Merge ce3e8f8 into 0040966

.travis.yml

@@ -7,8 +7,6 @@ matrix:
     env: NOXSESSION=lint
   - python: 3.6
     env: NOXSESSION=tests-2.7
-  - python: 3.4
-    env: NOXSESSION=tests-3.4
   - python: 3.5
     env: NOXSESSION=tests-3.5
   - python: 3.6

README.rst

@@ -113,6 +113,9 @@ Options
    `X-Download-Options <https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/jj542450(v=vs.85)?redirectedfrom=MSDN>`_
    header to ``noopen`` to prevent IE >= 8 to from opening file downloads
    directly and only save them instead.
+-  ``x_content_type_options``, default ``True``, Protects against MIME sniffing vulnerabilities.
+-  ``x_xss_protection``, default ``True``, Protects against cross-site scripting (XSS) attacks.
+
 
 Per-view options
 ~~~~~~~~~~~~~~~~

flask_talisman/talisman.py

@@ -76,7 +76,9 @@ def init_app(
             content_security_policy_nonce_in=None,
             referrer_policy=DEFAULT_REFERRER_POLICY,
             session_cookie_secure=True,
-            session_cookie_http_only=True):
+            session_cookie_http_only=True,
+            x_content_type_options=True,
+            x_xss_protection=True):
         """
         Initialization.
 
@@ -116,6 +118,9 @@ def init_app(
                 session cookie.
             force_file_save: Prevents the user from opening a file download
                 directly on >= IE 8
+            x_content_type_options: Prevents MIME type sniffing
+            x_xss_protection: Prevents the page from loading when the browser
+                detects reflected cross-site scripting attacks
 
         See README.rst for a detailed description of each option.
         """
@@ -166,6 +171,10 @@ def init_app(
 
         self.force_file_save = force_file_save
 
+        self.x_content_type_options = x_content_type_options
+
+        self.x_xss_protection = x_xss_protection
+
         self.app = app
 
         app.before_request(self._force_https)
@@ -284,8 +293,11 @@ def _set_frame_options_headers(self, headers, options):
                 options['frame_options_allow_from'])
 
     def _set_content_security_policy_headers(self, headers, options):
-        headers['X-XSS-Protection'] = '1; mode=block'
-        headers['X-Content-Type-Options'] = 'nosniff'
+        if self.x_xss_protection:
+            headers['X-XSS-Protection'] = '1; mode=block'
+
+        if self.x_content_type_options:
+            headers['X-Content-Type-Options'] = 'nosniff'
 
         if self.force_file_save:
             headers['X-Download-Options'] = 'noopen'

flask_talisman/talisman_test.py

@@ -165,6 +165,18 @@ def testContentSecurityPolicyOptions(self):
             response.headers['Content-Security-Policy']
         )
 
+        # x-content-type-options disabled
+        app = flask.Flask(__name__)
+        Talisman(app, x_content_type_options=False)
+        response = app.test_client().get('/', environ_overrides=HTTPS_ENVIRON)
+        self.assertNotIn('X-Content-Type-Options', response.headers)
+
+        # x-xss-protection disabled
+        app = flask.Flask(__name__)
+        Talisman(app, x_xss_protection=False)
+        response = app.test_client().get('/', environ_overrides=HTTPS_ENVIRON)
+        self.assertNotIn('X-XSS-Protection', response.headers)
+
     def testContentSecurityPolicyOptionsReport(self):
         # report-only policy
         self.talisman.content_security_policy_report_only = True

noxfile.py

@@ -12,7 +12,7 @@ def lint(session):
     session.run('flake8', '--import-order-style=google', 'flask_talisman')
 
 
-@nox.session(python=['2.7', '3.4', '3.5', '3.6'])
+@nox.session(python=['2.7', '3.5', '3.6'])
 def tests(session):
     """Run the test suite"""
     session.install('flask', 'mock', 'pytest', 'pytest-cov')

setup.py

@@ -47,7 +47,6 @@
         'Programming Language :: Python :: 2',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 2.7',
-        'Programming Language :: Python :: 3.4',
         'Programming Language :: Python :: 3.5',
         'Programming Language :: Python :: 3.6',