Content Security Policy for Morepath
Project description
Usage
To protect all views with a default content security policy:
    from morepath import App
    from more.content_security import ContentSecurityApp
    from more.content_security import ContentSecurityPolicy
    from more.content_security import SELF

    class MyApp(App, ContentSecurityApp):
        pass

    @MyApp.setting('content_security_policy', 'default')
    def default_policy():
        return ContentSecurityPolicy(
            default_src={SELF},
            script_src={SELF, 'https://analytics.example.org'}
        )
To extend the default policy for the default view of a model:
    @MyApp.view(model=Document)
    def view_document(self, request):
        # the actual default policy is not modified here!
        request.content_security_policy.script_src.add('https://cdnjs.com')
        ...
We can also use a completely different policy:
    @MyApp.view(model=Document)
    def view_document(self, request):
        request.content_security_policy = ContentSecurityPolicy()
Additionally, we can use nonces in inline scripts/stylesheets. Those will automatically be added to the 'script-src' / 'style-src' directives:
    @MyApp.html(model=Document)
    def view_document(self, request):
        return """
        <html>
            ...
            <script nonce="{}">...</script>
        </html>
        """.format(request.content_security_policy_nonce('script'))
Note that we use a custom request class for nonces. If you have your own, you need to extend it as follows:
    from morepath.request import Request
    from more.content_security import ContentSecurityRequest

    class CustomRequest(Request, ContentSecurityRequest):
        pass

    class MyApp(App, ContentSecurityApp):
        request_class = CustomRequest
To only use the 'Content-Security-Policy-Report-Only' header (the policy is reported on but not enforced), use this:
    @MyApp.setting('content_security_policy', 'default')
    def default_policy():
        return ContentSecurityPolicy(
            report_only=True,
            default_src={SELF}
        )
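The snippets above show the library's API but not what ends up on the wire. The following self-contained example (added here; it is not part of more.content_security and does not import it) mirrors the same concepts with a small policy class: a SELF keyword, per-directive source sets, per-request copies that leave the default untouched, nonces that are appended to the matching directive, and the choice between the enforcing and the report-only header name. The class name `Policy` and its methods are assumed for illustration only; the real library's serialization may differ in detail.

```python
import copy
import secrets

# Assumed rendering of the library's SELF constant: the quoted CSP keyword.
SELF = "'self'"

# Directive name -> (attribute holding its sources, nonce kind it accepts or None)
_DIRECTIVES = (
    ("default-src", "default_src", None),
    ("script-src", "script_src", "script"),
    ("style-src", "style_src", "style"),
)


class Policy:
    """Minimal illustrative CSP policy object (not the library's class)."""

    def __init__(self, default_src=(), script_src=(), style_src=(), report_only=False):
        self.default_src = set(default_src)
        self.script_src = set(script_src)
        self.style_src = set(style_src)
        self.report_only = report_only
        # Nonces issued for this response, keyed by directive kind.
        self._nonces = {"script": [], "style": []}

    def copy(self):
        """Per-request copy: mutating it must not change the app default."""
        return copy.deepcopy(self)

    def nonce(self, kind, token=None):
        """Issue a nonce for 'script' or 'style'; it is added to that directive.

        `token` is only for deterministic tests; real responses must use a fresh
        unpredictable value, so the default draws from `secrets`.
        """
        if kind not in self._nonces:
            raise ValueError("nonce kind must be 'script' or 'style'")
        token = token or secrets.token_urlsafe(16)
        self._nonces[kind].append(token)
        return token

    def header_name(self):
        if self.report_only:
            return "Content-Security-Policy-Report-Only"
        return "Content-Security-Policy"

    def header_value(self):
        """Serialize to the directive list sent in the header."""
        parts = []
        for directive, attr, kind in _DIRECTIVES:
            sources = set(getattr(self, attr))
            if kind is not None:
                sources |= {"'nonce-%s'" % n for n in self._nonces[kind]}
            if sources:
                # Sorted for a stable, comparable output.
                parts.append("%s %s" % (directive, " ".join(sorted(sources))))
        return "; ".join(parts)


def render_document(policy, body):
    """Emulate the html view above: issue a script nonce and embed it."""
    nonce = policy.nonce("script")
    html = '<html><script nonce="%s">%s</script></html>' % (nonce, body)
    return policy.header_name(), policy.header_value(), html


if __name__ == "__main__":
    default = Policy(default_src={SELF}, script_src={SELF, "https://analytics.example.org"})
    per_request = default.copy()
    per_request.script_src.add("https://cdnjs.com")  # default stays unchanged
    print(render_document(per_request, "console.log('hi')"))
    print(Policy(report_only=True, default_src={SELF}).header_name())
```

The deterministic `token=` argument exists so a test can pin the header value; in a running application every response should get a fresh nonce, which is why the default path uses `secrets.token_urlsafe`.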
Run the Tests
Install tox and run it:
    pip install tox
    tox
Limit the tests to a specific python version:
    tox -e py27
Conventions
more.content_security follows PEP8 as closely as possible. To test for it, run:
    tox -e pep8
more.content_security uses Semantic Versioning.
License
more.content_security is released under the revised BSD license.
Changelog
0.1.0 (2018-02-01)
Initial Release.
Hashes for more.content_security-0.1.0.tar.gz (source distribution)
Algorithm | Hash digest
---|---
SHA256 | a0252340accfc962059ce976d356c4bdd8366cbc7e185c5f93549cb034f5b0fb
MD5 | 4e7b0ee2fa66b6f239fa16d3ceb5094b
BLAKE2b-256 | b01f722e9bb4c2997492a67ffd00273ffb1b37b461b53470d99a020119491df6
Hashes for more.content_security-0.1.0-py3-none-any.whl (built distribution)
Algorithm | Hash digest
---|---
SHA256 | 76378e408b5e12e643b231a34f76d47f193f9bec11e0d8afbbf9c9df9e7f445a
MD5 | 368d21601e2fc9340bdd8fd17c5d43da
BLAKE2b-256 | 17bbeb2ad12b9073ad0bfc4b2cb646838b153f75cf7357283e789baaa42caad3