Add a ContentSecurityPolicy datastructure

[pgjones]

This should help make CSP headers easier to construct and read, by
adding structure for the directives. It is based on today's version of
https://www.w3.org/TR/CSP3/ .

[davidism]

Nice! Is this something Flask-Talisman can take advantage of too? Is there anything in their implementation that would be useful here?

[pgjones]

I think it could be used by Flask-Talisman. I quite like the ability (in Flask-Talisman) to do something like csp.default_src = ["'self'", "something"] i.e. set a list. I thought about doing this in Werkzeug, but the complexity starts to grow very quickly - not every directive-value is a list, then 'unsafe-inline' is only valid in some directives etc... So I think this is a good place to start.

[pgjones]

@davidism are you happy with the API? (I plan to add the same API to Quart and hope to get Werkzeug sign-off).

[davidism]

Overall I'm fine with the design. Flask-Talisman has a few CSP features that I'd like to think about now even if they can be implemented later.

• The Content-Security-Policy-Report-Only header.
• Adding a per-response nonce to CSP sections.

[davidism]

@theacodes We're implementing a CSP header in Werkzeug, would love to hear any feedback you have.

[theacodes]

The API here looks fine for having a structured way of setting the CSP header.

Talisman can certainly be updated to use this, but I'd also be happy to see the need for Talisman either diminish or evaporate completely.

[pgjones]

@davidism I've added the Report-Only variant. This already allows a nonce to be set (although it requires some knowledge about how to format it), I think anything beyond this is best tied in with Flask (so as to inject the nonce into the HTML).

[pgjones]

🎉 thanks.

[jezdez]

Woah, I had missed this, super exciting @pgjones @theacodes! Thank you ❤️