vbatts/microblog.pub
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Implement CSP

Browse source
This commit is contained in:
hiromi-mi 2020-06-19 21:34:09 +09:00
parent 8df0ddb03a
commit b4a24ea169
6 changed files with 21 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

15
app.py
View file

@ -29,6 +29,7 @@ from little_boxes.errors import Error
from little_boxes.httpsig import verify_request from little_boxes.httpsig import verify_request
from little_boxes.webfinger import get_remote_follow_template from little_boxes.webfinger import get_remote_follow_template
from werkzeug.exceptions import InternalServerError from werkzeug.exceptions import InternalServerError
from flask_talisman import Talisman
import blueprints.admin import blueprints.admin
import blueprints.indieauth import blueprints.indieauth
@ -93,7 +94,21 @@ app.register_blueprint(blueprints.indieauth.blueprint)
app.register_blueprint(blueprints.tasks.blueprint) app.register_blueprint(blueprints.tasks.blueprint)
app.register_blueprint(blueprints.well_known.blueprint) app.register_blueprint(blueprints.well_known.blueprint)
app.config.update(WTF_CSRF_CHECK_DEFAULT=False) app.config.update(WTF_CSRF_CHECK_DEFAULT=False)
app.config.update(SESSION_COOKIE_SECURE=True if config.SCHEME == "https" else False)
csp = {
"default-src": "'self'",
"script-src": "'self'",
"style-src-attr": "'unsafe-inline'",
}
csrf.init_app(app) csrf.init_app(app)
talisman = Talisman(
app,
content_security_policy=csp,
force_https=False,
content_security_policy_nonce_in=["script-src", "style-src"],
)
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)

1
requirements.txt
View file

@ -25,3 +25,4 @@ pillow
emoji-unicode emoji-unicode
html5lib html5lib
Pygments Pygments
flask-talisman

2
templates/layout.html
View file

@ -12,7 +12,7 @@
{% if not request.args.get("older_than") and not request.args.get("previous_than") %}<link rel="canonical" href="https://{{ config.DOMAIN }}{{ request.path }}">{% endif %} {% if not request.args.get("older_than") and not request.args.get("previous_than") %}<link rel="canonical" href="https://{{ config.DOMAIN }}{{ request.path }}">{% endif %}
{% block links %}{% endblock %} {% block links %}{% endblock %}
{% if config.THEME_COLOR %}<meta name="theme-color" content="{{ config.THEME_COLOR }}">{% endif %} {% if config.THEME_COLOR %}<meta name="theme-color" content="{{ config.THEME_COLOR }}">{% endif %}
<style>{{ config.CSS | safe }} <style nonce="{{ csp_nonce() }}">{{ config.CSS | safe }}
.icon { color: #555; } .icon { color: #555; }
.emoji { .emoji {
width: 20px; width: 20px;

4
templates/login.html
View file

@ -2,7 +2,7 @@
{% import 'utils.html' as utils %} {% import 'utils.html' as utils %}
{% block title %}Login - {{ config.NAME }}{% endblock %} {% block title %}Login - {{ config.NAME }}{% endblock %}
{% block header %} {% block header %}
<style> <style nonce="{{ csp_nonce() }}">
#login-container { #login-container {
height: 90%; height: 90%;
display: grid; display: grid;
@ -28,7 +28,7 @@ display:inline;
</div> </div>
{% if u2f_enabled %} {% if u2f_enabled %}
<script> <script nonce="{{ csp_nonce() }}">
var p = {{ payload | tojson }}; var p = {{ payload | tojson }};
if (p) { if (p) {
u2f.sign(p.appId, p.challenge, p.registeredKeys, function(resp) { u2f.sign(p.appId, p.challenge, p.registeredKeys, function(resp) {

2
templates/new.html
View file

@ -90,7 +90,7 @@
</div> </div>
</div> </div>
<script> <script nonce="{{ csp_nonce() }}">
// The new post textarea // The new post textarea
var ta = document.getElementsByTagName("textarea")[0]; var ta = document.getElementsByTagName("textarea")[0];
// Helper for inserting text (emojis) in the textarea // Helper for inserting text (emojis) in the textarea

2
templates/u2f.html
View file

@ -12,7 +12,7 @@
</form> </form>
</div> </div>
<script> <script nonce="{{ csp_nonce() }}">
var p= {{ payload | tojson }}; var p= {{ payload | tojson }};
//setTimeout(function() { //setTimeout(function() {
u2f.register(p.appId, p.registerRequests, p.registeredKeys, function(resp) { u2f.register(p.appId, p.registerRequests, p.registeredKeys, function(resp) {