@@ -42,16 +42,24 b' sys_info = json.dumps(get_sys_info())' | |||
|
42 | 42 | |
|
43 | 43 | class AuthenticatedHandler(web.RequestHandler): |
|
44 | 44 | """A RequestHandler with an authenticated user.""" |
|
45 | ||
|
46 | @property | |
|
47 | def content_security_policy(self): | |
|
48 | """The default Content-Security-Policy header | |
|
49 | ||
|
50 | Can be overridden by defining Content-Security-Policy in settings['headers'] | |
|
51 | """ | |
|
52 | return '; '.join([ | |
|
53 | "frame-ancestors 'self'", | |
|
54 | # Make sure the report-uri is relative to the base_url | |
|
55 | "report-uri " + url_path_join(self.base_url, csp_report_uri), | |
|
56 | ]) | |
|
45 | 57 | |
|
46 | 58 | def set_default_headers(self): |
|
47 | 59 | headers = self.settings.get('headers', {}) |
|
48 | 60 | |
|
49 | 61 | if "Content-Security-Policy" not in headers: |
|
50 |
headers["Content-Security-Policy"] = |
|
|
51 | "frame-ancestors 'self'; " | |
|
52 | # Make sure the report-uri is relative to the base_url | |
|
53 | "report-uri " + url_path_join(self.base_url, csp_report_uri) + ";" | |
|
54 | ) | |
|
62 | headers["Content-Security-Policy"] = self.content_security_policy | |
|
55 | 63 | |
|
56 | 64 | # Allow for overriding headers |
|
57 | 65 | for header_name,value in headers.items() : |
@@ -311,8 +319,16 b' class IPythonHandler(AuthenticatedHandler):' | |||
|
311 | 319 | |
|
312 | 320 | class APIHandler(IPythonHandler): |
|
313 | 321 | """Base class for API handlers""" |
|
322 | ||
|
323 | @property | |
|
324 | def content_security_policy(self): | |
|
325 | csp = '; '.join([ | |
|
326 | super(APIHandler, self).content_security_policy, | |
|
327 | "default-src 'none'", | |
|
328 | ]) | |
|
329 | return csp | |
|
330 | ||
|
314 | 331 | def finish(self, *args, **kwargs): |
|
315 | self.set_header('Content-Security-Policy', "default-src 'none'") | |
|
316 | 332 | self.set_header('Content-Type', 'application/json') |
|
317 | 333 | return super(APIHandler, self).finish(*args, **kwargs) |
|
318 | 334 |
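Review bot: Moving the API lockdown out of `finish` and into the `content_security_policy` property changes when `default-src 'none'` is applied: the removed `self.set_header('Content-Security-Policy', "default-src 'none'")` ran unconditionally, whereas the new value only reaches the response through `set_default_headers`, which skips it entirely when a deployment has put `Content-Security-Policy` into `settings['headers']`. If I read the first hunk right, that means a single permissive override configured for page handlers now also strips the restrictive policy from every API response, which the old code did not allow; the commit message or a comment on the override branch should state that this is intended, or the API property should be applied regardless of the override. The new `APIHandler.content_security_policy` also has no docstring; I would add `"""The base policy plus `default-src 'none'`, since API responses never need to load sub-resources."""` to match the base class's documented property. Note that `csp_report_uri` and `url_path_join`, which the base property depends on, are defined outside these hunks, and `finish` itself continues past the hunk.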
@@ -67,7 +67,8 b' class KernelAPITest(NotebookTestBase):' | |||
|
67 | 67 | |
|
68 | 68 | self.assertEqual(r.headers['Content-Security-Policy'], ( |
|
69 | 69 | "frame-ancestors 'self'; " |
|
70 | "report-uri /api/security/csp-report;" | |
|
70 | "report-uri /api/security/csp-report; " | |
|
71 | "default-src 'none'" | |
|
71 | 72 | )) |
|
72 | 73 | |
|
73 | 74 | def test_main_kernel_handler(self): |
@@ -80,7 +81,8 b' class KernelAPITest(NotebookTestBase):' | |||
|
80 | 81 | |
|
81 | 82 | self.assertEqual(r.headers['Content-Security-Policy'], ( |
|
82 | 83 | "frame-ancestors 'self'; " |
|
83 | "report-uri /api/security/csp-report;" | |
|
84 | "report-uri /api/security/csp-report; " | |
|
85 | "default-src 'none'" | |
|
84 | 86 | )) |
|
85 | 87 | |
|
86 | 88 | # GET request |
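Review bot: Both updated assertions pin the exact joined string, so they now depend on the order in which `'; '.join` emits the directives and on the base class not growing another directive, not on the policy itself; the second hunk repeats the same literal. A less brittle check compares the directive set, e.g. `csp = r.headers['Content-Security-Policy']` followed by `self.assertEqual({d.strip() for d in csp.split(';')}, {"frame-ancestors 'self'", "report-uri /api/security/csp-report", "default-src 'none'"})`. The test methods containing these assertions start before each hunk, so the request setup that produces `r` is not visible here.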