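def get(self):
  """Handle a GET request by rendering the login page.

  The `dest` query parameter comes straight from the request and is echoed
  into the page as the post-login redirect target, so it is validated with
  `base_handler.check_redirect_url` before use (the same guard the other
  login handlers apply). Without that check an absolute or protocol-relative
  URL in `dest` turns the login page into an open redirector.

  Raises:
    Whatever `base_handler.check_redirect_url` raises when `dest` is not an
    acceptable redirect target.
  """
  dest = self.request.get('dest')
  # Reject off-site or malformed redirect targets before they reach the page.
  # NOTE(review): assumes `base_handler` is imported in this module, as it is
  # in the sibling handler that already performs this check — confirm.
  base_handler.check_redirect_url(dest)
  self.render(
      'login.html', {
          'apiKey': local_config.ProjectConfig().get('firebase.api_key'),
          'authDomain': auth.auth_domain(),
          'dest': dest,
      })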
def get(self):
  """Serve the login page for a GET request.

  The optional `dest` query parameter names where to send the user after a
  successful login (falling back to DEFAULT_REDIRECT). It is validated by
  `base_handler_flask.check_redirect_url` before being echoed into the page,
  so the parameter cannot be abused as an open redirect.

  Returns:
    The rendered 'login.html' response.
  """
  redirect_target = request.get('dest', DEFAULT_REDIRECT)
  base_handler_flask.check_redirect_url(redirect_target)

  project_config = local_config.ProjectConfig()
  template_values = {
      'apiKey': project_config.get('firebase.api_key'),
      'authDomain': auth.auth_domain(),
      'dest': redirect_target,
  }
  return self.render('login.html', template_values)
def get(self):
  """Serve the login page for a GET request.

  The `dest` query parameter is the post-login redirect target; it is run
  through `base_handler.check_redirect_url` before being handed to the
  template so a crafted value cannot redirect the user off-site.
  """
  redirect_target = self.request.get('dest')
  base_handler.check_redirect_url(redirect_target)

  project_config = local_config.ProjectConfig()
  template_values = {
      'apiKey': project_config.get('firebase.api_key'),
      'authDomain': auth.auth_domain(),
      'dest': redirect_target,
  }
  self.render('login.html', template_values)
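def get_default_builder():
  """Get a CSPBuilder object for the default policy.

  Can be modified for specific pages if needed.

  Returns:
    A CSPBuilder pre-populated with the site-wide Content-Security-Policy:
    everything denied by default, with the Google Analytics, Firebase auth,
    Cloud Storage, font and charting origins whitelisted, plus the
    'unsafe-inline' / 'unsafe-eval' allowances the Polymer bundle currently
    needs (which substantially weaken the script-src protection).
  """
  builder = CSPBuilder()

  # By default, disallow everything. Whitelist only features that are needed.
  builder.add('default-src', 'none', quote=True)

  # Allow various directives if sourced from self.
  builder.add('font-src', 'self', quote=True)
  builder.add('connect-src', 'self', quote=True)
  builder.add('img-src', 'self', quote=True)
  builder.add('manifest-src', 'self', quote=True)

  # External scripts. Google analytics, charting libraries.
  builder.add('script-src', 'www.google-analytics.com')
  builder.add('script-src', 'www.gstatic.com')
  builder.add('script-src', 'apis.google.com')

  # Google Analytics also uses connect-src and img-src.
  builder.add('connect-src', 'www.google-analytics.com')
  builder.add('img-src', 'www.google-analytics.com')

  # Firebase.
  builder.add('img-src', 'www.gstatic.com')
  builder.add('connect-src', 'securetoken.googleapis.com')
  builder.add('connect-src', 'www.googleapis.com')
  builder.add('frame-src', auth.auth_domain())

  # External style. Used for fonts, charting libraries.
  builder.add('style-src', 'fonts.googleapis.com')
  builder.add('style-src', 'www.gstatic.com')

  # External fonts.
  builder.add('font-src', 'fonts.gstatic.com')

  # Some upload forms require us to connect to the cloud storage API.
  builder.add('connect-src', 'storage.googleapis.com')

  # base-uri does NOT fall back to default-src, so 'none' above does not cover
  # it. Pin it to self: otherwise an injected <base> tag could rewrite every
  # relative URL on the page, which matters all the more because script-src is
  # loosened with 'unsafe-inline' below.
  builder.add('base-uri', 'self', quote=True)
  # NOTE(review): form-action and frame-ancestors likewise do not inherit from
  # default-src and are not set here. Confirm whether any upload form posts
  # cross-origin (form-action) and whether the UI is ever legitimately framed
  # (frame-ancestors) before tightening those.

  # Mixed content is unexpected, but upgrade requests rather than block.
  builder.add_sourceless('upgrade-insecure-requests')

  # object-src does fall back to default-src, but we deny it explicitly so the
  # plugin ban is visible and survives any page-specific loosening of
  # default-src.
  builder.add('object-src', 'none', quote=True)

  # We don't expect workers to be used, but they fall back (via child-src) to
  # script-src, which is loosened below, so deny them explicitly.
  builder.add('worker-src', 'none', quote=True)

  # Add reporting so that violations don't break things silently.
  # (report-uri is the older mechanism; report-to is its successor, but
  # report-uri is still honored and is what the handler below expects.)
  builder.add('report-uri', '/report-csp-failure')

  # TODO(mbarbella): Remove Google-specific cases by allowing configuration.
  # Internal authentication.
  builder.add('manifest-src', 'login.corp.google.com')

  # TODO(mbarbella): Improve the policy by limiting the additions below.

  # Because we use Polymer Bundler to create large files containing all of our
  # scripts inline, our policy requires this (which weakens CSP significantly):
  # with 'unsafe-inline' and no nonce/hash, script-src no longer blocks
  # injected inline scripts.
  builder.add('script-src', 'unsafe-inline', quote=True)

  # Some of the pages that read responses from json handlers require this.
  builder.add('script-src', 'unsafe-eval', quote=True)

  # Our Polymer Bundler usage also requires inline style.
  builder.add('style-src', 'unsafe-inline', quote=True)

  # Some fonts are loaded from data URIs.
  builder.add('font-src', 'data:')

  return builder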