Proof-of-concept ASGI middleware implementation of the Fetch Metadata specification for Python 3.6+.
The Fetch Metadata spec allows a server to reject a cross-origin request to protect clients from CSRF, XSSI and other bugs.
Important: this repo was created following a talk by Lukas Weichselbaum at PyConWeb 2019. It is neither an official nor an audited implementation of the Fetch Metadata specification in any way. Feel free to fork it, copy-paste the code, or hack it away!
For more information:
HTTP header parsing is provided by Starlette:
```shell
pip install starlette
```
This middleware should be usable with any ASGI3-compliant application.
An example "Hello, World!" ASGI app wrapped by the FetchMetadataMiddleware is provided in

```python
from fetch_metadata import FetchMetadataMiddleware
from starlette.responses import PlainTextResponse


async def app(scope, receive, send):
    assert scope["type"] == "http"
    response = PlainTextResponse("Hello, world!")
    await response(scope, receive, send)


# Wrap the raw ASGI app so every request is checked against the
# Sec-Fetch-* headers before it reaches the handler.
app = FetchMetadataMiddleware(app)
```
Serve it using uvicorn or any other ASGI web server:
Example allowed requests:
```shell
curl http://localhost:8000
curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: navigate"
curl http://localhost:8000 -H "Sec-Fetch-Site: same-site"
```
Example disallowed requests:
```shell
curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: cors"
```
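The allow/deny decisions shown by the curl examples above, written out as an added, dependency-free ASGI middleware (example code, not this repository's `fetch_metadata` module): requests without `Sec-Fetch-Site` (older clients) and `same-origin`/`same-site`/`none` requests pass, cross-site requests pass only when `Sec-Fetch-Mode` is `navigate`, and everything else gets a 403 before the wrapped app runs. The `status_for` helper, the `hello` app and the constructed header lists are assumptions for running it offline; `asyncio.run` needs Python 3.7+.

```python
import asyncio

# "none" = user-initiated (typed URL, bookmark); same-origin/same-site are
# trusted; any other value is cross-site and only allowed for navigations.
TRUSTED_SITES = {"same-origin", "same-site", "none"}

def is_allowed(headers):
    """Fetch Metadata check over lower-cased header names -> values."""
    site = headers.get("sec-fetch-site")
    if site is None or site in TRUSTED_SITES:
        return True  # no header: client predates Fetch Metadata
    return headers.get("sec-fetch-mode") == "navigate"

class FetchMetadataMiddleware:
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            headers = {k.decode("latin-1").lower(): v.decode("latin-1")
                       for k, v in scope.get("headers", [])}
            if not is_allowed(headers):
                await send({"type": "http.response.start", "status": 403,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body",
                            "body": b"Blocked by Fetch Metadata policy"})
                return
        await self.app(scope, receive, send)

async def hello(scope, receive, send):
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"Hello, world!"})

def status_for(raw_headers):
    """Drive the wrapped app in-process on constructed headers; return status."""
    scope = {"type": "http", "method": "GET", "path": "/",
             "headers": [(k.encode(), v.encode()) for k, v in raw_headers]}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(FetchMetadataMiddleware(hello)(scope, receive, send))
    return sent[0]["status"]
```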