Skip to content
This repository has been archived by the owner. It is now read-only.
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 

fetch-metadata-asgi

Proof-of-concept ASGI middleware implementation of the Fetch Metadata specification for Python 3.6+.

The Fetch Metadata spec allows a server to reject a cross-origin request to protect clients from CSRF, XSSI and other bugs.

Important: this repo was created following a talk by Lukas Weichselbaum at PyConWeb 2019. It is NOT an official nor audited implementation of the Fetch-Metadata specification in any way. Feel free to fork it, copy-paste the code, or hack it away!

For more information:

Installation

HTTP header parsing is provided by Starlette:

pip install starlette

Usage

This middleware should be usable with any ASGI3-compliant application.

An example "Hello, World!" ASGI app wrapped by the FetchMetadataMiddleware is provided in example.py:

from fetch_metadata import FetchMetadataMiddleware
from starlette.responses import PlainTextResponse

async def app(scope, receive, send):
    assert scope["type"] == "http"
    response = PlainTextResponse("Hello, world!")
    await response(scope, receive, send)

app = FetchMetadataMiddleware(app)

Serve it using uvicorn or any other ASGI web server:

uvicorn example:app

Example allowed requests:

curl http://localhost:8000
curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: navigate"
curl http://localhost:8000 -H "Sec-Fetch-Site: same-site"

Example disallowed requests:

curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: cors"

About

PoC ASGI middleware implementation of the Fetch Metadata specification

Topics

Resources

License

Releases

No releases published

Packages

No packages published

Languages