GitLocker: The Coding Marketplace

Description:

pyramidcsp 0.1.0

pyramid-csp
pyramid-csp is a simple Pyramid add-on for adding a Content-Security-Policy header your HTTP responses
For more information on Content Security Policies, see https://content-security-policy.com/
Setup
There are two ways of including pyramid-csp in your application:
The first is adding pyramid_csp to the pyramid.includes section of your application settings.
[app:main]
pyramid.includes = pyramid_csp

The second is using the Configurator.include function.
config.include("pyramid.csp")

Basic Usage
The most basic usage of pyramid-csp is to set the csp.policy setting.
This setting should be a valid CSP and will be added to the response headers.
[app:main]
csp.policy = default-src https://example.com

>> curl -i http://localhost:8000
...
Content-Security-Policy: default-src https://example.com
...

You can also create a policy by programmatically adding sources with the add_csp_source configuration method.
(This will work in addition to the csp.policy setting.)
The first argument is the directive name
config.add_csp_source("default-src", "'self'")

>> curl -i http://localhost:8000
...
Content-Security-Policy: default-src https://example.com 'self'
...

The request object also contains an add_csp_source method,
which works the same as the configurator method but will only add the source for that request.
def myview(context, request):
nonce = secrets.token_urlsafe()
request.add_csp_source("default-src", f"'nonce-{nonce}'")
return Response(body="<h1>Hello</h1>", content_type="text/html")

Note: If no sources are defined for the default-src directive, 'none' is automatically added.
Preset Sources
pyramid-src provides the CSPSources object, which contains several preset sources.
For example:
from pyramid_csp import CSPSources

def includeme(config):
config.add_csp_source("default-src", CSPSources.UNSAFE_EVAL)

The CSPSources object has the following properties:

WILDCARD — *
NONE — 'none'
SELF — 'self'
DATA — data:
HTTPS — https:
UNSAFE_INLINE — 'unsafe-inline'
UNSAFE_EVAL — 'unsafe-eval'
STRICT_DYNAMIC — 'strict-dynamic'
UNSAFE_HASHES — 'unsafe-hashes'

The object also offers several methods for generating sources:

https(domain) — https://{domain}
nonce(nonce) — 'nonce-{nonce}'
hash(alg, h) — '{alg}-{h}'
(h should be a binary hash digest or a base64-encoded string.
If binary, it will be base64-encoded.)
sha256(h) — 'sha256-{h}'
sha384(h) — 'sha384-{h}'
sha512(h) — 'sha512-{h}'

Nonces
pyramid-csp adds a csp_nonce property to the request object,
containing a crytographically secure random nonce token.
If accessed, the nonce token will be added to the CSP.
def myview(context, request):
body = '<script nonce="{ request.csp_nonce }">alert("Hello!");</script>'
return Response(body=body, content_type="text/html")

>> curl -i http://localhost:8000/
...
Content-Security-Policy: default-src 'nonce-ZtynG2MXgOPkqWgHyqf8wrR8jOeprIA2qDMKJuOfEXw'
...
<script nonce="ZtynG2MXgOPkqWgHyqf8wrR8jOeprIA2qDMKJuOfEXw">alert("Hello!")</script>

By default, the nonce will only be added to the default-src directive.
To add it to a different directive, use the csp.nonce_directives setting.
Multiple directives can be separated with a comma.
[app:main]
csp.nonce_directives = script-src, style-src

def myview(context, request):
body = '<script nonce="{ request.csp_nonce }">alert("Hello!");</script>'
return Response(body=body, content_type="text/html")

>> curl -i http://localhost:8000/
...
Content-Security-Policy: default-src 'none'; script-src 'nonce-vyjGpdvTnH6x7-eL-RvVMmxx4KNMTfX9WoLdmgijv2c'; script-src 'nonce-vyjGpdvTnH6x7-eL-RvVMmxx4KNMTfX9WoLdmgijv2c'
...
<script nonce="vyjGpdvTnH6x7-eL-RvVMmxx4KNMTfX9WoLdmgijv2c">alert("Hello!")</script>

For more information CSP nonces, see https://content-security-policy.com/nonce/