I am happy to unveil a new GitHub project today, CSP Library or Content Security Policy Library. The project aims to collect and maintain a list of websites and services together with the rules each one requires for the various CSP directives.
Content Security Policy is an increasingly relevant and popular security header, supported by all major browsers (to differing degrees). But it can be quite difficult to configure, because every required directive and rule has to be included. If you use Google Fonts or Maps on your website, or you have Twitter or Facebook widgets and other elements from outside sources, and you want to protect your website with Content Security Policy, you need to include the relevant rules for the various CSP directives so that these services keep working on your website.
To learn more about Content Security Policy, check out the resources on the Mozilla Developer Network. It is important to know that specifications for CSP are always changing and evolving and that different browsers support different aspects of the policy.
Let’s go back to the new GitHub project. As far as I know, there is no central resource that lists the rules for popular websites and services, and assembling a valid list of rules can be very tiresome, especially for complex services like Google Adsense or Google Maps. Don’t get me wrong, you can manually figure out what is needed through testing for most services, but that is not something most website owners are willing to do or will know to do. For some services, testing alone may not be enough (the Google Local Pixels domain list is very long, and you cannot easily find the full list through testing because the domains you see depend on your location).
Check out the GitHub project Content Security Policy Library. If you want to contribute, you can open a new issue or create a pull request to submit changes to the existing rules (if you have noticed that some website-specific rules have changed) or submit new website or service rules.
The CSP Library project currently lists 60+ websites and services using simple JSON format files, each holding the name of the website or service, an optional description, and a list of rules for every directive the service needs. If you want to use these rules to configure CSP on your website, feel free to do so, and again, I would appreciate contributions to the maintenance and expansion of this library.
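To show how per-service rule lists like these turn into a header, here is an added example (my own code, not part of the library) that merges several entries into one policy. The JSON key names (`name`, `description`, `rules`), the sample entries and the `SITE_BASE_POLICY` are assumptions, not copied from the library; the one thing worth noticing is that once a service adds a fetch directive your site did not set, that directive stops inheriting `default-src`, so the merge seeds it explicitly.

```python
import json

# Fetch directives inherit default-src while absent; once a service adds one,
# that inheritance stops, so we seed a new one with default-src explicitly.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
}

# Constructed sample entries in the shape the post describes (name, optional
# description, rules per directive). Key names are an assumption, not the
# library's real schema, and the values are not copied from the library.
SAMPLE_ENTRIES = [
    json.dumps({"name": "Google Fonts", "description": "Web fonts from Google",
                "rules": {"style-src": ["https://fonts.googleapis.com"],
                          "font-src": ["https://fonts.gstatic.com"]}}),
    json.dumps({"name": "Example Widget",  # hypothetical service
                "rules": {"script-src": ["https://widget.example.com"],
                          "frame-src": ["https://widget.example.com"],
                          "style-src": ["https://fonts.googleapis.com"]}}),
]

# Assumed site policy before any service rules are merged in.
SITE_BASE_POLICY = {"default-src": ["'self'"], "script-src": ["'self'"]}


def merge_rules(base, entries_json):
    """Merge per-service rule lists into one directive -> sources map.

    Keeps insertion order, drops duplicate sources, and seeds any fetch
    directive the site did not set itself with its default-src sources.
    """
    merged = {d: list(v) for d, v in base.items()}
    fallback = base.get("default-src", [])
    for raw in entries_json:
        entry = json.loads(raw)
        for directive, sources in entry.get("rules", {}).items():
            if directive not in merged:
                merged[directive] = list(fallback) if directive in FETCH_DIRECTIVES else []
            for src in sources:
                if src not in merged[directive]:
                    merged[directive].append(src)
    return merged


def build_header(policy):
    """Serialise the directive map as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())


if __name__ == "__main__":
    print(build_header(merge_rules(SITE_BASE_POLICY, SAMPLE_ENTRIES)))
```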
The upcoming Dev4Press security plugin (the one aiming to replace two of our old security plugins) is going to use this library to improve the CSP implementation, so stay tuned for that, coming out most likely in early September 2023.
Let me know if you want to see more services in the library, use GitHub issues and pull requests to contribute, and let me know how this project can be improved in the future.