Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a ContentSecurityPolicy datastructure #1617

Merged
merged 3 commits into from
Sep 5, 2019
Merged

Conversation

pgjones
Copy link
Member

@pgjones pgjones commented Jul 22, 2019

This should help make CSP headers easier to construct and read, by
adding structure for the directives. It is based on today's version of
https://www.w3.org/TR/CSP3/ .

@davidism
Copy link
Member

Nice! Is this something Flask-Talisman can take advantage of too? Is there anything in their implementation that would be useful here?

@pgjones
Copy link
Member Author

pgjones commented Jul 23, 2019

I think it could be used by Flask-Talisman. I quite like the ability (in Flask-Talisman) to do something like csp.default_src = ["'self'", "something"] i.e. set a list. I thought about doing this in Werkzeug, but the complexity starts to grow very quickly - not every directive-value is a list, then 'unsafe-inline' is only valid in some directives etc... So I think this is a good place to start.

@pgjones
Copy link
Member Author

pgjones commented Aug 4, 2019

@davidism are you happy with the API? (I plan to add the same API to Quart and hope to get Werkzeug sign-off).

@davidism
Copy link
Member

davidism commented Aug 5, 2019

Overall I'm fine with the design. Flask-Talisman has a few CSP features that I'd like to think about now even if they can be implemented later.

  • The Content-Security-Policy-Report-Only header.
  • Adding a per-response nonce to CSP sections.

@davidism
Copy link
Member

davidism commented Aug 5, 2019

@theacodes We're implementing a CSP header in Werkzeug, would love to hear any feedback you have.

@theacodes
Copy link

The API here looks fine for having a structured way of setting the CSP header.

Talisman can certainly be updated to use this, but I'd also be happy to see the need for Talisman either diminish or evaporate completely.

@pgjones
Copy link
Member Author

pgjones commented Aug 8, 2019

@davidism I've added the Report-Only variant. This already allows a nonce to be set (although it requires some knowledge about how to format it), I think anything beyond this is best tied in with Flask (so as to inject the nonce into the HTML).

pgjones and others added 3 commits September 5, 2019 06:12
This should help make CSP headers easier to construct and read, by
adding structure for the directives. It is based on today's version of
https://w3c.github.io/webappsec-csp/ .
This follows the CSP header and allows for monitoring rather than
enforcement of content security policies.
@davidism davidism added this to the 1.0.0 milestone Sep 5, 2019
@davidism davidism merged commit e76aac8 into pallets:master Sep 5, 2019
@pgjones
Copy link
Member Author

pgjones commented Sep 5, 2019

🎉 thanks.

@pgjones pgjones deleted the csp branch September 5, 2019 13:42
@jezdez
Copy link

jezdez commented May 21, 2020

Woah, I had missed this, super exciting @pgjones @theacodes! Thank you ❤️

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants