From 13eb3cbe48a1e3c12e686af2bfb058cfc055f214 Mon Sep 17 00:00:00 2001
From: Jannis Leidel
Date: Fri, 5 Oct 2018 21:49:10 +0200
Subject: [PATCH] Fix handling policy directives with multiple sources. (#32)
---
 flask_talisman/talisman.py | 2 +-
 flask_talisman/talisman_test.py | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py
index 7ebbad4..c332d8b 100644
--- a/flask_talisman/talisman.py
+++ b/flask_talisman/talisman.py
@@ -245,7 +245,7 @@ def _parse_policy(self, policy):
 for policy_part in policy_string.split(';'):
 policy_parts = policy_part.strip().split(' ')
- policy[policy_parts[0]] = "".join(policy_parts[1:])
+ policy[policy_parts[0]] = " ".join(policy_parts[1:])
 policies = []
 for section, content in iteritems(policy):
diff --git a/flask_talisman/talisman_test.py b/flask_talisman/talisman_test.py
index 6c91a38..7a1bd7c 100644
--- a/flask_talisman/talisman_test.py
+++ b/flask_talisman/talisman_test.py
@@ -148,10 +148,10 @@ def testContentSecurityPolicyOptions(self):
 self.assertIn('image-src \'self\' example.com', csp)
 # string policy
- self.talisman.content_security_policy = 'default-src example.com'
+ self.talisman.content_security_policy = 'default-src \'foo\' spam.eggs'
 response = self.client.get('/', environ_overrides=HTTPS_ENVIRON)
 self.assertEqual(response.headers['Content-Security-Policy'],
- 'default-src example.com')
+ 'default-src \'foo\' spam.eggs')
 # no policy
 self.talisman.content_security_policy = False
@@ -160,10 +160,10 @@ def testContentSecurityPolicyOptions(self):
 # string policy at initialization
 app = flask.Flask(__name__)
- Talisman(app, content_security_policy='default-src spam.eggs')
+ Talisman(app, content_security_policy='default-src \'foo\' spam.eggs')
 response = app.test_client().get('/', environ_overrides=HTTPS_ENVIRON)
 self.assertIn(
- 'default-src spam.eggs',
+ 'default-src \'foo\' spam.eggs',
 response.headers['Content-Security-Policy']
 )
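Review bot: The context line `policy_parts = policy_part.strip().split(' ')` still splits on one literal space, so a string policy ending in `;` yields an empty part that is stored under the key `''`, a tab between tokens is not treated as a separator, and repeated spaces produce empty tokens. Suggest `policy_parts = policy_part.split()` followed by `if not policy_parts: continue`, which fits the new `" ".join(...)`. Separately, a directive that appears twice in the string overwrites the earlier value here, whereas browsers honour the first occurrence of a duplicate CSP directive, so the emitted header can enforce something different from what the original string would have; consider ignoring or rejecting later duplicates. `_parse_policy` begins and ends outside this hunk, so how an empty key is rendered afterwards is not visible here.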
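Review bot: The updated string-policy assertions in this hunk and the next one (`@@ -160,10 +160,10 @@`) use a single directive only, so as far as these hunks show the `split(';')` path of `_parse_policy` is not exercised together with multi-source directives. Add a case such as `self.talisman.content_security_policy = 'default-src \'self\' spam.eggs; img-src \'self\''` and check with `assertIn` that each directive appears in the header with its sources separated by spaces. `'foo'` is not a CSP keyword; using `'self'` would make the fixture read as a realistic policy. `testContentSecurityPolicyOptions` begins and ends outside both hunks.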