Add a ContentSecurityPolicy datastructure #1617
Conversation
Nice! Is this something Flask-Talisman can take advantage of too? Is there anything in their implementation that would be useful here?
I think it could be used by Flask-Talisman. I quite like the ability (in Flask-Talisman) to do something like
@davidism are you happy with the API? (I plan to add the same API to Quart and hope to get Werkzeug sign-off).
Overall I'm fine with the design. Flask-Talisman has a few CSP features that I'd like to think about now even if they can be implemented later.
@theacodes We're implementing a CSP header in Werkzeug, would love to hear any feedback you have.
The API here looks fine for having a structured way of setting the CSP header. Talisman can certainly be updated to use this, but I'd also be happy to see the need for Talisman either diminish or evaporate completely.
@davidism I've added the Report-Only variant. This already allows a nonce to be set (although it requires some knowledge about how to format it). I think anything beyond this is best tied in with Flask (so as to inject the nonce into the HTML).
This should help make CSP headers easier to construct and read, by adding structure for the directives. It is based on today's version of https://w3c.github.io/webappsec-csp/ .
This follows the CSP header and allows for monitoring rather than enforcement of content security policies.
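An added, self-contained illustration of the structure described above and of the nonce formatting the comment mentions; it is not Werkzeug's own code, and the `/csp-report` endpoint is an assumed value.

```python
import secrets
from typing import Dict, Iterable, Tuple


class CSPolicy:
    """Directives held as a mapping, serialised to the header grammar on demand.
    Constructed illustration, not the Werkzeug class."""

    def __init__(self, directives: Iterable[Tuple[str, str]] = ()):
        self._directives: Dict[str, str] = dict(directives)

    def set(self, directive: str, *sources: str) -> "CSPolicy":
        # Source expressions are stored space-separated, as the header requires.
        self._directives[directive] = " ".join(sources)
        return self

    def to_header(self) -> str:
        # directive-name SP sources, directives joined by "; "
        return "; ".join(f"{k} {v}" for k, v in self._directives.items())

    @classmethod
    def from_header(cls, value: str) -> "CSPolicy":
        items = []
        for policy in value.split(";"):
            policy = policy.strip()
            if " " in policy:
                directive, sources = policy.split(" ", 1)
                items.append((directive.strip(), sources.strip()))
        return cls(items)


def new_nonce() -> str:
    # A fresh, unguessable value per response (128 bits of entropy here).
    return secrets.token_urlsafe(16)


def nonce_source(nonce: str) -> str:
    # The source expression the spec expects: single-quoted, "nonce-" prefix.
    return f"'nonce-{nonce}'"


def build_headers(nonce: str, report_only: bool) -> Dict[str, str]:
    # Same policy either enforced or, for monitoring, sent as Report-Only.
    policy = (
        CSPolicy()
        .set("default-src", "'self'")
        .set("script-src", "'self'", nonce_source(nonce))
        .set("object-src", "'none'")
        .set("report-uri", "/csp-report")  # assumed reporting endpoint
    )
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: policy.to_header()}
```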
🎉 thanks.
Woah, I had missed this, super exciting @pgjones @theacodes! Thank you ❤️
This should help make CSP headers easier to construct and read, by
adding structure for the directives. It is based on today's version of
https://www.w3.org/TR/CSP3/ .