csp
Fuz supports SvelteKit's config for Content Security Policies with the create_csp_directives helper. Fuz also provides related helpers, types, and CSP data.
The goal is to provide a simple trust modeling system that balances safety, security, and privacy against ergonomics, in the hope of finding a better global maximum: helping users maintain secure policies without unhelpful burden or restriction.
Auditability and transparency are key concerns for the API, but we trade away some of this for ergonomics. The idea is to make it easy for users to safely configure basic scenarios, while advanced users can opt into using the API with full declarative transparency (and more verbosity and information load).
Fuz defines three levels of trust/risk/sensitivity (low/medium/high, Csp_Trust_Level) that can be configured for each trusted source to give blanket permissions at a specified tier, and then granular overrides are straightforward and declarative.
I'm trying to design for clear, intuitive boundaries with escalating security and privacy implications. Fuz includes a debatable set of defaults, and input is appreciated to help tune the tradeoffs.
```ts
import {create_csp_directives, type Csp_Source_Spec} from '@ryanatkn/fuz/csp.js';

export const my_csp_trusted_sources: Array<Csp_Source_Spec> = [
	{source: 'https://*.me.com/', trust: 'high'},
	{source: 'https://*.my.domain/', trust: 'medium'}, // no scripting allowed
	{source: 'https://me.github.io/', trust: 'low', directives: ['script-src-elem']}, // low but allow script
];

const csp = create_csp_directives({
	trusted_sources: my_csp_trusted_sources,
});

// Or get the default with no trusted sources except 'self':
const default_csp = create_csp_directives();

// You can also override or transform directives:
const custom_csp = create_csp_directives({
	trusted_sources: my_csp_trusted_sources,
	directives: {
		// Add additional domains to existing values:
		'img-src': (v) => [...v, 'trusted.domain'], // extend trusted sources
		// Or completely replace values:
		'connect-src': ['self', 'trusted.domain'], // no base trusted sources!
		// 'connect-src': () => ['self', 'trusted.domain'], // equivalent function form (an object key can appear only once)
		// Example opt-in to eval:
		'script-src-elem': (v) => [...v, 'unsafe-eval', 'wasm-unsafe-eval'], // alert alert
	},
});
```
Trust
Fuz's CSP abstraction provides three trust levels (Csp_Trust_Level) with escalating risk.
- `null` - No trust. This is used for directives that don't support sources.
- `'low'` - Passive resources only: no script execution, no styling or UI control.
- `'medium'` - Content that may affect layout, styling, or embed external browsing contexts, but cannot directly run code in the page's JS execution environment or perform other high-risk actions.
- `'high'` - Sources that can execute code in the page's context.
Default directive trust levels
| trust level | directives |
|---|---|
| null | default-src, script-src-attr, manifest-src, child-src, object-src, base-uri, upgrade-insecure-requests, report-to, require-trusted-types-for, trusted-types, sandbox |
| low | img-src, media-src, font-src |
| medium | style-src, style-src-elem, style-src-attr, connect-src, frame-src, frame-ancestors, form-action, worker-src |
| high | script-src, script-src-elem |
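To make the tier rule above concrete, here is an added illustration that re-derives it from the table: a source with trust T is granted to every source-taking directive whose default level is at or below T, an explicit `directives` list opts the source into the named directives regardless of tier, `null` directives never receive sources, and every source-taking directive starts at `'self'`. This is not Fuz's `create_csp_directives` and does not claim to match its output shape; the function names `directives_for`, `build_directives` and `serialize`, the header-string rendering, and the sample sources are assumptions constructed for this example.

```typescript
type Csp_Trust_Level = 'low' | 'medium' | 'high';

interface Csp_Source_Spec {
	source: string;
	trust: Csp_Trust_Level;
	directives?: string[]; // explicit opt-in to named directives, whatever their tier
}

// Default directive trust levels, copied from the table above.
// `null` marks directives that take no sources and so never receive a trusted source.
const DIRECTIVE_TRUST: Record<string, Csp_Trust_Level | null> = {
	'default-src': null, 'script-src-attr': null, 'manifest-src': null, 'child-src': null, 'object-src': null,
	'base-uri': null, 'upgrade-insecure-requests': null, 'report-to': null,
	'require-trusted-types-for': null, 'trusted-types': null, 'sandbox': null,
	'img-src': 'low', 'media-src': 'low', 'font-src': 'low',
	'style-src': 'medium', 'style-src-elem': 'medium', 'style-src-attr': 'medium',
	'connect-src': 'medium', 'frame-src': 'medium', 'frame-ancestors': 'medium',
	'form-action': 'medium', 'worker-src': 'medium',
	'script-src': 'high', 'script-src-elem': 'high',
};

const RANK: Record<Csp_Trust_Level, number> = {low: 1, medium: 2, high: 3};

// Directives a single source is granted: every source-taking directive whose tier
// is at or below the source's trust, plus any directive it opts into by name.
// (Assumed helper, not a Fuz export.)
function directives_for(spec: Csp_Source_Spec): string[] {
	const granted = new Set<string>();
	for (const [directive, level] of Object.entries(DIRECTIVE_TRUST)) {
		if (level === null) continue; // sourceless directive: never populated by the tier model
		if (RANK[level] <= RANK[spec.trust] || spec.directives?.includes(directive)) {
			granted.add(directive);
		}
	}
	return [...granted].sort();
}

// Full directive -> source-list map for a set of trusted sources. Every
// source-taking directive starts at 'self'; sourceless directives are left out.
function build_directives(trusted: Csp_Source_Spec[]): Record<string, string[]> {
	const out: Record<string, string[]> = {};
	for (const [directive, level] of Object.entries(DIRECTIVE_TRUST)) {
		if (level !== null) out[directive] = ["'self'"];
	}
	for (const spec of trusted) {
		for (const directive of directives_for(spec)) {
			const list = out[directive] ?? (out[directive] = ["'self'"]);
			if (!list.includes(spec.source)) list.push(spec.source);
		}
	}
	return out;
}

// Render as a Content-Security-Policy header value so the result can be eyeballed.
function serialize(directives: Record<string, string[]>): string {
	return Object.entries(directives)
		.map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
		.join('; ');
}

// Constructed sample mirroring the usage example earlier on the page.
const sample_sources: Csp_Source_Spec[] = [
	{source: 'https://*.me.com/', trust: 'high'},
	{source: 'https://*.my.domain/', trust: 'medium'},
	{source: 'https://me.github.io/', trust: 'low', directives: ['script-src-elem']},
];

console.log(serialize(build_directives(sample_sources)));
```

Running it shows the medium-trust domain landing in `style-src`, `connect-src` and `frame-src` but not in `script-src`, and the low-trust GitHub Pages origin reaching `script-src-elem` only because it opted in by name. That per-directive view is what to check when tuning a source's tier.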
Directive specs
| directive | fallback | fallback of |
|---|---|---|
| default-src | script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, img-src, media-src, font-src, manifest-src, child-src, connect-src, worker-src, object-src | |
| script-src | default-src | script-src-elem, script-src-attr, worker-src |
| script-src-elem | script-src, default-src | |
| script-src-attr | script-src, default-src | |
| style-src | default-src | style-src-elem, style-src-attr |
| style-src-elem | style-src, default-src | |
| style-src-attr | style-src, default-src | |
| img-src | default-src | |
| media-src | default-src | |
| font-src | default-src | |
| manifest-src | default-src | |
| child-src | default-src | frame-src, worker-src |
| connect-src | default-src | |
| frame-src | child-src | |
| frame-ancestors | | |
| form-action | | |
| worker-src | child-src, script-src, default-src | |
| object-src | default-src | |
| base-uri | | |
| upgrade-insecure-requests | | |
| report-to | | |
| require-trusted-types-for | | |
| trusted-types | | |
| sandbox | | |
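The fallback columns matter when auditing a policy: a directive that is absent is governed by the first present directive in its chain, and the directives with an empty fallback column (frame-ancestors, form-action, base-uri) are simply unrestricted when absent. The following added TypeScript encodes the table above and resolves, for a plain directive-to-sources object, which directive actually governs each one. It is an audit helper written for this page, not part of Fuz; `resolve`, `unrestricted`, the `Policy` type and the sample policy are constructed here, and the transitive step (continuing from the last link of a listed chain, so frame-src reaches default-src through child-src) is an assumption about how the table's short chains compose.

```typescript
// Fallback chains copied from the "Directive specs" table above. A directive absent
// from a policy is governed by the first directive in its chain that is present.
const FALLBACKS: Record<string, string[]> = {
	'script-src': ['default-src'],
	'script-src-elem': ['script-src', 'default-src'],
	'script-src-attr': ['script-src', 'default-src'],
	'style-src': ['default-src'],
	'style-src-elem': ['style-src', 'default-src'],
	'style-src-attr': ['style-src', 'default-src'],
	'img-src': ['default-src'],
	'media-src': ['default-src'],
	'font-src': ['default-src'],
	'manifest-src': ['default-src'],
	'child-src': ['default-src'],
	'connect-src': ['default-src'],
	'frame-src': ['child-src'],
	'worker-src': ['child-src', 'script-src', 'default-src'],
	'object-src': ['default-src'],
};

// Source-list directives with an empty fallback column: when absent, nothing restricts them.
const NO_FALLBACK = ['frame-ancestors', 'form-action', 'base-uri'];

type Policy = Record<string, string[]>; // directive -> source list (constructed shape for this example)

interface Resolution {
	governed_by: string; // the directive whose sources actually apply
	sources: string[];
}

// Walk the listed chain in order. If nothing in it is present and the chain's last
// link has a chain of its own (frame-src -> child-src -> default-src), continue from there.
function resolve(policy: Policy, directive: string): Resolution | null {
	const chain = [directive, ...(FALLBACKS[directive] ?? [])];
	for (const d of chain) {
		const sources = policy[d];
		if (sources) return {governed_by: d, sources};
	}
	const tail = chain[chain.length - 1] ?? directive;
	if (tail !== directive && (FALLBACKS[tail] ?? []).length > 0) return resolve(policy, tail);
	return null;
}

// Directives that end up with no governing source list at all.
function unrestricted(policy: Policy): string[] {
	return [...Object.keys(FALLBACKS), ...NO_FALLBACK]
		.filter((d) => resolve(policy, d) === null)
		.sort();
}

// Constructed sample policy: script-src is set and child-src is locked down,
// but the no-fallback directives are missing.
const sample_policy: Policy = {
	'default-src': ["'self'"],
	'script-src': ["'self'", 'https://cdn.example'],
	'child-src': ["'none'"],
};

console.log(resolve(sample_policy, 'worker-src')); // governed by child-src, not script-src
console.log(unrestricted(sample_policy)); // base-uri, form-action, frame-ancestors
```

Two things the sample makes visible: `worker-src` is answered by `child-src` before `script-src` even though workers run script, and a policy that looks complete because `default-src` is set still leaves framing, form submission and `<base>` unrestricted until those three directives are written explicitly.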