Content Security Policy for Morepath
Usage
To protect all views with a default content security policy:

    from morepath import App
    from more.content_security import ContentSecurityApp
    from more.content_security import ContentSecurityPolicy
    from more.content_security import SELF

    class MyApp(App, ContentSecurityApp):
        pass

    @MyApp.setting('content_security_policy', 'default')
    def default_policy():
        return ContentSecurityPolicy(
            default_src={SELF},
            script_src={SELF, 'https://analytics.example.org'}
        )
To extend the default policy for the default view of a model:

    @MyApp.view(model=Document)
    def view_document(self, request):
        # the actual default policy is not modified here!
        request.content_security_policy.script_src.add('https://cdnjs.com')
        ...
We can also use a completely different policy:

    @MyApp.view(model=Document)
    def view_document(self, request):
        request.content_security_policy = ContentSecurityPolicy()
Additionally, we can use nonces in inline scripts/stylesheets. Those will automatically be added to the 'script-src' and 'style-src' directives:

    @MyApp.html(model=Document)
    def view_document(self, request):
        return """
            <html>
                ...
                <script nonce="{}">...</script>
            </html>
        """.format(request.content_security_policy_nonce('script'))
Note that we use a custom request class for nonces. If you have your own, you need to extend it as follows:

    from morepath.request import Request
    from more.content_security import ContentSecurityRequest

    class CustomRequest(Request, ContentSecurityRequest):
        pass

    class MyApp(App, ContentSecurityApp):
        request_class = CustomRequest
To only use the 'Content-Security-Policy-Report-Only' header, use this:

    @MyApp.setting('content_security_policy', 'default')
    def default_policy():
        return ContentSecurityPolicy(
            report_only=True,
            default_src={SELF}
        )
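As an added illustration, not code from more.content_security or Morepath, the following stand-alone model shows what the usage sections above amount to on the wire: the default policy, a per-view addition that must not leak into the shared default, a nonce for an inline script, and the Report-Only header variant. The Policy and FakeRequest classes, the render_document function and the headers() method are assumptions made for this example only; the directive names and the quoted 'self' and 'nonce-...' source forms follow the CSP specification.

```python
import base64
import copy
import secrets
from dataclasses import dataclass, field

# Keyword sources keep their single quotes on the wire: a bare self would be
# read by the browser as a host name, not as the 'self' keyword.
SELF = "'self'"
UNSAFE_INLINE = "'unsafe-inline'"
UNSAFE_EVAL = "'unsafe-eval'"


@dataclass
class Policy:
    """Assumed stand-in for ContentSecurityPolicy: one set of sources per directive."""
    default_src: set = field(default_factory=set)
    script_src: set = field(default_factory=set)
    style_src: set = field(default_factory=set)
    report_only: bool = False

    @property
    def header_name(self):
        # Report-Only makes the browser report violations without blocking anything.
        if self.report_only:
            return "Content-Security-Policy-Report-Only"
        return "Content-Security-Policy"

    def header_value(self):
        # Directives are separated by "; ", sources inside a directive by spaces.
        parts = []
        for name, sources in (("default-src", self.default_src),
                              ("script-src", self.script_src),
                              ("style-src", self.style_src)):
            if sources:
                parts.append(name + " " + " ".join(sorted(sources)))
        return "; ".join(parts)


class FakeRequest:
    """Assumed stand-in for the request class used in the examples above."""

    def __init__(self, default_policy):
        # Deep copy: a view may add sources for this response only, and the
        # shared default must not accumulate them across requests.
        self.content_security_policy = copy.deepcopy(default_policy)
        self._nonces = {}

    def content_security_policy_nonce(self, directive):
        # One fresh, unguessable nonce per directive per response (128 bits, base64).
        if directive not in self._nonces:
            self._nonces[directive] = base64.b64encode(secrets.token_bytes(16)).decode()
        return self._nonces[directive]

    def headers(self):
        # Nonces are folded into the policy only when the header is emitted,
        # so they never reach the shared default either.
        policy = self.content_security_policy
        for directive, nonce in self._nonces.items():
            getattr(policy, directive + "_src").add("'nonce-" + nonce + "'")
        return {policy.header_name: policy.header_value()}


# The default policy from the usage example above.
DEFAULT_POLICY = Policy(default_src={SELF},
                        script_src={SELF, "https://analytics.example.org"})


def render_document(default_policy=DEFAULT_POLICY):
    """Mirror of the view_document examples: allow a CDN for this response only
    and emit one nonced inline script. Returns (html, headers, nonce)."""
    request = FakeRequest(default_policy)
    request.content_security_policy.script_src.add("https://cdnjs.com")
    nonce = request.content_security_policy_nonce("script")
    html = '<html><script nonce="%s">/* inline code */</script></html>' % nonce
    return html, request.headers(), nonce


if __name__ == "__main__":
    html, headers, nonce = render_document()
    print(headers)
    # The shared default is unchanged: no CDN, no nonce.
    print(DEFAULT_POLICY.header_value())
    print(Policy(report_only=True, default_src={SELF}).header_name)
```

The check worth running after any change to how policies are copied: after render_document() returns, DEFAULT_POLICY.script_src must still contain only 'self' and the analytics host, and two successive calls must yield different nonces. If either fails, a source allowed for one view has silently become allowed for every view.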
Run the Tests
Install tox and run it:

    pip install tox
    tox
Limit the tests to a specific python version:

    tox -e py27
Conventions
more.content_security follows PEP8 as closely as possible. To test for it run:

    tox -e pep8
more.content_security uses Semantic Versioning
License
more.content_security is released under the revised BSD license.
Changelog
0.2.0 (2018-02-02)
Adds the ability to override the policy apply function. [href]
Adds missing UNSAFE_EVAL constant. [href]
0.1.0 (2018-02-01)
Initial Release. [href]
File details
Details for the file more.content_security-0.2.0.tar.gz
File metadata
- Download URL: more.content_security-0.2.0.tar.gz
- Upload date:
- Size: 7.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | 6a58d8213bb52acfae6399aa7ffd5f6a32e72aa76dcdbdf6394d37dce4c2f98b
MD5 | 739783e00247957201ad601c459bf083
BLAKE2b-256 | 5768dcaec1cc884a3defb15b793ab70ea0c7cb195d0a0c994b47fde2c2be54ae
File details
Details for the file more.content_security-0.2.0-py3-none-any.whl
File metadata
- Download URL: more.content_security-0.2.0-py3-none-any.whl
- Upload date:
- Size: 11.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | f3c7d4a732e2e655d5e641e519713014b675a5e0bbe81f7a91e012db6b60cde3
MD5 | 087f4a6b81029d1289c6317e09c057a5
BLAKE2b-256 | 2bf206a5a4f91787609186e991e22cfb14e05eed560cafe451772986c6bcd3c2