Content Security Policy for Morepath

To protect all views with a default content security policy:

from morepath import App
from more.content_security import ContentSecurityApp
from more.content_security import ContentSecurityPolicy
from more.content_security import SELF

class MyApp(App, ContentSecurityApp):
    pass

# default policy applied to every view unless a view changes its request-local copy
@MyApp.setting('content_security_policy', 'default')
def default_policy():
    return ContentSecurityPolicy(
        script_src={SELF, ''}
    )

To extend the default policy for the default view of a model:

def view_document(self, request):

    # the actual default policy is not modified here!
    request.content_security_policy.script_src.add('https://cdn.example.org')  # placeholder source


We can also use a completely different policy:

def view_document(self, request):
    request.content_security_policy = ContentSecurityPolicy()

Additionally, we can use nonces in inline scripts/stylesheets. Those will automatically be added to the ‘script-src’ and ‘style-src’ directives:

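def view_document(self, request):
    # the nonce returned here is also added to this request's script-src
    return """
        <html>
            <script nonce="{}">...</script>
        </html>
    """.format(request.content_security_policy_nonce('script'))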

Note that we use a custom request class for nonces. If you have your own, you need to extend it as follows:

from morepath.request import Request
from more.content_security import ContentSecurityRequest

class CustomRequest(Request, ContentSecurityRequest):
    pass

class MyApp(App, ContentSecurityApp):
    request_class = CustomRequest

To only use the ‘Content-Security-Policy-Report-Only’ header, use this:

@MyApp.setting('content_security_policy', 'default')
def default_policy():
    return ContentSecurityPolicy(
        report_only=True
    )
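
The following added example is not more.content_security's own code: using only the standard library, it models the three behaviours described above (a request-local copy of the default policy, a nonce that is added to script-src, and the Report-Only header name). `Policy`, `add_nonce`, `handle_request` and `DEFAULT` are hypothetical names, and the sample policy is constructed.

```python
import copy
import secrets

SELF = "'self'"  # CSP keyword sources are written with their quotes


class Policy:
    """Hypothetical stand-in for a policy object: directive -> set of sources."""

    def __init__(self, report_only=False, **directives):
        self.report_only = report_only
        self.directives = {k.replace("_", "-"): set(v) for k, v in directives.items()}

    def copy(self):
        # deep copy, so per-request changes never reach the shared default
        return copy.deepcopy(self)

    def add_nonce(self, target):
        """Create a fresh nonce and allow it in '<target>-src'."""
        if target not in ("script", "style"):
            raise ValueError("nonces apply to script-src and style-src only")
        nonce = secrets.token_urlsafe(16)  # unpredictable, new for every response
        self.directives.setdefault(target + "-src", set()).add("'nonce-%s'" % nonce)
        return nonce

    def header(self):
        """Return the (name, value) pair to set on the response."""
        name = "Content-Security-Policy"
        if self.report_only:
            name += "-Report-Only"  # violations are reported, not blocked
        value = "; ".join(
            "%s %s" % (d, " ".join(sorted(s))) for d, s in sorted(self.directives.items())
        )
        return name, value


DEFAULT = Policy(default_src={SELF}, script_src={SELF})  # constructed sample policy


def handle_request():
    """Simulate one view: copy the default, embed a nonce, build the header."""
    policy = DEFAULT.copy()
    nonce = policy.add_nonce("script")
    body = '<script nonce="%s">/* inline code */</script>' % nonce
    return policy.header(), body, nonce
```

Because each request works on its own copy, a nonce issued for one response never appears in the header of another, and the shared default stays free of nonces.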

Run the Tests

Install tox and run it:

pip install tox
tox

Limit the tests to a specific python version:

tox -e py27


more.content_security follows PEP8 as closely as possible. To test for it, run:

tox -e pep8

more.content_security uses Semantic Versioning

more.content_security is released under the revised BSD license.


0.2.0 (2018-02-02)

  • Adds the ability to override the policy apply function. [href]
  • Adds missing UNSAFE_EVAL constant. [href]

0.1.0 (2018-02-01)

  • Initial Release. [href]

Download files

Filename                                      Size     File type  Python version  Upload date
more.content_security-0.2.0-py3-none-any.whl  11.2 kB  Wheel      py3             Feb 2, 2018
more.content_security-0.2.0.tar.gz            7.0 kB   Source     None            Feb 2, 2018