def policy(request):
    """
    Serve the CSP policy as a standalone document.

    Lets a client fetch the policy via a ``policy-uri`` reference instead of
    receiving the whole policy inline in the response header. The body is
    whatever build_policy() produces; ``request`` is not consulted.

    NOTE(review): the ``text/x-content-security-policy`` media type and the
    ``policy-uri`` mechanism belong to the pre-standard
    ``X-Content-Security-Policy`` era; ``policy-uri`` was dropped from
    CSP 1.0, so current browsers do not honor it.
    """
    body = build_policy()
    return HttpResponse(body, mimetype='text/x-content-security-policy')
    def process_response(self, request, response):
        """
        Attach the CSP header to ``response`` and return it.

        The header name depends on ``settings.CSP_REPORT_ONLY``: when it is
        truthy the ``-Report-Only`` variant is sent, so nothing is enforced
        in that mode. A header of that name already present on the response
        wins and the response is returned untouched, which lets a view set a
        policy of its own. The value is either ``policy-uri`` pointing at
        ``settings.CSP_POLICY_URI`` (when that setting is truthy) or the
        inline policy from build_policy().

        NOTE(review): ``X-Content-Security-Policy`` is the pre-standard
        header name; current browsers enforce ``Content-Security-Policy``,
        and the ``policy-uri`` directive was dropped from CSP 1.0.
        """
        report_only = getattr(settings, 'CSP_REPORT_ONLY', False)
        header = ('X-Content-Security-Policy-Report-Only'
                  if report_only else 'X-Content-Security-Policy')

        # Respect a policy the view (or another middleware) already set.
        if header in response:
            return response

        policy_uri = getattr(settings, 'CSP_POLICY_URI', False)
        if policy_uri:
            response[header] = 'policy-uri ' + settings.CSP_POLICY_URI
        else:
            response[header] = build_policy()
        return response
    def process_response(self, request, response):
        """
        Attach the CSP header to ``response`` unless it is exempt.

        Exemptions are checked first: a truthy ``response._csp_exempt``
        attribute, or a ``request.path_info`` that starts with any entry of
        ``settings.CSP_EXCLUDE_URL_PREFIXES``. Exempt responses are returned
        untouched and carry no CSP header at all.

        Otherwise the header is ``X-Content-Security-Policy``, or its
        ``-Report-Only`` variant when ``settings.CSP_REPORT_ONLY`` is truthy
        (nothing is enforced in that mode). A header of that name already
        present on the response wins. The value is ``policy-uri`` pointing
        at ``settings.CSP_POLICY_URI`` when that setting is truthy, else the
        inline policy from build_policy().

        NOTE(review): the exclusion test is a plain string prefix match, so
        a prefix of ``'/admin'`` also exempts ``'/administrator'``; list
        prefixes with a trailing slash unless the wider match is intended.
        ``X-Content-Security-Policy`` is the pre-standard header name and
        ``policy-uri`` was dropped from CSP 1.0; current browsers enforce
        ``Content-Security-Policy`` only.
        """
        if getattr(response, '_csp_exempt', False):
            return response

        # Paths under an excluded prefix get no CSP header at all.
        excluded = getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', [])
        if any(request.path_info.startswith(prefix) for prefix in excluded):
            return response

        report_only = getattr(settings, 'CSP_REPORT_ONLY', False)
        header = ('X-Content-Security-Policy-Report-Only'
                  if report_only else 'X-Content-Security-Policy')

        # Respect a policy the view (or another middleware) already set.
        if header in response:
            return response

        policy_uri = getattr(settings, 'CSP_POLICY_URI', False)
        if policy_uri:
            response[header] = 'policy-uri ' + settings.CSP_POLICY_URI
        else:
            response[header] = build_policy()
        return response