceExpression(ScriptSrcDirective.class, x -> x == KeywordSource.UnsafeInline)); // true
p.allowsUnsafeInlineScript(); // false
p.getEffectiveSourceExpressions(ScriptSrcDirective.class).filter(x -> x instanceof HostSource).count(); // 1

Manipulate Policies

Intersection merge:

Policy p = Parser.parse("script-src a; default-src b", "");
Policy q = Parser.parse("script-src b;", "");
p.intersect(q);; // script-src; default-src b

Union merge:

Policy p = Parser.parse("script-src a; default-src b", "");
Policy q = Parser.parse("script-src b;", "");
p.union(q);; // script-src a b
You can’t perform that action at this time.