Update.

2025-06-06 03:33:45 +02:00 · 2025-06-06 03:33:45 +02:00 · 58a951eec9
commit 58a951eec9
parent ef75cb3341
2 changed files with 15 additions and 2 deletions
--- a/src/snek/app.py
+++ b/src/snek/app.py
@ -28,7 +28,7 @@ from snek.service import get_services
 from snek.system import http
 from snek.system.cache import Cache
 from snek.system.markdown import MarkdownExtension
-from snek.system.middleware import auth_middleware, cors_middleware
+from snek.system.middleware import auth_middleware, cors_middleware, csp_middleware
 from snek.system.profiler import profiler_handler
 from snek.system.template import EmojiExtension, LinkifyExtension, PythonExtension
 from snek.view.about import AboutHTMLView, AboutMDView
@ -111,7 +111,8 @@ class Application(BaseApplication):
        middlewares = [
            cors_middleware,
            web.normalize_path_middleware(merge_slashes=True),
-            ip2location_middleware
+            ip2location_middleware,
+            csp_middleware
        ]
        self.template_path = pathlib.Path(__file__).parent.joinpath("templates")
        self.static_path = pathlib.Path(__file__).parent.joinpath("static")
--- a/src/snek/system/middleware.py
+++ b/src/snek/system/middleware.py
@ -7,7 +7,19 @@
 # MIT License: This code is distributed under the MIT License.

 from aiohttp import web
+import secrets

+def generate_nonce():
+    return secrets.token_hex(16)
+
+@web.middleware
+async def csp_middleware(app, handler):
+    async def middleware(request):
+        response = await handler(request)
+        nonce = generate_nonce()
+        response.headers['Content-Security-Policy'] = csp_policy.format(nonce=nonce)
+        return response
+    return middleware

@web.middleware
 async def no_cors_middleware(request, handler):