
@tw3
Last active June 21, 2024 18:50
Parse Content Security Policy (CSP)
// Playground here: https://codepen.io/tw3/pen/eYaMPOZ
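/**
 * Parse a Content-Security-Policy string into a list of directive entries.
 *
 * Each entry is an array shaped `[name, keyword?, sources]`:
 *   - `name`    : first token of the directive (e.g. `default-src`), case kept as written.
 *   - `keyword` : present only when the second token starts with a single quote
 *                 (e.g. `'self'`); omitted otherwise.
 *   - `sources` : array with every remaining token (may be empty).
 *
 * Caveats for anyone auditing a policy with this output:
 *   - Only the FIRST quoted token lands in the `keyword` slot. Further quoted
 *     tokens (`'unsafe-inline'`, nonces, hashes, ...) stay in `sources`, so a
 *     check for a risky keyword has to look at both places.
 *   - Nothing is validated, lower-cased or de-duplicated. Browsers match
 *     directive names case-insensitively and ignore repeated directives after
 *     the first occurrence; apply the same rules before drawing conclusions.
 *
 * @param {string} csp - Serialized policy, directives separated by `;`.
 * @returns {Array<Array<string|string[]>>} One entry per non-empty directive.
 * @throws {TypeError} If `csp` is not a string (it has no `split` method).
 */
function parseCsp(csp) {
  const result = [];
  for (const segment of csp.split(';')) {
    // Tokens are separated by ASCII whitespace; a bare split(' ') would glue
    // tab- or newline-separated sources onto the neighbouring token.
    const vals = segment.trim().split(/[\t\n\f\r ]+/).filter(Boolean);
    // A trailing ';' or an empty policy yields an empty segment; skip it
    // instead of emitting an entry whose name is undefined.
    if (vals.length === 0) {
      continue;
    }
    const [name, ...rest] = vals;
    const entryArr = [name]; // resource, e.g. default-src
    if (rest[0]?.startsWith("'")) {
      entryArr.push(rest.shift()); // target, e.g. 'self'
    }
    entryArr.push(rest); // everything else, e.g. host sources
    result.push(entryArr);
  }
  return result;
}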
// Sample policy used to demonstrate the parser.
var cspStr = "default-src 'self'; script-src 'unsafe-eval' scripts.com; object-src; style-src styles.biz";
var result = parseCsp(cspStr);
console.log('result', result);
/*
Logged value for the sample above:
result = [
  [ 'default-src', "'self'", [] ],
  [ 'script-src', "'unsafe-eval'", [ 'scripts.com' ] ],
  [ 'object-src', [] ],
  [ 'style-src', [ 'styles.biz' ] ]
]
*/
// The parsed entries can be edited and then serialized back into a policy string.
// Each entry is flattened (its source list joined with spaces, empty pieces
// dropped) and the directives are joined with '; '. Nothing is validated on the
// way back, so whatever was put into `result` ends up in the header verbatim.
var newCspStr = result
  .map(function (entry) {
    const pieces = [];
    for (const item of entry) {
      const text = Array.isArray(item) ? item.join(' ') : item;
      if (text) {
        pieces.push(text);
      }
    }
    return pieces.join(' ');
  })
  .join('; ');
console.log('newCspStr', newCspStr); // "default-src 'self'; script-src 'unsafe-eval' scripts.com; object-src; style-src styles.biz"
// Equal for this sample because it already uses single spaces and '; ' separators.
console.log(newCspStr === cspStr); // true