def test_incs001_csp_hashes_inline_scripts(dash_duo, add_hashes, hash_algorithm, expectation): app = Dash(__name__) app.layout = html.Div([ dcc.Input(id="input_element", type="text"), html.Div(id="output_element") ]) app.clientside_callback( """ function(input) { return input; } """, Output("output_element", "children"), [Input("input_element", "value")], ) with expectation: csp = { "default-src": "'self'", "script-src": ["'self'"] + (app.csp_hashes(hash_algorithm) if add_hashes else []), } flask_talisman.Talisman(app.server, content_security_policy=csp, force_https=False) dash_duo.start_server(app) dash_duo.find_element("#input_element").send_keys("xyz") assert dash_duo.wait_for_element("#output_element").text == "xyz"
def setup_application(app): flask_talisman.Talisman(app, content_security_policy=None) Bootstrap(app) boltons.fileutils.mkdir_p(app.instance_path) _register_views(app) _setup_login_manager(app)
def create_app(*args, **kwargs) -> flask.Flask: """Create a Flask app with secure default behaviours. :return: A Flask application. :rtype: Flask """ app = flask.Flask(*args, **kwargs) configure_app(app) # Both these extensions can be used as view decorators. Bit worried that # this circular reference will cause memory leaks. talisman_kwargs = get_talisman_config(app.config) app.talisman = flask_talisman.Talisman(app, **talisman_kwargs) app.csrf = flask_seasurf.SeaSurf(app) return app
def build_flask_app(project_name, app_name, openapi): """ Create a new Flask backend application app_name is the Python application name, used as Flask import_name project_name is a "nice" name, used to identify the application """ assert os.path.exists(openapi), "Missing openapi file {}".format(openapi) logger.debug("Initializing", app=app_name, openapi=openapi) # Start OpenAPI app app = connexion.App(import_name=app_name) app.name = project_name app.add_api(openapi) # Enable security security = flask_talisman.Talisman() security.init_app(app.app, **TALISMAN_CONFIG) # Enable wildcard CORS cors = flask_cors.CORS() cors.init_app(app.app, origins=["*"]) # Add exception Json renderer for code, exception in werkzeug.exceptions.default_exceptions.items(): app.app.register_error_handler(exception, handle_default_exceptions) # Redirect root to API app.add_url_rule( "/", "root", lambda: flask.redirect(app.options.openapi_console_ui_path)) # Dockerflow checks app.add_url_rule("/__heartbeat__", view_func=heartbeat_response) app.add_url_rule("/__lbheartbeat__", view_func=lbheartbeat_response) app.add_url_rule("/__version__", view_func=get_version) logger.debug("Initialized", app=app.name) return app
def init_app(app): allow_from = app.config.get('TALISMAN_FRAME_OPTIONS_ALLOW_FROM', None) if isinstance(allow_from, (list, tuple)): allow_from = " ".join(allow_from) if allow_from: frame_options = flask_talisman.ALLOW_FROM else: frame_options = flask_talisman.SAMEORIGIN flask_talisman.Talisman( app, content_security_policy=app.config.get( 'TALISMAN_CONTENT_SECURITY_POLICY', flask_talisman.DEFAULT_CSP_POLICY), force_https_permanent=app.config.get( 'TALISMAN_FORCE_HTTPS_PERMANENT', True, ), frame_options=frame_options, frame_options_allow_from=allow_from, )
#!/usr/bin/env python3 ### # arberweb # Arber Xhindoli github:@arberx ### import flask import flask_talisman import arberweb.config # app is a single object used by all the code modules in this package app = flask.Flask(__name__) # pylint: disable=invalid-name # enforce https, currently allow fetching of all external resources # TODO: stricter csp: https://github.com/GoogleCloudPlatform/flask-talisman flask_talisman.Talisman(app, content_security_policy=None) # Read settings from config module (arberweb/config.py) app.config.from_object('arberweb.config') # Overlay settings read from file specified by environment variable. This is # useful for using different on development and production machines. # Reference: http://flask.pocoo.org/docs/0.12/config/ app.config.from_envvar('ARBERWEB_SETTINGS', silent=True) # (Reference http://flask.pocoo.org/docs/0.12/patterns/packages/) import arberweb.views # noqa: E402 pylint: disable=wrong-import-position
'script-src': '\'self\' \'unsafe-inline\'', 'style-src': '\'self\' \'unsafe-inline\'', 'img-src': '\'self\'', 'connect-src': '\'self\'', } DEFAULT_CONFIG = dict( force_https=True, force_https_permanent=False, force_file_save=False, frame_options=flask_talisman.talisman.SAMEORIGIN, frame_options_allow_from=None, strict_transport_security=True, strict_transport_security_preload=False, strict_transport_security_max_age=flask_talisman.talisman.ONE_YEAR_IN_SECS, strict_transport_security_include_subdomains=True, content_security_policy=DEFAULT_CSP_POLICY, content_security_policy_report_uri=None, content_security_policy_report_only=False, session_cookie_secure=True, session_cookie_http_only=True, ) security = flask_talisman.Talisman() def init_app(app): config = app.config.get('SECURITY', DEFAULT_CONFIG) security.init_app(app, **config) return security
from __future__ import absolute_import from flask_caching import Cache from flask_limiter import Limiter from flask_limiter.util import get_remote_address import flask_marshmallow import flask_migrate import flask_sqlalchemy import flask_talisman cache = Cache() db = flask_sqlalchemy.SQLAlchemy() limiter = Limiter(key_func=get_remote_address) ma = flask_marshmallow.Marshmallow() migrate = flask_migrate.Migrate() talisman = flask_talisman.Talisman()
flask_talisman.Talisman( app, content_security_policy={ "default-src": ["'self'"], "script-src": [ "'self'", "www.gstatic.com", "cdn.firebase.com", "apis.google.com", "use.fontawesome.com", ], "style-src": [ "'self'", "fonts.googleapis.com", "cdn.firebase.com", "cdnjs.cloudflare.com", "use.fontawesome.com", ], "font-src": ["fonts.gstatic.com"], "img-src": [ "'self'", "www.gstatic.com", # Required for user avatars from GitHub, Google. "*.githubusercontent.com", "*.googleusercontent.com", ], "connect-src": ["'self'", "www.googleapis.com"], "frame-src": ["https://conducthotline-fb.firebaseapp.com/"], }, )