def test_replace_string(self):
    """A plain-string replacement value must be emitted verbatim.

    Regression check for GitHub issue #40: the replace path is exercised
    with a str (not a tuple) and the resulting directive is compared whole.
    """
    expected = "default-src 'self'; img-src example2.com"
    built = build_policy(replace={'img-src': 'example2.com'})
    policy_eq(expected, built)
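def process_response(self, request, response):
    """Attach the Content-Security-Policy header to *response* unless exempt.

    The header is not added when the view opted out (``_csp_exempt``), when the
    request path starts with one of ``CSP_EXCLUDE_URL_PREFIXES`` (default:
    ``/admin``), when a 500 response is served with ``DEBUG`` on, or when the
    response already carries the header (an existing header is never
    overwritten, so a view-level header wins).

    Per-view overrides (``_csp_config``, ``_csp_update``, ``_csp_replace``) are
    read from the response and passed through to ``build_policy``.
    """
    if getattr(response, '_csp_exempt', False):
        return response

    # Check for ignored path prefix.  ``str.startswith`` only accepts a str or
    # a tuple, so a list-valued setting is normalised instead of raising.
    prefixes = getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', ('/admin', ))
    if isinstance(prefixes, list):
        prefixes = tuple(prefixes)
    if request.path_info.startswith(prefixes):
        return response

    # Check for debug view.  NOTE(review): presumably so the framework's
    # technical 500 page is not broken by the policy — confirm intent.
    status_code = response.status_code
    if status_code == http_client.INTERNAL_SERVER_ERROR and settings.DEBUG:
        return response

    # Report-Only only reports violations; it does not block anything.
    header = 'Content-Security-Policy'
    if getattr(settings, 'CSP_REPORT_ONLY', False):
        header += '-Report-Only'

    if header in response:
        # Don't overwrite existing headers.
        return response

    config = getattr(response, '_csp_config', None)
    update = getattr(response, '_csp_update', None)
    replace = getattr(response, '_csp_replace', None)
    response[header] = build_policy(config=config, update=update,
                                    replace=replace)
    return response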
def test_replace_string():
    """A plain-string replacement value must be emitted verbatim.

    Regression check for GitHub issue #40: the replace path is exercised
    with a str (not a tuple) and the resulting directive is compared whole.
    """
    expected = "default-src 'self'; img-src example2.com"
    built = build_policy(replace={'img-src': 'example2.com'})
    policy_eq(expected, built)
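def process_response(self, request, response):
    """Attach the Content-Security-Policy header to *response* unless exempt.

    The header is not added when the view opted out (``_csp_exempt``), when the
    request path starts with one of ``CSP_EXCLUDE_URL_PREFIXES`` (default:
    ``/admin``), when a 500 response is served with ``DEBUG`` on, or when the
    response already carries the header (an existing header is never
    overwritten, so a view-level header wins).

    Per-view overrides (``_csp_config``, ``_csp_update``, ``_csp_replace``) are
    read from the response and passed through to ``build_policy``.
    """
    if getattr(response, '_csp_exempt', False):
        return response

    # Check for ignored path prefix.  ``str.startswith`` only accepts a str or
    # a tuple, so a list-valued setting is normalised instead of raising.
    prefixes = getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', ('/admin',))
    if isinstance(prefixes, list):
        prefixes = tuple(prefixes)
    if request.path_info.startswith(prefixes):
        return response

    # Check for debug view.  NOTE(review): presumably so the framework's
    # technical 500 page is not broken by the policy — confirm intent.
    status_code = response.status_code
    if status_code == http_client.INTERNAL_SERVER_ERROR and settings.DEBUG:
        return response

    # Report-Only only reports violations; it does not block anything.
    header = 'Content-Security-Policy'
    if getattr(settings, 'CSP_REPORT_ONLY', False):
        header += '-Report-Only'

    if header in response:
        # Don't overwrite existing headers.
        return response

    config = getattr(response, '_csp_config', None)
    update = getattr(response, '_csp_update', None)
    replace = getattr(response, '_csp_replace', None)
    response[header] = build_policy(config=config, update=update,
                                    replace=replace)
    return response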
def build_policy(self, request, response):
    """Build the policy string for one request/response pair.

    Per-view overrides (``_csp_config``, ``_csp_update``, ``_csp_replace``;
    presumably set by view decorators — not visible here) are read from the
    response, and the per-request nonce, if any, from the request.  All four
    are forwarded to the module-level ``build_policy``.
    """
    overrides = {
        name: getattr(response, '_csp_' + name, None)
        for name in ('config', 'update', 'replace')
    }
    nonce = getattr(request, '_csp_nonce', None)
    return build_policy(nonce=nonce, **overrides)
def test_update_string():
    """GitHub issue #40: a str update must be appended to a tuple-valued setting.

    The configured ``img-src`` source and the updated one are expected to be
    concatenated with a space, not character-joined.
    """
    expected = "default-src 'self'; img-src example.com example2.com"
    built = build_policy(update={'img-src': 'example2.com'})
    policy_eq(expected, built)
def test_update_string(self):
    """GitHub issue #40: a str update must be appended to a tuple-valued setting.

    The configured ``img-src`` source and the updated one are expected to be
    concatenated with a space, not character-joined.
    """
    expected = "default-src 'self'; img-src example.com example2.com"
    built = build_policy(update={'img-src': 'example2.com'})
    policy_eq(expected, built)
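def policy(request):
    """Serve the built policy as a response body (a ``policy-uri`` target).

    This is the alternative to carrying the whole policy in the response
    header.  ``content_type`` is used instead of the long-removed ``mimetype``
    keyword; the media type itself is unchanged.

    Returns:
        HttpResponse whose body is the policy string.
    """
    body = build_policy()
    return HttpResponse(body, content_type='text/x-content-security-policy')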
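def build_policy(self, request, response):
    """Build the policy string, sampling whether ``report-uri`` is included.

    Per-view overrides (``_csp_config``, ``_csp_update``, ``_csp_replace``) are
    read from the response and the nonce from the request.  The ``report-uri``
    directive is kept only for a ``CSP_REPORT_PERCENTAGE`` share of responses;
    otherwise it is suppressed by replacing it with ``None``.  Sampling only
    affects reporting, never what the policy enforces, so non-cryptographic
    ``random`` is adequate here.

    Raises:
        AttributeError: if ``CSP_REPORT_PERCENTAGE`` is not configured.
    """
    config = getattr(response, '_csp_config', None)
    update = getattr(response, '_csp_update', None)
    nonce = getattr(request, '_csp_nonce', None)

    # Work on a copy: the mapping hanging off the response is caller-owned and
    # must not be mutated in place when ``report-uri`` is suppressed.
    attached = getattr(response, '_csp_replace', None)
    replace = {} if attached is None else dict(attached)

    # random.random() is in [0, 1), so the setting is compared as a fraction
    # rather than a 0-100 percentage — NOTE(review): confirm against the docs.
    report_percentage = getattr(settings, 'CSP_REPORT_PERCENTAGE')
    include_report_uri = random.random() < report_percentage
    if not include_report_uri:
        replace['report-uri'] = None

    return build_policy(config=config, update=update, replace=replace,
                        nonce=nonce)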
def process_response(self, request, response):
    """Attach the legacy ``X-Content-Security-Policy`` header unless exempt.

    Skipped when the view opted out (``_csp_exempt``), when the path starts
    with any ``CSP_EXCLUDE_URL_PREFIXES`` entry, or when the header is already
    present (an existing header is never overwritten).  With
    ``CSP_REPORT_ONLY`` the report-only variant is sent, which reports
    violations without blocking anything.
    """
    if getattr(response, '_csp_exempt', False):
        return response

    # Check for ignored path prefix.
    excluded = getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', [])
    path = request.path_info
    if any(path.startswith(prefix) for prefix in excluded):
        return response

    report_only = getattr(settings, 'CSP_REPORT_ONLY', False)
    header = ('X-Content-Security-Policy-Report-Only' if report_only
              else 'X-Content-Security-Policy')
    if header in response:
        # Don't overwrite existing headers.
        return response

    response[header] = build_policy()
    return response
def process_response(self, request, response):
    """Attach a prefixed CSP header chosen from the client's User-Agent.

    WebKit clients get ``X-WebKit-CSP``, everyone else
    ``X-Content-Security-Policy``; ``CSP_REPORT_ONLY`` appends
    ``-Report-Only``.  Because the header name depends on the User-Agent,
    ``Vary: User-Agent`` is added before the early return so that shared
    caches never serve one client's variant to another.  Exempt views,
    excluded path prefixes (default ``/admin``) and responses that already
    carry the header are left untouched.
    """
    if getattr(response, '_csp_exempt', False):
        return response

    # Check for ignored path prefix.
    excluded = getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', ('/admin',))
    if request.path_info.startswith(excluded):
        return response

    user_agent = request.META.get('HTTP_USER_AGENT', '')
    if 'webkit' in user_agent.lower():
        header = 'X-WebKit-CSP'
    else:
        header = 'X-Content-Security-Policy'
    if getattr(settings, 'CSP_REPORT_ONLY', False):
        header += '-Report-Only'

    patch_vary_headers(response, ['User-Agent'])

    if header in response:
        # Don't overwrite existing headers.
        return response

    response[header] = build_policy()
    return response
def test_script_src_elem():
    """The configured ``script-src-elem`` directive follows the default policy."""
    expected = "default-src 'self'; script-src-elem example.com"
    policy_eq(expected, build_policy())
def test_update_img():
    """An ``img-src`` update is appended after the configured source."""
    expected = "default-src 'self'; img-src example.com example2.com"
    built = build_policy(update={'img-src': 'example2.com'})
    policy_eq(expected, built)
def test_nonce():
    """A supplied nonce is emitted as a ``'nonce-…'`` source on ``default-src``."""
    expected = "default-src 'self' 'nonce-abc123'"
    policy_eq(expected, build_policy(nonce='abc123'))
def test_nonce_include_in_absent():
    """Without ``CSP_INCLUDE_NONCE_IN`` the nonce lands on ``default-src``."""
    delattr(settings, 'CSP_INCLUDE_NONCE_IN')
    expected = "default-src 'self' 'nonce-abc123'"
    policy_eq(expected, build_policy(nonce='abc123'))
def test_connect_src():
    """The configured ``connect-src`` directive follows the default policy."""
    expected = "default-src 'self'; connect-src example.com"
    policy_eq(expected, build_policy())
def test_upgrade_insecure_requests():
    """``upgrade-insecure-requests`` is emitted as a bare, value-less directive."""
    expected = "default-src 'self'; upgrade-insecure-requests"
    policy_eq(expected, build_policy())
def test_sandbox(self):
    """A configured ``sandbox`` flag is emitted after the default policy."""
    expected = "default-src 'self'; sandbox allow-scripts"
    policy_eq(expected, build_policy())
def test_style_src():
    """The configured ``style-src`` directive follows the default policy."""
    expected = "default-src 'self'; style-src example.com"
    policy_eq(expected, build_policy())
def test_font_src(self):
    """The configured ``font-src`` directive follows the default policy."""
    expected = "default-src 'self'; font-src example.com"
    policy_eq(expected, build_policy())
def test_connect_src(self):
    """The configured ``connect-src`` directive follows the default policy."""
    expected = "default-src 'self'; connect-src example.com"
    policy_eq(expected, build_policy())
def test_media_src(self):
    """The configured ``media-src`` directive follows the default policy."""
    expected = "default-src 'self'; media-src example.com"
    policy_eq(expected, build_policy())
def test_img_src(self):
    """The configured ``img-src`` directive follows the default policy."""
    expected = "default-src 'self'; img-src example.com"
    policy_eq(expected, build_policy())
def test_style_src(self):
    """The configured ``style-src`` directive follows the default policy."""
    expected = "default-src 'self'; style-src example.com"
    policy_eq(expected, build_policy())
def test_replace_missing_setting():
    """Replacing a directive that has no setting still emits the new value."""
    expected = "default-src 'self'; img-src example.com"
    built = build_policy(replace={'img-src': 'example.com'})
    policy_eq(expected, built)
def test_sandbox_empty(self):
    """An empty ``sandbox`` setting still emits the directive (with a trailing space)."""
    expected = "default-src 'self'; sandbox "
    policy_eq(expected, build_policy())
def test_default_src(self):
    """Multiple configured ``default-src`` sources are space-joined in order."""
    expected = 'default-src example.com example2.com'
    eq_(expected, build_policy())
def test_report_uri(self):
    """The configured ``report-uri`` is emitted after the default policy."""
    expected = "default-src 'self'; report-uri /foo"
    policy_eq(expected, build_policy())
def test_media_src():
    """The configured ``media-src`` directive follows the default policy."""
    expected = "default-src 'self'; media-src example.com"
    policy_eq(expected, build_policy())
def test_update_img(self):
    """An ``img-src`` update is appended after the configured source."""
    expected = "default-src 'self'; img-src example.com example2.com"
    built = build_policy(update={'img-src': 'example2.com'})
    policy_eq(expected, built)
def test_config(self):
    """An explicit ``config`` mapping replaces the settings-derived policy."""
    overrides = {'default-src': ["'none'"], 'img-src': ["'self'"]}
    expected = "default-src 'none'; img-src 'self'"
    policy_eq(expected, build_policy(config=overrides))
def test_replace_img(self):
    """An ``img-src`` replacement discards the configured source entirely."""
    expected = "default-src 'self'; img-src example2.com"
    built = build_policy(replace={'img-src': 'example2.com'})
    policy_eq(expected, built)
def test_block_all_mixed_content():
    """``block-all-mixed-content`` is emitted as a bare, value-less directive."""
    expected = "default-src 'self'; block-all-mixed-content"
    policy_eq(expected, build_policy())
def test_replace_missing_setting(self):
    """Replacing a directive that has no setting still emits the new value."""
    expected = "default-src 'self'; img-src example.com"
    built = build_policy(replace={'img-src': 'example.com'})
    policy_eq(expected, built)
def test_nonce_include_in():
    """With ``CSP_INCLUDE_NONCE_IN`` set, the nonce goes on the listed directives.

    Here it is expected on ``script-src`` and ``style-src`` but not on
    ``default-src``.
    """
    expected = ("default-src 'self'; script-src 'nonce-abc123'; "
                "style-src 'nonce-abc123'")
    policy_eq(expected, build_policy(nonce='abc123'))
def test_frame_src():
    """The configured ``frame-src`` directive follows the default policy."""
    expected = "default-src 'self'; frame-src example.com"
    policy_eq(expected, build_policy())
def test_script_src_attr():
    """The configured ``script-src-attr`` directive follows the default policy."""
    expected = "default-src 'self'; script-src-attr example.com"
    policy_eq(expected, build_policy())
def test_empty_policy():
    """With nothing else configured the policy is exactly ``default-src 'self'``."""
    built = build_policy()
    assert built == "default-src 'self'"
def test_prefetch_src():
    """The configured ``prefetch-src`` directive follows the default policy."""
    expected = "default-src 'self'; prefetch-src example.com"
    policy_eq(expected, build_policy())
def test_form_action():
    """The configured ``form-action`` directive follows the default policy."""
    expected = "default-src 'self'; form-action example.com"
    policy_eq(expected, build_policy())
def test_replace_img():
    """An ``img-src`` replacement discards the configured source entirely."""
    expected = "default-src 'self'; img-src example2.com"
    built = build_policy(replace={'img-src': 'example2.com'})
    policy_eq(expected, built)
def test_frame_ancestors():
    """The configured ``frame-ancestors`` directive follows the default policy."""
    expected = "default-src 'self'; frame-ancestors example.com"
    policy_eq(expected, build_policy())
def test_config():
    """An explicit ``config`` mapping replaces the settings-derived policy."""
    overrides = {'default-src': ["'none'"], 'img-src': ["'self'"]}
    expected = "default-src 'none'; img-src 'self'"
    policy_eq(expected, build_policy(config=overrides))
def test_empty_policy(self):
    """With nothing else configured the policy is exactly ``default-src 'self'``."""
    expected = "default-src 'self'"
    eq_(expected, build_policy())
def test_child_src():
    """The configured ``child-src`` directive follows the default policy."""
    expected = "default-src 'self'; child-src example.com"
    policy_eq(expected, build_policy())
def test_object_src():
    """The configured ``object-src`` directive follows the default policy."""
    expected = "default-src 'self'; object-src example.com"
    policy_eq(expected, build_policy())
def test_base_uri():
    """The configured ``base-uri`` directive follows the default policy."""
    expected = "default-src 'self'; base-uri example.com"
    policy_eq(expected, build_policy())
def test_sandbox_empty():
    """An empty ``sandbox`` setting still emits the directive (with a trailing space)."""
    expected = "default-src 'self'; sandbox "
    policy_eq(expected, build_policy())
def test_default_src():
    """Multiple configured ``default-src`` sources are space-joined in order."""
    built = build_policy()
    assert built == 'default-src example.com example2.com'
def test_img_src():
    """The configured ``img-src`` directive follows the default policy."""
    expected = "default-src 'self'; img-src example.com"
    policy_eq(expected, build_policy())
def test_script_src():
    """The configured ``script-src`` directive follows the default policy."""
    expected = "default-src 'self'; script-src example.com"
    policy_eq(expected, build_policy())
def test_font_src():
    """The configured ``font-src`` directive follows the default policy."""
    expected = "default-src 'self'; font-src example.com"
    policy_eq(expected, build_policy())
def test_sandbox():
    """A configured ``sandbox`` flag is emitted after the default policy."""
    expected = "default-src 'self'; sandbox allow-scripts"
    policy_eq(expected, build_policy())
def test_report_uri_lazy():
    """A lazily-evaluated ``report-uri`` setting is rendered as its plain value."""
    expected = "default-src 'self'; report-uri /foo"
    policy_eq(expected, build_policy())