PoC ASGI middleware implementation of the Fetch Metadata specification
fetch-metadata-asgi

Proof-of-concept ASGI middleware implementation of the Fetch Metadata specification for Python 3.6+.

The Fetch Metadata specification lets a server reject cross-origin requests, protecting clients from CSRF, XSSI and similar cross-origin attacks.

Important: this repo was created following a talk by Lukas Weichselbaum at PyConWeb 2019. It is neither an official nor an audited implementation of the Fetch Metadata specification in any way. Feel free to fork it, copy-paste the code, or hack it away!

For more information:

Installation

HTTP header parsing is provided by Starlette:

pip install starlette

Usage

This middleware should be usable with any ASGI3-compliant application.

An example "Hello, World!" ASGI app wrapped by the FetchMetadataMiddleware is provided in example.py:

from fetch_metadata import FetchMetadataMiddleware
from starlette.responses import PlainTextResponse

async def app(scope, receive, send):
    assert scope["type"] == "http"
    response = PlainTextResponse("Hello, world!")
    await response(scope, receive, send)

app = FetchMetadataMiddleware(app)

Serve it using uvicorn or any other ASGI web server:

uvicorn example:app

Example allowed requests:

curl http://localhost:8000
curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: navigate"
curl http://localhost:8000 -H "Sec-Fetch-Site: same-site"

Example disallowed requests:

curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: cors"
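The following is an added example, not the repo's fetch_metadata.py: a pure-ASGI3 middleware that encodes the allow/deny behaviour shown by the curl examples above. The policy (accept requests without Sec-Fetch-Site, accept same-origin, same-site and none, accept cross-origin top-level navigations, reject every other cross-origin request with 403) is an assumption derived from those examples and the header values the spec defines, and it uses only the standard library instead of Starlette's header parsing.

```python
from typing import Dict, List, Tuple

# Sec-Fetch-Site values that never indicate a cross-origin request.
ALLOWED_SITES = {"same-origin", "same-site", "none"}


def is_allowed(headers: Dict[str, str]) -> bool:
    """Return True if a request with these lower-cased headers passes the policy."""
    site = headers.get("sec-fetch-site")
    if site is None:
        # Header absent: an older browser or a non-browser client such as curl.
        return True
    if site in ALLOWED_SITES:
        return True
    # cross-origin: only plain navigations (e.g. following a link) are accepted,
    # so cross-origin "cors" and "no-cors" subresource requests are rejected.
    return headers.get("sec-fetch-mode") == "navigate"


def decode_headers(raw: List[Tuple[bytes, bytes]]) -> Dict[str, str]:
    """Convert ASGI's list of (name, value) byte pairs into a lower-cased str dict."""
    return {k.decode("latin-1").lower(): v.decode("latin-1") for k, v in raw}


class FetchMetadataMiddleware:
    """ASGI3 middleware that answers disallowed requests with 403 Forbidden."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and not is_allowed(decode_headers(scope["headers"])):
            body = b"Forbidden by Fetch Metadata policy\n"
            await send({
                "type": "http.response.start",
                "status": 403,
                "headers": [
                    (b"content-type", b"text/plain"),
                    (b"content-length", str(len(body)).encode()),
                ],
            })
            await send({"type": "http.response.body", "body": body})
            return
        # Request passed the policy: hand it to the wrapped application.
        await self.app(scope, receive, send)
```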