search

google / csp-evaluator

https://csp-evaluator.withgoogle.com
Apache License 2.0
315 stars 45 forks source link

`CspParser` wrongly split directive using `data:` source containing `;base64...` #65

Open Pamplemousse opened 6 months ago

Pamplemousse commented 6 months ago

"data" URL schemes can contain a ; when using the base64 extension. When such scheme is used as a directive source, it seems that this ; trips the current CspParser, which wrongly splits the directive, as shown in the example below:

import { CspParser } from "csp_evaluator/dist/parser.js";

const example = "script-src 'nonce-xyz' data:image/png;base64,SGVsbG8sIFdvcmxkIQ== 'strict-dynamic'";
const { csp } = new CspParser(example);

console.log(csp)
Csp {
  directives: {
    'script-src': [ "'nonce-xyz'", 'data:image/png' ],
    'base64,sgvsbg8sifdvcmxkiq==': [ "'strict-dynamic'" ]
  }
}