Skip to main content
Help improve PyPI by participating in a 5-minute user interface survey!

Content Security Policy for Morepath

Project Description

Usage

To protect all views with a default content security policy:

from morepath import App
from more.content_security import ContentSecurityApp
from more.content_security import ContentSecurityPolicy
from more.content_security import SELF

class MyApp(App, ContentSecurityApp):
    pass

@MyApp.setting('content_security_policy', 'default')
def default_policy():
    return ContentSecurityPolicy(
        default_src={SELF},
        script_src={SELF, 'https://analytics.example.org'}
    )

To extend the default policy for the default view of a model:

@MyApp.view(model=Document)
def view_document(self, request):

    # the actual default policy is not modified here!
    request.content_security_policy.script_src.add('https://cdnjs.com')

    ....

We can also use a completely different policy:

@MyApp.view(model=Document)
def view_document(self, request):
    request.content_security_policy = ContentSecurityPolicy()

Additionally, we can use nonces in inline scripty/stylesheets. Those will automatically be added to the ‘script-src’, ‘style-src’ directives:

@MyApp.html(model=Document)
def view_document(self, request):
    return """
        <html>
            ...

            <script nonce="{}">...</script>
        </html>
    """.format(request.content_security_policy_nonce('script'))

Note that we use a custom request class for nonces. If you have your own, you need to extend it as follows:

from morepath.request import Request
from more.content_security import ContentSecurityRequest

class CustomRequest(Request, ContentSecurityRequest):
    pass

class MyApp(App, ContentSecurityApp):
    request_class = CustomRequest

To only use the ‘Content-Security-Policy-Report-Only’ header, use this:

@MyApp.setting('content_security_policy', 'default')
def default_policy():
    return ContentSecurityPolicy(
        report_only=True,
        default_src={SELF}
    )

Run the Tests

Install tox and run it:

pip install tox
tox

Limit the tests to a specific python version:

tox -e py27

Conventions

more.content_security follows PEP8 as close as possible. To test for it run:

tox -e pep8

more.content_security uses Semantic Versioning

Build Status

Build Status

Coverage

Project Coverage

Latest PyPI Release

Latest PyPI Release

License

more.content_security is released unter the revised BSD license

Changelog

0.2.0 (2018-02-02)

  • Adds the ability to override the policy apply function. [href]
  • Adds missing UNSAFE_EVAL constant. [href]

0.1.0 (2018-02-01)

  • Initial Release. [href]

Release history Release notifications

This version
History Node

0.2.0

History Node

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
more.content_security-0.2.0-py3-none-any.whl (11.2 kB) Copy SHA256 hash SHA256 Wheel py3 Feb 2, 2018
more.content_security-0.2.0.tar.gz (7.0 kB) Copy SHA256 hash SHA256 Source None Feb 2, 2018

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging CloudAMQP CloudAMQP RabbitMQ AWS AWS Cloud computing Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page