Hello,

We have a Flask app with Talisman and we initialize the app by default values:

csp = {
        'default-src': '\'self\'',
        'img-src': '\'self\' data:',
        'media-src': [
            '*',
        ],
        'style-src': '\'unsafe-inline\' \'self\'',
        'script-src': '\'unsafe-inline\' \'self\'',
        'font-src' : '*'
    }
    Talisman(app, content_security_policy=csp)

But sometimes, we are not sure why, it's hard to reproduce we have the following error and stacktrace :asd

Traceback (most recent call last):
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 2000, in __call__
    return self.wsgi_app(environ, start_response)
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1991, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1567, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1988, in wsgi_app
    response = self.full_dispatch_request()
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1643, in full_dispatch_request
    response = self.process_response(response)
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1862, in process_response
    response = handler(response)
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask_talisman/talisman.py", line 210, in _set_response_headers
    self._set_frame_options_headers(response.headers)
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask_talisman/talisman.py", line 217, in _set_frame_options_headers
    headers['X-Frame-Options'] = self.local_options.frame_options
  File "/root/19032018/asd/venv/lib/python3.6/site-packages/werkzeug/local.py", line 72, in __getattr__
    raise AttributeError(name)
AttributeError: frame_options

Can you help why this happens and why it happens at seemingly random times? Talisman version is 0.4.1

Thanks in advance!

The referrer policy security header tells the browser what information about your website (URL and possibly path) is sent to a linked site. See this blog/examples for more info.

There's also some useful information of the available directives from Mozilla. I've set the default to 'strict-origin-when-cross-origin', although it may want to be changed until Chrome adds handling for this (see this issue).

• Fixes #3
• I never released a package before.. so please verify which changes had to be flask_talisman and which ones flask-talisman
• Updated the version to 1.0.0
• Updated the URLs to flask-talisman in PyPi

This patch is so that when request.endpoint is None:

• Don't raise 500 error.
• Don't redirect to https.

Currently, a request to an endpoint that does not exist will cause an error. I noticed this when I migrated an app engine flexible environment application from vm: true to env: flex and the health checks (requests to /_ah/health) were resulting in errors. I think the expected behavior should be that these or other nonexistent endpoints simply return 404, so I also added to the list of criteria to exclude when forcing https.

Hi, I might be doing something really stupid but I can't find much documentation or examples, other than the main page on GitHub and the example about CSP.

My issue is that csp_nonce() is evaluating to an empty string. What am I doing wrong?

I include the relevant parts of my code (it is a much bigger project so I am trying to post only relevant parts, but if you need anything more, please let me know).

<!doctype html>
<html lang="en">
<head>
    [...]
    <link href="/static/css/main.68b8b5e7.chunk.css" rel="stylesheet">
</head>
<body>
<noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root"></div>
<script>[...] </script>
<script src="/static/js/2.389a3736.chunk.js" nonce="{{ csp_nonce() }}"></script>
<script src="/static/js/main.f39b6155.chunk.js" nonce="{{ csp_nonce() }}"></script>
</body>
</html>

While the CSP header does contain the nonce:

Content-Security-Policy | style-src 'self' https://fonts.googleapis.com 'nonce-XleICcqjjVeXsgKoEn6gLA'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'nonce-XleICcqjjVeXsgKoEn6gLA'

Flask app:

man = Talisman()
man.init_app(app, content_security_policy={
            "style-src": ["\'self\'", 'https://fonts.googleapis.com'],
            "font-src": ["\'self\'", 'https://fonts.gstatic.com'],
            "img-src": "'self' data:",
            "script-src":  ["\'self\'"],
        }, content_security_policy_nonce_in=['script-src', 'style-src']) 

@app.route('/')
def index():
       return render_template('index.html')

Page in the browser (notice how the nonce is empty):

<html lang="en">
<head>
    <link href="/static/css/main.68b8b5e7.chunk.css" rel="stylesheet">
<style data-jss="" data-meta="MuiGrid" nonce=""> [...]</style>
<style data-jss="" data-meta="MuiBox" nonce=""></style>
<style data-jss="" data-meta="MuiBox" nonce=""></style>
<style data-jss="" data-meta="makeStyles" nonce="">[...]</style>
</head>
<body>
<div id="root"></div>
<script nonce="">[...]</script>
<script src="/static/js/2.389a3736.chunk.js" nonce=""></script>
<script src="/static/js/main.f39b6155.chunk.js" nonce=""></script>
</body></html>

Feature-Policy has been split into Permissions-Policy and Document-Policy. Although these are not supported in browsers yet, it is likely that they will be at some point in the not too distant future.

In addition the popular SecurityHeaders.com tool has started flagging when Permissions-Policy header is not being sent which is likely to increase interest in publishing a Permissions-Policy alongside the original Feature-Policy header.

This PR adds support for both headers, though does not set them by default, nor does it retire Feature-Policy.

x-content-security-policy was previously supported by some browsers before content-security-policy was fully supported. It is poorly documented and does not support the full feature-set of the standardised content-security-policy.

IE11 is the only commonly in use browser now supporting this, however it only support the sandbox attribute.

We don't support X-Webkit-CSP which was the other older name used by Safari.

I think it's wrong to have this turned on by default and to use the same CSP as the standardised one. Website owners may not notice it's on by default, may assume it has same support as CSP, and will be less likely to test older browsers to see if it breaks.

