using flask-talisman feature-policy
Signed-off-by: chang-ning <[email protected]>
crazyguitar committed Oct 10, 2018
1 parent 83de0b7 commit b4db0e4
Showing 2 changed files with 11 additions and 18 deletions.
17 changes: 9 additions & 8 deletions app.py
Expand Up @@ -39,6 +39,9 @@ def find_key(token):
"frame-ancestors": "'none'",
"object-src": "'none'",
}

feature_policy = {"geolocation": "'none'"}

app = Flask(__name__, template_folder=ROOT)
app.config["SECRET_KEY"] = os.urandom(16)
app.config["SESSION_COOKIE_NAME"] = "__Secure-session"
Expand All @@ -47,7 +50,12 @@ def find_key(token):
app.config["CSRF_COOKIE_HTTPONLY"] = True
app.config["CSRF_COOKIE_SECURE"] = True
csrf = SeaSurf(app)
talisman = Talisman(app, force_https=False, content_security_policy=csp)
talisman = Talisman(
app,
force_https=False,
content_security_policy=csp,
feature_policy=feature_policy,
)

if "DYNO" in os.environ:
sslify = SSLify(app, skips=[".well-known"])
Expand All @@ -59,13 +67,6 @@ def page_not_found(e):
return render_template("404.html"), 404


@app.after_request
def add_feature_policy(response):
"""Add feature policy."""
response.headers["Feature-Policy"] = "geolocation 'none'"
return response


@app.route("/<path:path>")
def static_proxy(path):
"""Find static files."""
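Review bot: The new `feature_policy` dict restricts only geolocation, so every other browser feature (camera, microphone, payment, USB, …) keeps the browser default on this site; the app appears to serve static pages (see `static_proxy`), so it presumably needs none of them and the dict is the natural place to deny the rest too, e.g. `feature_policy = {"geolocation": "'none'", "camera": "'none'", "microphone": "'none'"}`. A short comment above the dict, `# Browser features this site never uses; Talisman renders them as the Feature-Policy header`, would record the intent the way the `csp` dict just above is the single source for Content-Security-Policy. Note also that Feature-Policy has since been superseded by Permissions-Policy, which I believe later flask-talisman releases expose as a `permissions_policy` argument to Talisman, so this dict will eventually need to move to that keyword and the test that checks the header name with it.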
12 changes: 2 additions & 10 deletions app_test.py
Expand Up @@ -7,14 +7,7 @@
from werkzeug.exceptions import NotFound
from flask_testing import LiveServerTestCase

from app import (
acme,
find_key,
static_proxy,
index_redirection,
add_feature_policy,
page_not_found,
)
from app import acme, find_key, static_proxy, index_redirection, page_not_found

from app import ROOT
from app import app
Expand Down Expand Up @@ -49,6 +42,7 @@ def check_security_headers(self, resp):
self.assertTrue("X-Content-Type-Options" in headers)
self.assertTrue("Content-Security-Policy" in headers)
self.assertTrue("Feature-Policy" in headers)
self.assertEqual(headers["Feature-Policy"], "geolocation 'none'")
self.assertEqual(headers["X-Frame-Options"], "SAMEORIGIN")

def check_csrf_cookies(self, resp):
Expand Down Expand Up @@ -125,7 +119,6 @@ def test_acme(self):
def test_index_redirection(self):
"""Test index page redirection."""
resp = index_redirection()
add_feature_policy(resp)
self.assertEqual(resp.status_code, 200)
resp.close()

Expand All @@ -136,7 +129,6 @@ def test_static_proxy(self):
for h in htmls:
u = "notes/" + h
resp = static_proxy(u)
add_feature_policy(resp)
self.assertEqual(resp.status_code, 200)
resp.close()

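Review bot: The new assertion in check_security_headers pins the header to the literal `geolocation 'none'`, which is the right strictness for a security header but now has to move in lockstep with `feature_policy` in app.py; a comment beside it, `# Must match app.feature_policy as rendered by Talisman`, would tell the next editor where the value comes from. Separately, dropping `add_feature_policy(resp)` from test_index_redirection and test_static_proxy means those tests call the view functions directly, outside any request cycle, so Talisman's after-request processing presumably does not run and nothing about Feature-Policy is verified there any more; coverage of the header now rests on whichever callers of check_security_headers lie outside this hunk, which should be responses obtained through the test client rather than direct view calls. check_security_headers and both test methods continue outside their hunks.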
