upstream/ipython Commit - r21487:7222bd53

Merge branch csp into 3.x...

Min RK -

r21487:7222bd53

parent child

IPython/html/base/handlers.py

0 +33 -8

             class AuthenticatedHandler(web.RequestHandler):
                 """A RequestHandler with an authenticated user."""
+                @property
+                def content_security_policy(self):
+                    """The default Content-Security-Policy header
+                    Can be overridden by defining Content-Security-Policy in settings['headers']
+                    """
+                    return '; '.join([
+                        "frame-ancestors 'self'",
+                        # Make sure the report-uri is relative to the base_url
+                        "report-uri " + url_path_join(self.base_url, csp_report_uri),
+                    ])
                 def set_default_headers(self):
                     headers = self.settings.get('headers', {})
                     if "Content-Security-Policy" not in headers:
-                        headers["Content-Security-Policy"] = (
+                        headers["Content-Security-Policy"] = self.content_security_policy
-                                "frame-ancestors 'self'; "
-                                # Make sure the report-uri is relative to the base_url
-                                "report-uri " + url_path_join(self.base_url, csp_report_uri) + ";"
                     # Allow for overriding headers
                     for header_name,value in headers.items() :
                     self.write(html)
+            class APIHandler(IPythonHandler):
+                """Base class for API handlers"""
+                @property
+                def content_security_policy(self):
+                    csp = '; '.join([
+                            super(APIHandler, self).content_security_policy,
+                            "default-src 'none'",
+                        ])
+                    return csp
+                def finish(self, *args, **kwargs):
+                    self.set_header('Content-Type', 'application/json')
+                    return super(APIHandler, self).finish(*args, **kwargs)
             class Template404(IPythonHandler):
                 """Render our 404 template"""
                     try:
                         result = yield gen.maybe_future(method(self, *args, **kwargs))
                     except web.HTTPError as e:
+                        self.set_header('Content-Type', 'application/json')
                         status = e.status_code
                         message = e.log_message
                         self.log.warn(message)
                         reply = dict(message=message, reason=e.reason)
                         self.finish(json.dumps(reply))
                     except Exception:
+                        self.set_header('Content-Type', 'application/json')
                         self.log.error("Unhandled error in API request", exc_info=True)
                         status = 500
                         message = "Unknown server error"
             # to minimize subclass changes:
             HTTPError = web.HTTPError
-            class FileFindHandler(web.StaticFileHandler):
+            class FileFindHandler(IPythonHandler, web.StaticFileHandler):
                 """subclass of StaticFileHandler for serving files from a search path"""
                 # cache search results, don't search for files more than once
                     return super(FileFindHandler, self).validate_absolute_path(root, absolute_path)
-            class ApiVersionHandler(IPythonHandler):
+            class APIVersionHandler(APIHandler):
                 @json_errors
                 def get(self):
             default_handlers = [
                 (r".*/", TrailingSlashHandler),
-                (r"api", ApiVersionHandler)
+                (r"api", APIVersionHandler)
             ]

IPython/html/services/clusters/handlers.py

0 +4 -4

             from tornado import web
-            from ...base.handlers import IPythonHandler
+            from ...base.handlers import APIHandler
             #-----------------------------------------------------------------------------
             # Cluster handlers
             #-----------------------------------------------------------------------------
-            class MainClusterHandler(IPythonHandler):
+            class MainClusterHandler(APIHandler):
                 @web.authenticated
                 def get(self):
                     self.finish(json.dumps(self.cluster_manager.list_profiles()))
-            class ClusterProfileHandler(IPythonHandler):
+            class ClusterProfileHandler(APIHandler):
                 @web.authenticated
                 def get(self, profile):
                     self.finish(json.dumps(self.cluster_manager.profile_info(profile)))
-            class ClusterActionHandler(IPythonHandler):
+            class ClusterActionHandler(APIHandler):
                 @web.authenticated
                 def post(self, profile, action):

IPython/html/services/config/handlers.py

0 +2 -2

             from tornado import web
             from IPython.utils.py3compat import PY3
-            from ...base.handlers import IPythonHandler, json_errors
+            from ...base.handlers import APIHandler, json_errors
-            class ConfigHandler(IPythonHandler):
+            class ConfigHandler(APIHandler):
                 SUPPORTED_METHODS = ('GET', 'PUT', 'PATCH')
                 @web.authenticated

IPython/html/services/contents/handlers.py

0 +4 -4

             from IPython.utils.jsonutil import date_default
             from IPython.html.base.handlers import (
-                IPythonHandler, json_errors, path_regex,
+                IPythonHandler, APIHandler, json_errors, path_regex,
             )
                         )
-            class ContentsHandler(IPythonHandler):
+            class ContentsHandler(APIHandler):
                 SUPPORTED_METHODS = (u'GET', u'PUT', u'PATCH', u'POST', u'DELETE')
                     self.finish()
-            class CheckpointsHandler(IPythonHandler):
+            class CheckpointsHandler(APIHandler):
                 SUPPORTED_METHODS = ('GET', 'POST')
                     self.finish(data)
-            class ModifyCheckpointsHandler(IPythonHandler):
+            class ModifyCheckpointsHandler(APIHandler):
                 SUPPORTED_METHODS = ('POST', 'DELETE')

