Showing content from https://github.com/HtmlUnit/htmlunit-csp below:

GitHub - HtmlUnit/htmlunit-csp

This is a general purpose library for working with Content Security Policy policies.

This is the code repository of the Content Security Policy support used by HtmlUnit.

The library was created by forking the salvation project as it is apparently no longer maintained.
For HtmlUnit, the code has been adapted to the code style rules used, and support for editing policies has been removed.
The code is being expanded, restructured and improved primarily to meet the requirements of this project.

❤️ Sponsor

Developer Blog

HtmlUnit@mastodon | HtmlUnit@bsky | HtmlUnit@Twitter

Latest release Version 4.15.0 / August 17, 2025

Add to your pom.xml:

<dependency>
    <groupId>org.htmlunit</groupId>
    <artifactId>htmlunit-csp</artifactId>
    <version>4.15.0</version>
</dependency>

Add to your build.gradle:

implementation group: 'org.htmlunit', name: 'htmlunit-csp', version: '4.15.0'

The CSP specification is fairly complex even if you only care about the latest version. However, in practice you are likely to care that your policy does the things you intend it to on the browsers you care about, which are likely to implement different and potentially broken subsets of the specification (and potentially additional behavior which is not in the specification). And there are inevitable tradeoffs to be made regarding the size of your policy vs the security it provides.

As such, this project does not attempt to provide a one-size-fits-all way to manipulate a policy purely in terms of its effects - the full set of effects across all browsers is too vast to provide an effective API in general. It can help you build up a policy based on the directives and source-expressions you want, but to ensure your policy is correct, for your own definition of correct, there is no alternative to testing it on the real browsers you care about.

Parse a policy using either Policy.parseSerializedCSP or Policy.parseSerializedCSPList. The second parameter will be called for each warning or error.

String policyText = "script-src 'none'";
Policy policy = Policy.parseSerializedCSP(policyText, (severity, message, directiveIndex, valueIndex) -> {
  System.err.println(severity.name() + " at directive " + directiveIndex + (valueIndex == -1 ? "" : " at value " + valueIndex) + ": " + message);
});

The high-level querying methods allow you to specify whatever relevant information you have. The missing information will be assumed to be worst-case - that is, these methods will return true only if any object which matches the provided characteristics would be allowed, regardless of its other characteristics.

Policy policy = Policy.parseSerializedCSP("script-src http://a", Policy.PolicyErrorConsumer.ignored);

// true
System.out.println(policy.allowsExternalScript(
  Optional.empty(),
  Optional.empty(),
  Optional.of(URI.parse("http://a")),
  Optional.empty(),
  Optional.empty()
));

// false
System.out.println(policy.allowsExternalScript(
  Optional.empty(),
  Optional.empty(),
  Optional.empty(),
  Optional.empty(),
  Optional.empty()
));

Because the Policy objects are rich structures, you can also ask about the presence or absence of specific directives or expressions:

Policy policy = Policy.parseSerializedCSP("script-src 'strict-dynamic'", Policy.PolicyErrorConsumer.ignored);

// Assumes the policy has a `script-src` directive (or else the `get` would throw), and checks if it contains the `'strict-dynamic'` source expression
System.out.println(policy.getFetchDirective(FetchDirectiveKind.ScriptSrc).get().strictDynamic());
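The parser callback, the worst-case query and the directive lookup described above can be combined into a policy check that runs before a header is deployed. This is an added example, not code from the htmlunit-csp project; the class name `CspGate`, the `audit` helper and the imported package names are assumptions, and it calls only the methods shown in the snippets above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

// Assumed package names; check them against the version you depend on.
import org.htmlunit.csp.FetchDirectiveKind;
import org.htmlunit.csp.Policy;

public class CspGate {

    /** Returns parser diagnostics plus audit findings for one serialized policy. */
    static List<String> audit(String policyText) {
        List<String> findings = new ArrayList<>();

        // Record every parser warning or error instead of ignoring it.
        Policy policy = Policy.parseSerializedCSP(policyText,
            (severity, message, directiveIndex, valueIndex) ->
                findings.add(severity.name() + " at directive " + directiveIndex
                    + (valueIndex == -1 ? "" : " at value " + valueIndex)
                    + ": " + message));

        // Worst-case query: nothing is known about the script, so this is
        // true only if every external script would be allowed.
        if (policy.allowsExternalScript(Optional.empty(), Optional.empty(),
                Optional.empty(), Optional.empty(), Optional.empty())) {
            findings.add("policy allows any external script");
        }

        // Structural query: look at the script-src directive itself.
        if (!policy.getFetchDirective(FetchDirectiveKind.ScriptSrc).isPresent()) {
            findings.add("getFetchDirective(ScriptSrc) returned no directive");
        } else if (policy.getFetchDirective(FetchDirectiveKind.ScriptSrc).get().strictDynamic()) {
            findings.add("note: script-src uses 'strict-dynamic'");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample input; all but the img-src policy appear in the text above.
        String[] samples = {
            "script-src 'none'", "script-src http://a",
            "img-src 'self'", "script-src 'strict-dynamic'"
        };
        for (String text : samples) {
            System.out.println(text + " -> " + audit(text));
        }
    }
}
```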

The latest builds are available from our Jenkins CI build server

If you use Maven, please add:

<dependency>
    <groupId>org.htmlunit</groupId>
    <artifactId>htmlunit-csp</artifactId>
    <version>4.16.0-SNAPSHOT</version>
</dependency>

You also have to add the Sonatype Central snapshot repository to the repositories section of your pom.xml:

<repositories>
    <repository>
        <name>Central Portal Snapshots</name>
        <id>central-portal-snapshots</id>
        <url>https://central.sonatype.com/repository/maven-snapshots/</url>
        <releases>
            <enabled>false</enabled>
        </releases>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
    </repository>
</repositories>

Start HtmlUnit - CSP Development

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.

You only need a local Maven installation.

Create a local clone of the repository and you are ready to start.

Open a command line window from the root folder of the project and call

Pull requests and all other community contributions are essential for open source software. Every contribution, from bug reports to feature requests and from typo fixes to full new features, is greatly appreciated.

Deployment and Versioning

This part is intended for committers who are packaging a release.

   mvn versions:display-plugin-updates
   mvn versions:display-dependency-updates
   mvn -U clean test

This project is licensed under the Apache 2.0 License

Many thanks to all of you contributing to salvation in the past.

