def test_csp_header(self):
    """``parse_csp_header`` splits a policy into directives, values kept verbatim.

    The parser only structures the header, it does not judge its strength:
    ``'unsafe-inline'`` and ``*`` are returned exactly as written.  A directive
    that appears without any value (``img-src`` here) is reported as ``None``.
    """
    raw_policy = "default-src 'self'; script-src 'unsafe-inline' *; img-src"
    policy = http.parse_csp_header(raw_policy)

    directive_values = (
        ("default_src", "'self'"),
        ("script_src", "'unsafe-inline' *"),
    )
    for attribute, expected in directive_values:
        assert getattr(policy, attribute) == expected
    # A bare directive name carries no value at all.
    assert policy.img_src is None
def content_security_policy(self) -> ContentSecurityPolicy:
    """The ``Content-Security-Policy`` header as a
    :class:`~werkzeug.datastructures.ContentSecurityPolicy` object.

    An object is returned even when the header is absent.  Mutating that
    object writes the header back through ``on_update``; once the policy
    becomes empty the header is removed rather than emitted empty.

    The header tells a browser which sources of scripts, images and other
    content are allowed, which helps detect and mitigate content-injection
    attacks such as cross-site scripting.
    """
    lookup_key = "content-security-policy"
    emit_key = "Content-Security-Policy"

    def on_update(csp: ContentSecurityPolicy) -> None:
        # An empty policy must not be serialised as an empty header.
        if csp:
            self.headers[emit_key] = csp.to_header()
        else:
            del self.headers[lookup_key]

    policy = parse_csp_header(self.headers.get(lookup_key), on_update)
    if policy is not None:
        return policy
    # Header missing: hand back an empty policy wired to the same callback.
    return ContentSecurityPolicy(None, on_update=on_update)
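def content_security_policy_report_only(self) -> ContentSecurityPolicy:
    """The ``Content-Security-Policy-Report-Only`` header as a
    :class:`~werkzeug.datastructures.ContentSecurityPolicy` object.
    Available even if the header is not set.

    Unlike ``Content-Security-Policy`` this header does not block anything:
    violations are only reported, which is the usual way to trial a policy
    before enforcing it.  Mutating the returned object writes the header
    back through ``on_update``; an empty policy removes the header.
    """

    def on_update(csp: ContentSecurityPolicy) -> None:
        if not csp:
            del self.headers["content-security-policy-report-only"]
        else:
            # Canonical header casing, consistent with
            # ``content_security_policy`` (lookups are case-insensitive,
            # so only the emitted spelling changes).
            self.headers["Content-Security-Policy-Report-Only"] = csp.to_header()

    rv = parse_csp_header(
        self.headers.get("content-security-policy-report-only"), on_update
    )
    if rv is None:
        # Header missing: return an empty policy wired to the same callback.
        rv = ContentSecurityPolicy(None, on_update=on_update)
    return rv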
def content_security_policy_report_only(self) -> ContentSecurityPolicy:
    """The ``Content-Security-Policy-Report-Only`` header as a
    :class:`~werkzeug.datastructures.ContentSecurityPolicy` object.

    Edits to the returned policy are propagated by assigning it back to this
    attribute, so a matching setter is expected to exist on the class.
    NOTE(review): whether a missing header yields ``None`` instead of an
    empty policy depends on ``parse_csp_header``; this property does not
    guard against that case — confirm against the helper's contract.
    """

    def on_update(content_security_policy: ContentSecurityPolicy) -> None:
        # Assigning through the attribute delegates re-serialisation of the
        # header to the setter, which is defined elsewhere.
        self.content_security_policy_report_only = content_security_policy

    raw_value = self.headers.get("Content-Security-Policy-Report-Only")
    return parse_csp_header(raw_value, on_update)