Flask的内容安全策略标头支持
Add a Content Security Policy header to your Flask application.
More information on CSP:
Install the extension with using pip, or easy_install. Pypi Link
$ pip install flask-csp
Add the csp_header(…) decorator after the app.route(…) decorator to create a csp header on each route. The decorator can either be passed no value (Add default policies) or custom values by a dict (Add custom policies). For more information on the default policies see “Change Default Policies” below.
from flask_csp.csp import csp_header...@app.route('/')@csp_header()
Pass the csp_header wrapper a dict with the policies to change:
from flask_csp.csp import csp_header...@app.route('/')@csp_header({'default-src':"'none'",'script-src':"'self'"})
Notes:
To set the header to “Report only” pass the key/value pair ‘report-only’:True to the custom header dict:
from flask_csp.csp import csp_header...@app.route('/')@csp_header({'report-only':True})
The default policies are as follows:
{"default-src": "'self'","script-src": "","img-src": "","object-src": "","plugin-src": "","style-src": "","media-src": "","child-src": "","connect-src": "","base-uri": "","report-uri": "/csp_report"}
Edit default policies via command line:
>>> from flask_csp.csp import csp_default>>> h = csp_default()>>> h.update({'child-src':"'self'"})
Edit default policies on flask app:
from flask_csp.csp import csp_header, csp_defaulth = csp_default()h.update({'script-src':"'self' code.jquery.com"})
To view the default policies:
>>> from flask_csp.csp import csp_default>>> h = csp_default()>>> h.read()
Note:
Based on the default settings, reports will be sent to the route ‘csp_report’ through a POST request. This is totally customizable but here is a very simplistic example of handling these reports:
@app.route('/csp_report',methods=['POST'])def csp_report():with open('/var/log/csp/csp_reports', "a") as fh:fh.write(request.data.decode()+"\n")return 'done'