CSP-Fiddler-Extension

Content Security Policy rule collector extension for Fiddler helps you produce a strong CSP for a web page.

What's this?

Use this extension to add a CSP header to your page, or tighten up your existing CSP header.

This is an extension for Fiddler that works out the most restrictive Content-Security-Policy a web page can carry without producing any violations for that page. Install the extension, turn it on, navigate to the page with a browser that supports CSP (and exercise the features you care about), then view the CSP rules the extension has generated.

Install

Press Win+R, run powershell.exe, and enter the following at the PowerShell prompt (wget is PowerShell's alias for Invoke-WebRequest, so this downloads the prebuilt DLL into Fiddler's Scripts directory):

wget -uri https://david-risney.github.io/CSP-Fiddler-Extension/fiddlercsp.dll -OutFile (Join-Path (mkdir -Force ~\Documents\Fiddler2\Scripts) FiddlerCSP.dll)

Or if you want to put in more effort, clone this repo, build it, and copy the built FiddlerCSP.dll to your ~\Documents\Fiddler2\Scripts directory.

Run

After installing:

For best results:

How does it work?

The extension adds mock Content-Security-Policy-Report-Only headers to servers' responses. For instance:

Content-Security-Policy-Report-Only: child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src 'none'; media-src 'none'; object-src 'none'; style-src 'none'; script-src 'unsafe-eval'; report-uri https://fiddlercsp.deletethis.net/unsafe-inline

It then watches for the browser to POST violation reports to that report-uri and uses them to generate the most restrictive CSP that still admits every resource the reports describe. Because the policy is Report-Only, nothing is blocked during collection; the flip side is that the result only covers what you actually exercised while the extension was on. A page, feature, or code path you never visited sends no reports, so its resources will be blocked once the generated policy is enforced.
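The report-to-policy step, as an added example in Node.js that is not the extension's own code (the extension itself is a C# Fiddler add-in): it consumes the "csp-report" JSON objects a browser POSTs to report-uri, maps each blocked-uri to the narrowest source expression that admits it, and starts every directive from the mock header above at 'none'. The sample reports, the page URL and the origins in them are constructed for the example, not captured from a real site.

```javascript
// Added example (not the FiddlerCSP extension's own code): turn the
// "csp-report" JSON objects a browser POSTs to report-uri into the tightest
// policy that admits every reported resource. Runs offline under Node.js.

// Directives the README's mock Report-Only header starts at 'none'.
const DIRECTIVES = [
  "child-src", "connect-src", "font-src", "frame-src", "img-src",
  "media-src", "object-src", "script-src", "style-src",
];

// Map one blocked-uri to the narrowest source expression that would allow it.
// Browsers send the tokens "inline", "eval", "data" and "blob" instead of a
// URL for those cases; anything else is a URL and is admitted by origin only.
function sourceFor(blockedUri, documentUri) {
  switch (blockedUri) {
    case "inline": return "'unsafe-inline'";
    case "eval":   return "'unsafe-eval'";
    case "data":   return "data:";
    case "blob":   return "blob:";
  }
  let url;
  try { url = new URL(blockedUri); } catch (_e) { return null; } // not a URL: ignore
  if (url.origin === "null") return url.protocol; // data:, blob:, mailto: ...
  try {
    if (url.origin === new URL(documentUri).origin) return "'self'";
  } catch (_e) { /* unusable document-uri: fall back to the explicit origin */ }
  return url.origin; // scheme + host (+ port), never the full path
}

function newPolicyState() {
  const state = new Map();
  for (const d of DIRECTIVES) state.set(d, new Set());
  return state;
}

// Fold one report into the running state. Returns true when it changed
// something, false when the report carried nothing usable.
function addReport(state, report) {
  const r = report["csp-report"] || report;
  const directive = r["effective-directive"]
    || String(r["violated-directive"] || "").split(/\s+/)[0];
  if (!directive) return false;
  const src = sourceFor(String(r["blocked-uri"] || ""), r["document-uri"]);
  if (!src) return false;
  if (!state.has(directive)) state.set(directive, new Set());
  state.get(directive).add(src);
  return true;
}

// Serialize: directives that never produced a report stay 'none'.
function renderPolicy(state) {
  return [...state.keys()].sort().map((d) => {
    const srcs = [...state.get(d)].sort();
    return `${d} ${srcs.length ? srcs.join(" ") : "'none'"}`;
  }).join("; ");
}

function buildPolicy(reports) {
  const state = newPolicyState();
  for (const rep of reports) addReport(state, rep);
  return renderPolicy(state);
}

// Constructed sample reports (not captured from a real page).
const page = "https://example.com/";
const report = (directive, blocked) => ({
  "csp-report": {
    "document-uri": page,
    "violated-directive": `${directive} 'none'`,
    "effective-directive": directive,
    "blocked-uri": blocked,
  },
});
const sampleReports = [
  report("img-src", "https://cdn.example.com/logo.png"),
  report("img-src", "https://cdn.example.com/hero.png"), // same origin, no new source
  report("img-src", "data"),
  report("script-src", "https://example.com/app.js"),    // the page's own origin
  report("script-src", "inline"),
  report("script-src", "eval"),
  report("style-src", "inline"),
  report("connect-src", "wss://live.example.com/socket"),
];

console.log("Content-Security-Policy: " + buildPolicy(sampleReports));
```

Sources are collapsed to origins rather than full URLs, which is what makes the output a stable allowlist instead of a list of every file the page happened to load. Inline script and eval are admitted with 'unsafe-inline' and 'unsafe-eval' because that is all a violation report tells you; replacing those with nonces or hashes is a manual step after you have the generated policy.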

Other