andersju / webbkoll

An online tool that checks how a website is doing with regard to privacy
MIT License

Validation of CSP #28

Open bfg1981 opened 3 years ago

bfg1981 commented 3 years ago

I had a server with an invalid CSP header. I got a lot of strange errors until I figured out the main culprit. It would be beneficial to make sure that the values checked are actually syntactically correct, before checking them for privacy/security. This probably applies to other values as well.

andersju commented 3 years ago

Agreed. I'm already planning to move most analysis stuff to the JS "backend" part. This should make it easier to add validation because it looks like there are a bunch of CSP validation/parsing things in the Node.js world. (Our current code is an Elixir reimplementation of the CSP stuff from https://github.com/mozilla/http-observatory, whose future seems uncertain because the author left Mozilla several months ago and nobody has done anything since.)

bfg1981 commented 3 years ago

I had a look at the code, but decided that I didn't want to learn Elixir. I'm already working on some Puppeteer stuff, so if you move to Node, I'll probably be able to do some patching on my own.
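What a syntax check of the kind asked for above could look like, written in JavaScript since the analysis is planned to move to the Node.js backend. This is an added example, not webbkoll's code and not one of the Node.js packages mentioned in the thread. It follows the CSP Level 3 parsing algorithm (split on ";", split each directive on ASCII whitespace, lower-case the name, ignore a repeated directive) and then checks every source expression of a fetch directive against the source-list grammar, so that a malformed header is reported as such instead of surfacing as odd results further down. The function names `validateCsp` and `checkSource` and the sample headers are constructed for the example.

```javascript
'use strict';
// Added example (not webbkoll's code): check that a Content-Security-Policy
// header value is syntactically well-formed before any privacy/security
// analysis runs on it. Parsing follows CSP Level 3; validateCsp/checkSource
// are names chosen for this example.

const FETCH_DIRECTIVES = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr', 'style-src',
  'style-src-elem', 'style-src-attr', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src', 'base-uri', 'form-action', 'frame-ancestors',
]);
// Directives with their own value grammar; only the name is checked here.
const OTHER_DIRECTIVES = new Set([
  'sandbox', 'report-uri', 'report-to', 'upgrade-insecure-requests',
  'block-all-mixed-content', 'require-trusted-types-for', 'trusted-types',
]);
const NO_VALUE_DIRECTIVES = new Set(['upgrade-insecure-requests', 'block-all-mixed-content']);
const KEYWORDS = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'",
  "'strict-dynamic'", "'report-sample'", "'wasm-unsafe-eval'",
]);
const BASE64 = '[A-Za-z0-9+/\\-_]+={0,2}';
const NONCE_RE = new RegExp(`^'nonce-${BASE64}'$`, 'i');
const HASH_RE = new RegExp(`^'sha(256|384|512)-${BASE64}'$`, 'i');
const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+.\-]*:$/;
// [scheme "://"] host [":" port] [path], host = "*" or optional "*." plus labels
const HOST_RE = /^(?:[A-Za-z][A-Za-z0-9+.\-]*:\/\/)?(?:\*|(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)(?::(?:\d+|\*))?(?:\/[\x21-\x2B\x2D-\x3A\x3C-\x7E]*)?$/;
const NAME_RE = /^[A-Za-z0-9\-]+$/;
// directive-value characters: printable ASCII minus "," and ";"
const VALUE_RE = /^[\x21-\x2B\x2D-\x3A\x3C-\x7E]+$/;
const WS = /[\t\n\f\r ]+/;

function checkSource(directive, src, errors) {
  const lower = src.toLowerCase();
  if (KEYWORDS.has(lower) || NONCE_RE.test(src) || HASH_RE.test(src)) return;
  // Unquoted keywords are the classic mistake: a browser parses "self" as a
  // host named self, so the policy is accepted but does not do what was meant.
  if (/^(self|none|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic)$/i.test(src)) {
    errors.push(`${directive}: ${src} must be quoted as '${lower}'`);
    return;
  }
  if (SCHEME_RE.test(src) || HOST_RE.test(src)) return;
  if (/^'[^']*'$/.test(src)) {
    errors.push(`${directive}: unknown keyword ${src}`);
    return;
  }
  errors.push(`${directive}: invalid source expression "${src}"`);
}

function validateCsp(header) {
  const directives = new Map();
  const errors = [];
  const warnings = [];
  for (const raw of header.split(';')) {
    const token = raw.replace(/^[\t\n\f\r ]+|[\t\n\f\r ]+$/g, '');
    if (token === '') continue;                      // empty or trailing ";" is legal
    const [rawName, ...values] = token.split(WS);
    const name = rawName.toLowerCase();
    if (!NAME_RE.test(name)) { errors.push(`invalid directive name "${rawName}"`); continue; }
    if (directives.has(name)) { warnings.push(`${name}: duplicate directive is ignored`); continue; }
    if (!FETCH_DIRECTIVES.has(name) && !OTHER_DIRECTIVES.has(name)) {
      warnings.push(`${name}: unknown directive (browsers ignore it)`);
    }
    directives.set(name, values);
    const bad = values.filter((v) => !VALUE_RE.test(v));
    if (bad.length) {
      errors.push(`${name}: illegal characters in value: ${bad.join(' ')} ` +
        '(a "," separates header values, not directives)');
      continue;
    }
    if (FETCH_DIRECTIVES.has(name)) {
      if (values.some((v) => v.toLowerCase() === "'none'") && values.length > 1) {
        errors.push(`${name}: 'none' must be the only source expression`);
      }
      for (const v of values) checkSource(name, v, errors);
    } else if (NO_VALUE_DIRECTIVES.has(name) && values.length > 0) {
      warnings.push(`${name}: takes no value, "${values.join(' ')}" is ignored`);
    }
  }
  return { valid: errors.length === 0, directives, errors, warnings };
}

// Constructed sample headers, not taken from any real site.
const SAMPLES = [
  "default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-abc123' 'sha256-AbCd+/=='; object-src 'none'; upgrade-insecure-requests; report-uri /csp-report",
  "default-src self; script-src 'self' 'unsafe-inline' 'bogus'; script-src 'none'; foo-src 'self'; img-src 'none' https://x.example",
  "default-src 'self', script-src 'self'",
];
for (const h of SAMPLES) {
  const r = validateCsp(h);
  console.log(r.valid ? 'OK  ' : 'FAIL', h);
  for (const e of r.errors) console.log('  error:   ' + e);
  for (const w of r.warnings) console.log('  warning: ' + w);
}
```

Errors are things the grammar rejects or that make the policy meaningless (an unquoted keyword, `'none'` next to other sources, a "," inside a directive); warnings are things a browser silently ignores (a duplicate or unknown directive, a value on `upgrade-insecure-requests`). Only a header with no errors should be handed on to the privacy/security checks.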