o ;hB@sddlmZddlZdZdZdZdZdZdd d Zd Z d d ddd ddZ ddiZ iZ iZ dZGdddeZz ddlZddZWdSey[ddlZddlZeZddZYdSw)) OrderedDictNDENY SAMEORIGINz ALLOW-FROMi>zstrict-origin-when-cross-originz'self'z'none') default-src object-srcZLaxz1'self' themes.googleusercontent.com *.gstatic.comz%'self' www.google.com www.youtube.comzG'self' ajax.googleapis.com *.googleanalytics.com *.google-analytics.comz='self' ajax.googleapis.com fonts.googleapis.com *.gstatic.comz'self' *.gstatic.com)zfont-srcz frame-srcz script-srcz style-srcrrzbrowsing-topicsz() c@seZdZdZd'ddZeeedddeddde de ddde dde ddfddZ d d Zd d Zd dZddZddZddZddZddZddZddZddZdd Zd!d"Zd#d$Zd%d&ZdS)(TalismanzB Talisman is a Flask extension for HTTP security headers. NcKs"|dur|j|fi|dSdSN)init_app)selfappkwargsrJ/var/www/html/venv/lib/python3.10/site-packages/flask_talisman/talisman.py__init__CszTalisman.__init__TFcCs@t|tr t||_n||_t|trt||_n||_t|tr't||_n||_||_||_||_| |_ | |_ | |_ | |_ | |_ t|trMt||_n||_||_||_|jrb|jdurbtd|peg|_|j|jjd<||_||_||jd<|rd|jd<||_||_||_||_||j||j| |j!dS)a Initialization. Args: app: A Flask application. feature_policy: A string or dictionary describing the feature policy for the response. permissions_policy: A string or dictionary describing the permissions policy for the response. document_policy: A string or dictionary describing the document policy for the response. force_https: Redirects non-http requests to https, disabled in debug mode. force_https_permanent: Uses 301 instead of 302 redirects. frame_options: Sets the X-Frame-Options header, defaults to SAMEORIGIN. frame_options_allow_from: Used when frame_options is set to ALLOW_FROM and is a string of domains to allow frame embedding. strict_transport_security: Sets HSTS headers. strict_transport_security_preload: Enables HSTS preload. See https://hstspreload.org. strict_transport_security_max_age: How long HSTS headers are honored by the browser. strict_transport_security_include_subdomains: Whether to include all subdomains when setting HSTS. content_security_policy: A string or dictionary describing the content security policy for the response. content_security_policy_report_uri: A string indicating the report URI used for CSP violation reports content_security_policy_report_only: Whether to set the CSP header as "report-only", which disables the enforcement by the browser and requires a "report-uri" parameter with a backend to receive the POST data content_security_policy_nonce_in: A list of csp sections to include a per-request nonce value in referrer_policy: A string describing the referrer policy for the response. session_cookie_secure: Forces the session cookie to only be sent over https. Disabled in debug mode. session_cookie_http_only: Prevents JavaScript from reading the session cookie. session_cookie_samesite: Sets samesite parameter on session cookie force_file_save: Prevents the user from opening a file download directly on >= IE 8 x_content_type_options: Prevents MIME type sniffing x_xss_protection: Prevents the page from loading when the browser detects reflected cross-site scripting attacks See README.rst for a detailed description of each option. Nz}Setting content_security_policy_report_only to True also requires a URI to be specified in content_security_policy_report_uri csp_nonceZSESSION_COOKIE_SAMESITETZSESSION_COOKIE_HTTPONLY)" isinstancedictrfeature_policypermissions_policydocument_policy force_httpsforce_https_permanent frame_optionsframe_options_allow_fromstrict_transport_security!strict_transport_security_preload!strict_transport_security_max_age,strict_transport_security_include_subdomainscontent_security_policy"content_security_policy_report_uri#content_security_policy_report_only ValueError content_security_policy_nonce_in _get_nonceZ jinja_envglobalsreferrer_policysession_cookie_secureconfigforce_file_savex_content_type_optionsx_xss_protectionr Zbefore_request _force_https _make_nonceZ after_request_set_response_headers)r r rrrrrr)rrrrrrrr r!r#r&r'Zsession_cookie_http_onlyZsession_cookie_samesiter*r+rrrr Gs^ K            zTalisman.init_appcCstjjtjj}t|di}|d|j|d|j |d|j |d|j |d|j |d|j |d|j|d |j|S) Ntalisman_view_optionsrrrrr#rrr)flaskZ current_appZview_functionsgetrequestZendpointgetattr setdefaultrrrrr#rrr)r Z view_functionZ view_optionsrrr_get_local_optionss8zTalisman._get_local_optionscCs|jr |jjs d|jjd<|jjtjjtjjdddkg}| }|drJt |sLtjj drNtjj ddd }d }|jrAd }tj||d }|Sd Sd Sd S)zZRedirect any non-https requests to https. Based largely on flask-sslify. TZSESSION_COOKIE_SECUREX-Forwarded-Protohttphttpsrzhttp://zhttps://i.i-)codeN)r'r debugr(r0r2 is_secureheadersr1r5anyurl startswithreplacerredirect)r criteria local_optionsr?r:rrrrr,s$ zTalisman._force_httpscCsj|}||j|||j|||j|||j|||j|||j||j|S)z5Applies all configured headers to the given response.) r5_set_feature_policy_headersr=_set_permissions_policy_headers_set_document_policy_headers_set_frame_options_headers$_set_content_security_policy_headers_set_hsts_headers_set_referrer_policy_headers)r responseoptionsrrrr. s  zTalisman._set_response_headerscCsB|}|dr|drttjddstttj_dSdSdSdS)Nrr#r)r5r3r0r2get_random_string NONCE_LENGTHr)r rDrrrr-s  zTalisman._make_noncecCsttjddS)Nr)r3r0r2)r rrrr$ zTalisman._get_noncecCsHt|tr|Sg}|D]\}}d||}||q d|}|S)Nz{}={}z, )rstritemsformatappendjoin)r policypoliciessectioncontent policy_partrrr_parse_structured_header_policy#s    z(Talisman._parse_structured_header_policyc Cs|}t|tr*|}t}|dD]}|d}d|dd||d<qg}|D].\}}t|ts>d|}d||}t t j drY||dvrY|dt j j 7}| |q0d |}|S) N; r9rz{} {}rr#z 'nonce-{}'z; )r5rrSrsplitstriprWrTrUhasattrr0r2rrV) r rXrDZ policy_stringr\Z policy_partsrYrZr[rrr _parse_policy1s&        zTalisman._parse_policycC*|dsdS|d}||}||d<dS)NrzFeature-Policy)rcr r=rNrXrrrrFM   z$Talisman._set_feature_policy_headerscCrd)NrzPermissions-Policyr]rerrrrGVrfz(Talisman._set_permissions_policy_headerscCrd)NrzDocument-PolicyrgrerrrrH_rfz%Talisman._set_document_policy_headerscCsF|dsdS|d|d<|dtkr!|dd|d7<dSdS)NrzX-Frame-Optionsz {}r) ALLOW_FROMrU)r r=rNrrrrIhs    z#Talisman._set_frame_options_headerscCs|jrd|d<|jrd|d<|jrd|d<|dsdS|d}||}|jr2d|vr2|d |j7}d }|jr;|d 7}|||<dS) Nz 1; mode=blockzX-XSS-ProtectionZnosniffzX-Content-Type-OptionsZnoopenzX-Download-Optionsrz report-uriz ; report-uri zContent-Security-Policyz -Report-Only)r+r*r)rcr r!)r r=rNrXZ csp_headerrrrrJqs"  z-Talisman._set_content_security_policy_headerscCsbtjjtjjdddkg}|jrt|sdSd|j}|j r$|d7}|j r+|d7}||d<dS)Nr6r7r8z max-age={}z; includeSubDomainsz ; preloadzStrict-Transport-Security) r0r2r<r=r1rr>rUrrr)r r=rCvaluerrrrKs  zTalisman._set_hsts_headerscCs|j|d<dS)NzReferrer-Policy)r&)r r=rrrrLrRz%Talisman._set_referrer_policy_headersc sfdd}|S)aUse talisman as a decorator to configure options for a particular view. Only force_https, frame_options, frame_options_allow_from, content_security_policy, content_security_policy_nonce_in and feature_policy can be set on a per-view basis. Example: app = Flask(__name__) talisman = Talisman(app) @app.route('/normal') def normal(): return 'Normal' @app.route('/embeddable') @talisman(frame_options=ALLOW_FROM, frame_options_allow_from='*') def embeddable(): return 'Embeddable' cst|d|S)Nr/)setattr)fr rr decorators z$Talisman.__call__..decoratorr)r r rmrrlr__call__s zTalisman.__call__r )__name__ __module__ __qualname____doc__rDEFAULT_FEATURE_POLICYDEFAULT_PERMISSIONS_POLICYDEFAULT_DOCUMENT_POLICYrONE_YEAR_IN_SECSDEFAULT_CSP_POLICYDEFAULT_REFERRER_POLICYDEFAULT_SESSION_COOKIE_SAMESITEr r5r,r.r-r$r]rcrFrGrHrIrJrKrLrnrrrrr>sT        rcCst|d|Sr )secretsZ token_urlsafelengthrrrrOsrOcs.tjtjtjdfddt|DS)NrQc3s|]}tVqdSr )rndchoice).0_ allowed_charsrr s  z$get_random_string..)stringascii_lowercaseascii_uppercasedigitsrWranger{rrrrOs) collectionsrr0rrrhrvrxrwryZGOOGLE_CSP_POLICYrtrursrPobjectrrzrO ImportErrorrandomr SystemRandomr}rrrrsH