make content_security_policy a property

and *add* `default-src: 'none'` to API handlers custom CSP applies to all handlers
2025-01-30 12:11:32 +08:00 · 2015-06-20 12:55:52 -07:00 · 2015-06-20 12:55:52 -07:00 · 5403d2479d
commit 5403d2479d
parent 709ed0d04b
2 changed files with 26 additions and 8 deletions
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@ -41,15 +41,23 @@ sys_info = json.dumps(get_sys_info())
 class AuthenticatedHandler(web.RequestHandler):
    """A RequestHandler with an authenticated user."""
    
+    @property
+    def content_security_policy(self):
+        """The default Content-Security-Policy header
+        
+        Can be overridden by defining Content-Security-Policy in settings['headers']
+        """
+        return '; '.join([
+            "frame-ancestors 'self'",
+            # Make sure the report-uri is relative to the base_url
+            "report-uri " + url_path_join(self.base_url, csp_report_uri),
+        ])
+
    def set_default_headers(self):
        headers = self.settings.get('headers', {})

        if "Content-Security-Policy" not in headers:
-            headers["Content-Security-Policy"] = (
-                    "frame-ancestors 'self'; "
-                    # Make sure the report-uri is relative to the base_url
-                    "report-uri " + url_path_join(self.base_url, csp_report_uri) + ";"
-            )
+            headers["Content-Security-Policy"] = self.content_security_policy

        # Allow for overriding headers
        for header_name,value in headers.items() :
@ -305,8 +313,16 @@ class IPythonHandler(AuthenticatedHandler):

 class APIHandler(IPythonHandler):
    """Base class for API handlers"""
+    
+    @property
+    def content_security_policy(self):
+        csp = '; '.join([
+                super(APIHandler, self).content_security_policy,
+                "default-src 'none'",
+            ])
+        return csp
+    
    def finish(self, *args, **kwargs):
-        self.set_header('Content-Security-Policy', "default-src 'none'")
        self.set_header('Content-Type', 'application/json')
        return super(APIHandler, self).finish(*args, **kwargs)

--- a/notebook/services/kernels/tests/test_kernels_api.py
+++ b/notebook/services/kernels/tests/test_kernels_api.py
@ -69,7 +69,8 @@ class KernelAPITest(NotebookTestBase):

        self.assertEqual(r.headers['Content-Security-Policy'], (
                            "frame-ancestors 'self'; "
-                            "report-uri /api/security/csp-report;"
+                            "report-uri /api/security/csp-report; "
+                            "default-src 'none'"
        ))

    def test_main_kernel_handler(self):
@ -82,7 +83,8 @@ class KernelAPITest(NotebookTestBase):

        self.assertEqual(r.headers['Content-Security-Policy'], (
                            "frame-ancestors 'self'; "
-                            "report-uri /api/security/csp-report;"
+                            "report-uri /api/security/csp-report; "
+                            "default-src 'none'"
        ))

        # GET request