diff options
author | Felix Hammerl <fhammerl@thoughtworks.com> | 2016-02-26 18:27:13 +0100 |
---|---|---|
committer | Felix Hammerl <fhammerl@thoughtworks.com> | 2016-03-09 15:35:28 +0100 |
commit | ca3a3817c7c5de0b89e5105adb88a0f7419df8e1 (patch) | |
tree | f35d394074500f5464c47df6bb731aa4f895249a /service/pixelated/resources/sandbox_resource.py | |
parent | 281f88ba668e38883e822ea5bd96134ad3a3aa6c (diff) |
Issue #617: Serve content from Sandbox resource
Diffstat (limited to 'service/pixelated/resources/sandbox_resource.py')
-rw-r--r-- | service/pixelated/resources/sandbox_resource.py | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/service/pixelated/resources/sandbox_resource.py b/service/pixelated/resources/sandbox_resource.py new file mode 100644 index 00000000..28e8c9be --- /dev/null +++ b/service/pixelated/resources/sandbox_resource.py @@ -0,0 +1,34 @@ +# +# Copyright (c) 2016 ThoughtWorks, Inc. +# +# Pixelated is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Pixelated is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with Pixelated. If not, see <http://www.gnu.org/licenses/>. + +from twisted.web.static import File + + +class SandboxResource(File): + CSP_HEADER_VALUES = "sandbox allow-popups allow-scripts;" \ + "default-src 'self';" \ + "style-src *;" \ + "script-src *;" \ + "font-src *;" \ + "img-src *;" \ + "object-src 'none';" \ + "connect-src 'none';" + + def render_GET(self, request): + request.setHeader('Content-Security-Policy', self.CSP_HEADER_VALUES) + request.setHeader('X-Content-Security-Policy', self.CSP_HEADER_VALUES) + request.setHeader('X-Webkit-CSP', self.CSP_HEADER_VALUES) + return super(SandboxResource, self).render_GET(request) |