HTTP Content-Security-Policy and Nikita
Aamot Engineering
post at as.engineering
Mon Nov 20 02:18:02 CET 2023
Have you seen the code for HTTP Content-Security-Policy in Python?
#!/usr/bin/env python3
import os
from http.server import HTTPServer, BaseHTTPRequestHandler
from urllib.parse import urlparse

class MyHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        o = urlparse(self.path)
        # Resolve the requested path under the working directory and refuse
        # anything that escapes it or is not a regular file; the original
        # open("." + o.path) would follow ".." segments and crash on a
        # missing file.
        root = os.getcwd()
        path = os.path.realpath(os.path.join(root, o.path.lstrip('/')))
        if not path.startswith(root + os.sep) or not os.path.isfile(path):
            self.send_error(404)
            return
        with open(path, 'rb') as f:
            body = f.read()
        self.send_response(200)
        # The two string literals are joined by implicit concatenation.
        # A fixed value such as 'nonce-1rA2345' is only a placeholder: a
        # real nonce must be unpredictable and freshly generated for every
        # response, otherwise injected markup can simply copy it.
        self.send_header('Content-Security-Policy',
                         "default-src 'self';"
                         "script-src 'self' *.oka.no:8000 'nonce-1rA2345'")
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(body)

httpd = HTTPServer(('127.0.0.1', 8000), MyHTTPRequestHandler)
httpd.serve_forever()
I assume that Nikita also needs a CSP nonce rule that explicitly allows
execution of JavaScript, but that this code has to be written in Java.
See https://content-security-policy.com/nonce/ and
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Content-Security-Policy is *the name of a HTTP response header that modern
browsers use to enhance the security of the document (or web page)*. The
Content-Security-Policy header allows you to restrict which resources (such
as JavaScript, CSS, Images, etc.) can be loaded, and the URLs that they can
be loaded from.
--
Best regards,
Ole Aamot
Aamot Engineering
post at as.engineering
www.as.engineering
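As an added example, not code from the post or from the Nikita project, this shows the per-response nonce scheme the post links to: a fresh nonce per response, the matching script-src header, a page that attaches the nonce only to its own script, and a check mirroring what a browser does with an inline script that lacks the nonce. Function names (make_nonce, csp_header, render_page, scripts_that_would_run) and the sample page content are my own assumptions.

```python
#!/usr/bin/env python3
"""Per-response CSP nonce: generation, header, page rendering and a
nonce check that mirrors the browser's decision for inline scripts."""
import re
import secrets

def make_nonce() -> str:
    # 128 bits from the OS CSPRNG, base64url-encoded. A fixed or
    # guessable nonce gives no protection: injected markup could copy it.
    return secrets.token_urlsafe(16)

def csp_header(nonce: str) -> str:
    # The nonce is only meaningful for the single response that carries it.
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"

def render_page(nonce: str, untrusted: str) -> str:
    # `untrusted` stands in for user-supplied content (constructed sample);
    # the template attaches the nonce to its own script, never to that text.
    return (
        "<html><body>\n"
        f'<script nonce="{nonce}">console.log("app code");</script>\n'
        f"<p>{untrusted}</p>\n"
        "</body></html>\n"
    )

_SCRIPT = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE = re.compile(r'\bnonce="([^"]*)"')

def allowed_nonces(header: str) -> set:
    # Collect every 'nonce-...' source listed in the header.
    return set(re.findall(r"'nonce-([^']+)'", header))

def scripts_that_would_run(html: str, header: str) -> list:
    """One bool per <script> tag, in document order: True if its nonce
    attribute matches a nonce in the header. Only the nonce is considered;
    host-source matching for src= scripts is out of scope here."""
    nonces = allowed_nonces(header)
    results = []
    for attrs in _SCRIPT.findall(html):
        m = _NONCE.search(attrs)
        results.append(bool(m) and m.group(1) in nonces)
    return results

if __name__ == "__main__":
    nonce = make_nonce()
    hdr = csp_header(nonce)
    # Constructed sample: a second, unnonced inline script in user content.
    page = render_page(nonce, "<script>alert(1)</script>")
    print(hdr)
    print(scripts_that_would_run(page, hdr))  # [True, False]
```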