IPython/html/services/kernels/handlers.py

0 +4 -4

             from IPython.utils.py3compat import cast_unicode
             from IPython.html.utils import url_path_join, url_escape
-            from ...base.handlers import IPythonHandler, json_errors
+            from ...base.handlers import IPythonHandler, APIHandler, json_errors
             from ...base.zmqhandlers import AuthenticatedZMQStreamHandler, deserialize_binary_message
             from IPython.core.release import kernel_protocol_version
-            class MainKernelHandler(IPythonHandler):
+            class MainKernelHandler(APIHandler):
                 @web.authenticated
                 @json_errors
                     self.finish(json.dumps(model))
-            class KernelHandler(IPythonHandler):
+            class KernelHandler(APIHandler):
                 SUPPORTED_METHODS = ('DELETE', 'GET')
                     self.finish()
-            class KernelActionHandler(IPythonHandler):
+            class KernelActionHandler(APIHandler):
                 @web.authenticated
                 @json_errors

IPython/html/services/kernels/tests/test_kernels_api.py

0 +2 0

                     self.assertEqual(r.headers['Content-Security-Policy'], (
                                         "frame-ancestors 'self'; "
                                         "report-uri /api/security/csp-report; "
+                                        "default-src 'none'"
                     ))
                 def test_main_kernel_handler(self):
                     self.assertEqual(r.headers['Content-Security-Policy'], (
                                         "frame-ancestors 'self'; "
                                         "report-uri /api/security/csp-report; "
+                                        "default-src 'none'"
                     ))
                     # GET request

IPython/html/services/kernelspecs/handlers.py

0 +3 -3

             from tornado import web
-            from ...base.handlers import IPythonHandler, json_errors
+            from ...base.handlers import APIHandler, json_errors
             from ...utils import url_path_join
             def kernelspec_model(handler, name):
                     )
                 return d
-            class MainKernelSpecHandler(IPythonHandler):
+            class MainKernelSpecHandler(APIHandler):
                 SUPPORTED_METHODS = ('GET',)
                 @web.authenticated
                     self.finish(json.dumps(model))
-            class KernelSpecHandler(IPythonHandler):
+            class KernelSpecHandler(APIHandler):
                 SUPPORTED_METHODS = ('GET',)
                 @web.authenticated

IPython/html/services/nbconvert/handlers.py

0 +2 -2

             from tornado import web
-            from ...base.handlers import IPythonHandler, json_errors
+            from ...base.handlers import APIHandler, json_errors
-            class NbconvertRootHandler(IPythonHandler):
+            class NbconvertRootHandler(APIHandler):
                 SUPPORTED_METHODS = ('GET',)
                 @web.authenticated

IPython/html/services/security/handlers.py

0 +2 -2

             from tornado import gen, web
-            from ...base.handlers import IPythonHandler, json_errors
+            from ...base.handlers import APIHandler, json_errors
             from . import csp_report_uri
-            class CSPReportHandler(IPythonHandler):
+            class CSPReportHandler(APIHandler):
                 '''Accepts a content security policy violation report'''
                 @web.authenticated
                 @json_errors

IPython/html/services/sessions/handlers.py

0 +3 -3

             from tornado import web
-            from ...base.handlers import IPythonHandler, json_errors
+            from ...base.handlers import APIHandler, json_errors
             from IPython.utils.jsonutil import date_default
             from IPython.html.utils import url_path_join, url_escape
             from IPython.kernel.kernelspec import NoSuchKernel
-            class SessionRootHandler(IPythonHandler):
+            class SessionRootHandler(APIHandler):
                 @web.authenticated
                 @json_errors
                     self.set_status(201)
                     self.finish(json.dumps(model, default=date_default))
-            class SessionHandler(IPythonHandler):
+            class SessionHandler(APIHandler):
                 SUPPORTED_METHODS = ('GET', 'PATCH', 'DELETE')

IPython/html/terminal/api_handlers.py

0 +3 -3

             import json
             from tornado import web, gen
-            from ..base.handlers import IPythonHandler, json_errors
+            from ..base.handlers import APIHandler, json_errors
             from ..utils import url_path_join
-            class TerminalRootHandler(IPythonHandler):
+            class TerminalRootHandler(APIHandler):
                 @web.authenticated
                 @json_errors
                 def get(self):
                     self.finish(json.dumps({'name': name}))
-            class TerminalHandler(IPythonHandler):
+            class TerminalHandler(APIHandler):
                 SUPPORTED_METHODS = ('GET', 'DELETE')
                 @web.authenticated

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages