
Content Security Policy for Morepath

Project description

Usage

To protect all views with a default content security policy:

from morepath import App
from more.content_security import ContentSecurityApp
from more.content_security import ContentSecurityPolicy
from more.content_security import SELF

class MyApp(App, ContentSecurityApp):
    pass

@MyApp.setting('content_security_policy', 'default')
def default_policy():
    return ContentSecurityPolicy(
        default_src={SELF},
        script_src={SELF, 'https://analytics.example.org'}
    )

To extend the default policy for the default view of a model:

@MyApp.view(model=Document)
def view_document(self, request):

    # the actual default policy is not modified here!
    request.content_security_policy.script_src.add('https://cdnjs.com')

    ....

We can also use a completely different policy:

@MyApp.view(model=Document)
def view_document(self, request):
    request.content_security_policy = ContentSecurityPolicy()

Additionally, we can use nonces for inline scripts/stylesheets. Those will automatically be added to the ‘script-src’ and ‘style-src’ directives, respectively:

@MyApp.html(model=Document)
def view_document(self, request):
    return """
        <html>
            ...

            <script nonce="{}">...</script>
        </html>
    """.format(request.content_security_policy_nonce('script'))

Note that we use a custom request class for nonces. If you have your own, you need to extend it as follows:

from morepath.request import Request
from more.content_security import ContentSecurityRequest

class CustomRequest(Request, ContentSecurityRequest):
    pass

class MyApp(App, ContentSecurityApp):
    request_class = CustomRequest

To only use the ‘Content-Security-Policy-Report-Only’ header, use this:

@MyApp.setting('content_security_policy', 'default')
def default_policy():
    return ContentSecurityPolicy(
        report_only=True,
        default_src={SELF}
    )
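The three behaviours described above (a per-request copy that leaves the app default untouched, a nonce that is allowed in the matching directive, and report_only switching the header name) can be modelled without the library. The following is an added, self-contained sketch of that behaviour, not the code of more.content_security; the Policy class, per_request_policy and add_nonce are hypothetical names used here only for illustration.

```python
import copy
import secrets

# Stand-in for the library's SELF keyword constant (a CSP keyword source).
SELF = "'self'"


class Policy:
    """Minimal CSP model: directive name -> set of allowed sources."""

    def __init__(self, report_only=False, **directives):
        self.report_only = report_only
        # script_src -> 'script-src'; sets are copied so the caller's
        # objects are never shared with the policy.
        self.directives = {
            name.replace('_', '-'): set(sources)
            for name, sources in directives.items()
        }

    def copy(self):
        return copy.deepcopy(self)

    @property
    def header_name(self):
        # report_only only changes which header is sent, not its content
        if self.report_only:
            return 'Content-Security-Policy-Report-Only'
        return 'Content-Security-Policy'

    def header_value(self):
        # sorted for deterministic output; empty directives are omitted
        return '; '.join(
            '{} {}'.format(name, ' '.join(sorted(sources)))
            for name, sources in sorted(self.directives.items())
            if sources
        )


def per_request_policy(default):
    """Each request works on its own copy, so view code can add sources
    without modifying the application-wide default."""
    return default.copy()


def add_nonce(policy, directive):
    """Mint a random nonce and allow it in '<directive>-src'
    (directive is 'script' or 'style'); returns the nonce for the template."""
    nonce = secrets.token_urlsafe(16)
    policy.directives.setdefault(directive + '-src', set()).add(
        "'nonce-{}'".format(nonce))
    return nonce
```

A view that adds 'https://cdnjs.com' to the request copy and a later request starting again from the default will therefore see different script-src values, which is the isolation the README relies on.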

Run the Tests

Install tox and run it:

pip install tox
tox

Limit the tests to a specific python version:

tox -e py27

Conventions

more.content_security follows PEP8 as closely as possible. To test for it, run:

tox -e pep8

more.content_security uses Semantic Versioning.


License

more.content_security is released under the revised BSD license.

Changelog

0.2.0 (2018-02-02)

  • Adds the ability to override the policy apply function.

  • Adds missing UNSAFE_EVAL constant.

0.1.0 (2018-02-01)

  • Initial Release.

Source Distribution

more.content_security-0.2.0.tar.gz (7.0 kB)

Built Distribution

more.content_security-0.2.0-py3-none-any.whl (11.2 kB, Python 3)
