    def test_report_uri(self):
        """report-uri is emitted verbatim from a string; a list value is rejected."""
        compiled = CSPCompiler({'report-uri': '/dev/null'}).compile()
        self.assertEqual(compiled, "report-uri /dev/null")

        # A non-string value must be refused rather than silently serialised.
        with self.assertRaises(InvalidCSPError):
            CSPCompiler({'report-uri': []}).compile()
    def test_upgrade_insecure_requests(self):
        """A boolean directive is emitted bare when True and omitted when False."""
        enabled = CSPCompiler({'upgrade-insecure-requests': True}).compile()
        self.assertEqual(enabled, "upgrade-insecure-requests")

        disabled = CSPCompiler({'upgrade-insecure-requests': False}).compile()
        self.assertEqual(disabled, '')
    def test_fetch(self):
        """Fetch directives quote keyword/nonce sources and pass hosts through; a bare string is rejected."""
        sources = ['self', 'https://dmoj.ca', 'nonce-123']
        compiled = CSPCompiler({'script-src': sources}).compile()
        self.assertEqual(compiled, "script-src 'self' https://dmoj.ca 'nonce-123'")

        # A fetch directive must be given as a list of sources, not a single string.
        with self.assertRaises(InvalidCSPError):
            CSPCompiler({'script-src': 'https://dmoj.ca'}).compile()
    def test_require_sri_for(self):
        """require-sri-for accepts a known string value; lists and unknown tokens are rejected."""
        compiled = CSPCompiler({'require-sri-for': 'script style'}).compile()
        self.assertEqual(compiled, "require-sri-for script style")

        for bad_value in ([], 'bad'):
            with self.assertRaises(InvalidCSPError):
                CSPCompiler({'require-sri-for': bad_value}).compile()
    def test_sandbox(self):
        """sandbox joins known allow-* flags; unknown flags and non-list values are rejected."""
        flags = ['allow-same-origin', 'allow-scripts']
        compiled = CSPCompiler({'sandbox': flags}).compile()
        self.assertEqual(compiled, "sandbox allow-same-origin allow-scripts")

        # An unrecognised sandbox flag must not be emitted into the policy.
        with self.assertRaises(InvalidCSPError):
            CSPCompiler({'sandbox': ['allow-invalid', 'allow-scripts']}).compile()

        # The value must be a list, not a bare string.
        with self.assertRaises(InvalidCSPError):
            CSPCompiler({'sandbox': 'allow-scripts'}).compile()
    def add_csp_header(self, request, response, header, base, can_call, is_str, attrs):
        """Set ``header`` on ``response`` to a compiled CSP policy.

        Nothing happens if the response already carries ``header``. When
        ``is_str`` is set, ``base`` is written as-is. Otherwise ``base`` is
        taken as a policy dict (resolved through ``call_csp_dict`` when
        ``can_call``), the first present ``attrs`` attribute on the response
        either replaces it (``override`` key) or is merged into it, and the
        result is compiled. An invalid policy is logged and the header is
        left unset rather than emitting a broken policy.
        """
        if header in response:
            return
        if is_str:
            response[header] = base
            return

        policy_dict = base
        if can_call:
            policy_dict = call_csp_dict(base, request, response)

        # Only the first attribute found on the response is applied.
        for attr_name in attrs:
            page_update = getattr(response, attr_name, None)
            if page_update is None:
                continue
            # NOTE: pop() mutates the dict attached to the response object.
            if page_update.pop('override', False):
                policy_dict = page_update
            else:
                policy_dict = merge_csp_dict(policy_dict, page_update)
            break

        if not policy_dict:
            return

        try:
            compiled = CSPCompiler(policy_dict).compile()
        except InvalidCSPError:
            # Fail closed on the header rather than send a malformed policy.
            log.exception('Invalid CSP on page: %s', request.get_full_path())
        else:
            response[header] = compiled
 def test_integration(self):
     """Several directives compile in insertion order, joined by '; ', with False booleans dropped."""
     directives = [
         ('style-src', ['self']),
         ('script-src', ['self', 'https://dmoj.ca']),
         ('frame-src', ['none']),
         ('plugin-types', ['application/pdf']),
         ('block-all-mixed-content', True),
         ('upgrade-insecure-requests', False),
         ('sandbox', ['allow-scripts']),
         ('report-uri', '/dev/null'),
     ]
     compiled = CSPCompiler(OrderedDict(directives)).compile()
     expected = (
         "style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; "
         "plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; "
         "report-uri /dev/null"
     )
     self.assertEqual(compiled, expected)