 def test_csp_header(self):
     """Round-trip a CSP string through ``http.parse_csp_header``.

     Checks that directives are exposed as attributes keyed by name,
     that a directive with several source expressions is kept verbatim
     (``'unsafe-inline' *`` is only parser input here -- it is exactly
     the kind of policy a reviewer would reject in production), and that
     a directive listed without any value parses as ``None``.
     """
     raw = "default-src 'self'; script-src 'unsafe-inline' *; img-src"
     parsed = http.parse_csp_header(raw)
     expected = {
         "default_src": "'self'",
         "script_src": "'unsafe-inline' *",
         "img_src": None,
     }
     for attr, value in expected.items():
         assert getattr(parsed, attr) == value
    def content_security_policy(self) -> ContentSecurityPolicy:
        """Expose the ``Content-Security-Policy`` header as a
        :class:`~werkzeug.datastructures.ContentSecurityPolicy` object.

        An (empty) policy object is returned even when the header is not
        present, so callers can always add directives to it.  Changes are
        written back through the ``on_update`` hook: a non-empty policy is
        re-serialised with ``to_header()``, an empty one removes the header
        entirely -- note that clearing every directive therefore silently
        disables CSP for the response rather than sending an empty policy.

        CSP is a defence-in-depth control that limits what the browser may
        load or execute; it complements, but does not replace, proper
        output encoding against XSS.
        """
        header_key = "content-security-policy"

        def on_update(policy: ContentSecurityPolicy) -> None:
            # Write-back hook invoked by the datastructure on mutation.
            if policy:
                self.headers["Content-Security-Policy"] = policy.to_header()
            else:
                del self.headers[header_key]

        parsed = parse_csp_header(self.headers.get(header_key), on_update)
        if parsed is not None:
            return parsed
        # Header absent: hand out an empty policy wired to the same hook.
        return ContentSecurityPolicy(None, on_update=on_update)
    def content_security_policy_report_only(self) -> ContentSecurityPolicy:
        """Expose the ``Content-Security-Policy-Report-Only`` header as a
        :class:`~werkzeug.datastructures.ContentSecurityPolicy` object.

        A report-only policy is not enforced by the browser; violations
        are only reported, which makes it the safe way to trial a policy
        before switching it to the enforced header.  An (empty) object is
        returned even when the header is absent.  Mutations are written
        back via ``on_update``: a non-empty policy is re-serialised, an
        empty one deletes the header.
        """
        header_key = "content-security-policy-report-only"

        def on_update(policy: ContentSecurityPolicy) -> None:
            # Write-back hook invoked by the datastructure on mutation.
            # The key below keeps the original's lower-case "policy"
            # (unlike the enforced-policy sibling); HTTP field names are
            # case-insensitive, so this is cosmetic only.
            if policy:
                self.headers[
                    "Content-Security-policy-report-only"] = policy.to_header()
            else:
                del self.headers[header_key]

        parsed = parse_csp_header(self.headers.get(header_key), on_update)
        if parsed is not None:
            return parsed
        # Header absent: hand out an empty policy wired to the same hook.
        return ContentSecurityPolicy(None, on_update=on_update)
    def content_security_policy_report_only(self) -> ContentSecurityPolicy:
        """Parse the ``Content-Security-Policy-Report-Only`` header.

        A report-only policy is not enforced by the browser; violations
        are only reported.  Mutating the returned object fires
        ``on_update``, which re-assigns this property as a whole
        (presumably through a setter defined elsewhere in the class --
        not visible here).

        The raw header value, ``None`` when the header is absent, is
        passed straight to ``parse_csp_header``; no fallback object is
        created here, so callers should be prepared for ``None`` in
        that case despite the annotation.
        """
        raw_value = self.headers.get("Content-Security-Policy-Report-Only")

        def on_update(policy: ContentSecurityPolicy) -> None:
            # Write-back: hand the mutated policy to the property setter.
            self.content_security_policy_report_only = policy

        return parse_csp_header(raw_value, on_update)