Evaluate

Test a CSP before you enforce it

Use --evaluate to inject a candidate policy as Content-Security-Policy-Report-Only, collect violations, and fail the run if anything would break.

cspresso https://example.com \
  --bypass-csp \
  --evaluate "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net;" \
  --json

Exit codes
0 → no Report-Only violations detected
1 → violations detected (ideal for CI gates)

Tip: keep your CSP string quoted; it usually contains spaces and semicolons.

Why --bypass-csp matters

If the target site already sets an enforcing CSP, that policy blocks loads and can change runtime behaviour during the crawl. A request the existing policy blocks never completes, so the candidate policy is never tested against it and any violation it would have raised goes unreported. Using --bypass-csp strips the existing CSP headers from HTML responses during the crawl, so the candidate policy is evaluated against everything the page actually tries to load.

Safety note
Bypassing CSP means the crawler's browser executes the page without those protections. Run evaluation only against sites you trust, or in a sandboxed environment.
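To make the evaluation and the --bypass-csp point concrete, here is an added example, not cspresso's own code, that implements a deliberately small subset of CSP source matching in Python and runs a candidate policy over a constructed list of page loads: first over everything the page loads (what a crawl with --bypass-csp sees), then over only what a crawl would observe while a stricter existing policy is enforced. The page origin, the load list and the existing policy are made up for the illustration; the matcher ignores nonces, hashes, 'unsafe-inline', 'strict-dynamic', ports and paths.

```python
"""Added illustration (not cspresso's code): evaluate a candidate CSP against
observed loads, and show what an enforcing CSP on the site hides from a crawl.

Implements a small subset of CSP Level 3 source matching: 'self', 'none', '*',
scheme sources (https:), and host sources with an optional leading wildcard.
Nonces, hashes, 'unsafe-inline', 'strict-dynamic', ports and paths are ignored.
"""
from urllib.parse import urlparse

# Fetch directive that governs each resource type (subset).
DIRECTIVE_FOR_TYPE = {
    "script": "script-src",
    "style": "style-src",
    "image": "img-src",
    "font": "font-src",
    "fetch": "connect-src",  # fetch()/XHR/WebSocket
    "frame": "frame-src",
}


def parse_policy(policy: str) -> dict:
    """'dir src src; dir src;' -> {directive: [source expressions]}.

    Quoted keywords keep their quotes so 'self' cannot collide with a host
    literally named self. As in browsers, a repeated directive is ignored.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' covers subdomains but not example.com itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    target, page = urlparse(url), urlparse(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if expr == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as https:
        return target.scheme == expr[:-1]
    # host-source: [scheme://]host. A bare host inherits the page's scheme,
    # and an http host-source also matches an https load (CSP upgrade rule).
    src = urlparse(expr if "://" in expr else f"{page.scheme}://{expr}")
    scheme_ok = target.scheme == src.scheme or (src.scheme == "http" and target.scheme == "https")
    return scheme_ok and _host_matches(src.hostname or "", target.hostname or "")


def is_allowed(directives: dict, rtype: str, url: str, page_origin: str) -> bool:
    """Apply the governing directive, falling back to default-src; no directive means allow."""
    sources = directives.get(DIRECTIVE_FOR_TYPE[rtype], directives.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def violations(policy: str, loads: list, page_origin: str) -> list:
    """One csp-report-style dict per load the policy would block (or, in Report-Only mode, report)."""
    directives = parse_policy(policy)
    return [
        {"effective-directive": DIRECTIVE_FOR_TYPE[t], "blocked-uri": u}
        for t, u in loads
        if not is_allowed(directives, t, u, page_origin)
    ]


def exit_code(policy: str, loads: list, page_origin: str) -> int:
    """The CI contract from this page: 0 when nothing would break, 1 otherwise."""
    return 1 if violations(policy, loads, page_origin) else 0


def crawl_observes(enforcing_policy: str, loads: list, page_origin: str) -> list:
    """Loads a crawl sees while the site enforces `enforcing_policy`: whatever
    that policy blocks never completes, so the candidate is never tested on it."""
    directives = parse_policy(enforcing_policy)
    return [(t, u) for t, u in loads if is_allowed(directives, t, u, page_origin)]


# Constructed sample data for the illustration; not captured from a real site.
PAGE = "https://example.com"
LOADS = [
    ("script", "https://example.com/app.js"),
    ("script", "https://cdn.jsdelivr.net/npm/htmx.org/dist/htmx.min.js"),
    ("style", "https://example.com/site.css"),
    ("image", "https://images.example.com/hero.png"),
    ("fetch", "https://api.example.com/v1/me"),
    ("font", "https://fonts.gstatic.com/s/inter.woff2"),
]
CANDIDATE = "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net;"
EXISTING = "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; img-src 'self' images.example.com"

if __name__ == "__main__":
    full = violations(CANDIDATE, LOADS, PAGE)
    seen = violations(CANDIDATE, crawl_observes(EXISTING, LOADS, PAGE), PAGE)
    print(f"with --bypass-csp: {len(full)} violations, exit {exit_code(CANDIDATE, LOADS, PAGE)}")
    for r in full:
        print(f"  {r['effective-directive']}: {r['blocked-uri']}")
    print(f"without it (existing CSP enforced): {len(seen)} violations; {len(full) - len(seen)} hidden")
```

Against the constructed loads the candidate policy raises three violations (img-src, connect-src, font-src). The made-up existing policy already blocks the API fetch and the Google font, so a crawl that leaves it in place observes only four loads and the candidate appears to have a single violation; the other two surface only once the existing headers are stripped. The same ordering applies to real runs: strip first, evaluate second, and treat any hidden violation as a break waiting to happen in enforcing mode.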

CI example (GitHub Actions)

- name: Evaluate CSP
  run: |
    pipx install cspresso
    cspresso https://example.com \
      --bypass-csp \
      --evaluate "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net;" \
      --json

If you cache Playwright browsers, set --browsers-path to a persistent directory.

Troubleshooting

Sourcemaps causing connect-src noise
DevTools often fetches sourcemaps even when headless browsing doesn’t. If you want to model those requests, use --include-sourcemaps to add sourcemap origins to connect-src.
Non-HTML crawled resources
If your site serves downloadable or plain-text files from the same origin, consider --ignore-non-html so those responses are not treated as pages. Otherwise edge cases such as the word-wrap style Chromium injects when rendering a plain-text response can show up as a style hash in the generated policy.