Nonce based CSP not supported in Safari yet
This commit is contained in:
parent
c92c840c41
commit
511a5c0d1f
1 changed files with 11 additions and 1 deletions
|
@ -229,6 +229,16 @@ class UiRequest(object):
|
|||
else:
|
||||
return referer
|
||||
|
||||
def isScriptNonceSupported(self):
|
||||
user_agent = self.env.get("HTTP_USER_AGENT")
|
||||
if "Edge/" in user_agent:
|
||||
is_script_nonce_supported = False
|
||||
elif "Safari/" in user_agent and "Chrome/" not in user_agent:
|
||||
is_script_nonce_supported = False
|
||||
else:
|
||||
is_script_nonce_supported = True
|
||||
return is_script_nonce_supported
|
||||
|
||||
# Send response headers
|
||||
def sendHeader(self, status=200, content_type="text/html", noscript=False, allow_ajax=False, script_nonce=None, extra_headers=[]):
|
||||
headers = {}
|
||||
|
@ -241,7 +251,7 @@ class UiRequest(object):
|
|||
|
||||
if noscript:
|
||||
headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src 'self'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline';"
|
||||
elif script_nonce and "Edge/" not in self.env.get("HTTP_USER_AGENT"):
|
||||
elif script_nonce and self.isScriptNonceSupported():
|
||||
headers["Content-Security-Policy"] = "default-src 'none'; script-src 'nonce-{0}'; img-src 'self'; style-src 'self' 'unsafe-inline'; connect-src *; frame-src 'self'".format(script_nonce)
|
||||
|
||||
if allow_ajax:
|
||||
|
|
Loading…
Reference in a new issue