From 58a951eec9ca8fd66ee1d938120461e51551dfd2 Mon Sep 17 00:00:00 2001
From: retoor
Date: Fri, 6 Jun 2025 03:33:45 +0200
Subject: [PATCH] Update.
---
 src/snek/app.py | 5 +++--
 src/snek/system/middleware.py | 12 ++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/snek/app.py b/src/snek/app.py
index d759536..6a79592 100644
--- a/src/snek/app.py
+++ b/src/snek/app.py
@@ -28,7 +28,7 @@ from snek.service import get_services
 from snek.system import http
 from snek.system.cache import Cache
 from snek.system.markdown import MarkdownExtension
-from snek.system.middleware import auth_middleware, cors_middleware
+from snek.system.middleware import auth_middleware, cors_middleware, csp_middleware
 from snek.system.profiler import profiler_handler
 from snek.system.template import EmojiExtension, LinkifyExtension, PythonExtension
 from snek.view.about import AboutHTMLView, AboutMDView
@@ -111,7 +111,8 @@ class Application(BaseApplication):
 middlewares = [
 cors_middleware,
 web.normalize_path_middleware(merge_slashes=True),
- ip2location_middleware
+ ip2location_middleware,
+ csp_middleware
 ]
 self.template_path = pathlib.Path(__file__).parent.joinpath("templates")
 self.static_path = pathlib.Path(__file__).parent.joinpath("static")
diff --git a/src/snek/system/middleware.py b/src/snek/system/middleware.py
index 3a9a055..13b6613 100644
--- a/src/snek/system/middleware.py
+++ b/src/snek/system/middleware.py
@@ -7,7 +7,19 @@
 # MIT License: This code is distributed under the MIT License.
 from aiohttp import web
+import secrets
+def generate_nonce():
+ return secrets.token_hex(16)
+
+@web.middleware
+async def csp_middleware(app, handler):
+ async def middleware(request):
+ response = await handler(request)
+ nonce = generate_nonce()
+ response.headers['Content-Security-Policy'] = csp_policy.format(nonce=nonce)
+ return response
+ return middleware
 @web.middleware
 async def no_cors_middleware(request, handler):
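Review bot: `csp_middleware` in src/snek/system/middleware.py is decorated with `@web.middleware` but written as an old-style factory, `async def csp_middleware(app, handler)` returning an inner `middleware` coroutine; aiohttp's decorator style calls it as `(request, handler)` and expects a response back, so once app.py registers it in `middlewares` every request would get the inner function instead of a response, while the sibling `no_cors_middleware(request, handler)` directly below already shows the expected shape. The nonce is also generated only after `handler(request)` returns, so nothing the handler renders can carry a matching `nonce=` attribute and any inline script or style the policy admits by nonce would be blocked by the header it sets. `csp_policy` is not defined anywhere in this hunk; unless it exists elsewhere in the file it is a NameError on the first request, and the header assignment also overwrites any Content-Security-Policy a handler set itself. The rewrite below mints the nonce first and exposes it on the request (`request['csp_nonce']` is a suggested key, not an existing one), then sets the header on the returned response.

```python
@web.middleware
async def csp_middleware(request, handler):
    # Mint the nonce before the handler runs so templates can emit it on
    # <script nonce="..."> / <style nonce="..."> tags that match the header.
    nonce = generate_nonce()
    request['csp_nonce'] = nonce  # suggested key; pick whatever templates read
    response = await handler(request)
    response.headers['Content-Security-Policy'] = csp_policy.format(nonce=nonce)
    return response
```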