I'd suggest removing it from the code completely as the standard CSP header is now well supported and standardised. We could also leave it there but in but with a default off status, but I'd really question the value of this. The alternative would be to be able to specify its setting separately to CSP but again I think it's of little value so I say get rid.

This would technically be a breaking change, in that anyone depending on this header will need to change their config to enable it. However, given its poor support, its complete lack of documentation and, the fact that CSP is used in preference to it anyway on any browser that supports that, I think the risk is low and it's preferable to leaving it in place.

Happy to submit a PR for this but wanted to open an issue for discussion first in case anyone disagreed.

I hope there is a parameter that I'm missing to fix this or I may be doing something wrong, but I don't believe that Flask Talisman works when making post(), put(), or delete() requests with the Flask test_client(). If that is the case, please consider this as a feature request if you deem it appropriate behavior for Flask Talisman.

I have observed that after adding Taliasman(app) to my Flask app I had to change all of my test cases to follow_redirects=True because apparently Talisman redirects every request. The problem is that it breaks all POST, PUT, and DELETE requests which get redirect and become GET requests.

Sample that shows problem

Given this simple Flask app: (app.py)

from flask import Flask, jsonify

app = Flask(__name__)

@app.route('/test1', methods=['GET'])
def get_test():
    return jsonify(message='200 OK'), 200

@app.route('/test2', methods=['POST'])
def create_test():
    return jsonify(message='201 Created'), 201

and these test cases: (test_case.py

from unittest import TestCase
from app import app

class TalismanTestCase(TestCase):
    def setUp(self):
        self.client = app.test_client()

    def test_get(self):
        resp = self.client.get('/test1')
        self.assertEqual(resp.status_code, 200)

    def test_post(self):
        resp = self.client.post('/test2')
        self.assertEqual(resp.status_code, 201)

When I run the tests, they execute correctly as expected:

$ python -m unittest -v test_case.py 
test_get (test_case.TalismanTestCase) ... ok
test_post (test_case.TalismanTestCase) ... ok

----------------------------------------------------------------------
Ran 2 tests in 0.004s

OK

However when I add Talisman(app) to my code:

from flask import Flask, jsonify
from flask_talisman import Talisman

app = Flask(__name__)

Talisman(app)

... same code here ...

I get these test results:

python -m unittest -v test_case.py 
test_get (test_case.TalismanTestCase) ... FAIL
test_post (test_case.TalismanTestCase) ... FAIL

======================================================================
FAIL: test_get (test_case.TalismanTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/rofrano/tmp/talisman-test/test_case.py", line 13, in test_get
    self.assertEqual(resp.status_code, 200)
AssertionError: 302 != 200

======================================================================
FAIL: test_post (test_case.TalismanTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/rofrano/tmp/talisman-test/test_case.py", line 18, in test_post
    self.assertEqual(resp.status_code, 201)
AssertionError: 302 != 201

----------------------------------------------------------------------
Ran 2 tests in 0.006s

FAILED (failures=2)

So I tell the Flask test_client() to follow redirects by adding the following to my test cases:

    def test_get(self):
        resp = self.client.get('/test1', follow_redirects=True)
        self.assertEqual(resp.status_code, 200)

    def test_post(self):
        resp = self.client.post('/test2', follow_redirects=True)
        self.assertEqual(resp.status_code, 201)

and now I get the following test results:

$ python -m unittest -v test_case.py 
test_get (test_case.TalismanTestCase) ... ok
test_post (test_case.TalismanTestCase) ... FAIL

======================================================================
FAIL: test_post (test_case.TalismanTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/rofrano/tmp/talisman-test/test_case.py", line 18, in test_post
    self.assertEqual(resp.status_code, 201)
AssertionError: 405 != 201

----------------------------------------------------------------------
Ran 2 tests in 0.009s

FAILED (failures=1)

The first test case passed because the redirect performed a GET on the Location header that was returned but the second test failed because the POST was turned into a GET which returned a 405 Method Not Allowed. I don't know if this is something the Flask test_client() should fix but using curl I observed the same behavior.

Impact to developers

This makes it impossible to post form data in a test case when Talisman is being used. Do you consider this a bug or a limitation? If a limitation can I request that this capability be added? Thanks!

Since the frame-ancestors directive in CSP 2 allows basically the same thing and setting the X-Frame-Options header with allow-from isn't supported by Chrome and Safari anyway, we might as well allow disabling it completely.

the header x-content-security-policy is deprecated and it is know to have unexpected behavior when having both content-security-policy and x-content-security-policy

source : https://content-security-policy.com/

This is kind of a big deal as it prevents the extension to correctly generate policy directives when multiple sources are used. (for when the policy is provided as a string, e.g. from an env var)

Since the primary maintainer of this repository is no longer at Google and there hasn't been any activity on this repository in over a year, myself and several contributors have forked the project over to wntrblm/flask-talisman. We will continue to maintain it there.

If you're a Googler with access to this repository, you are welcome to update the README to point to the community fork and archive this repository. Or don't, I'm a random person on the internet, not your manager. 😛

I'm currently using talisman to set CSP, but I need to have X-Content-Type-Options disabled/not set. In the current version it is always set to 'nosniff'.

Just discovered there is a huge information leak in the Response Header:

Server: Werkzeug/0.0.1 Python/3.1.7

Please add option to drop this, or maybe to modify it.

Something like

@app.after_request def add_header(response): response.headers['Server'] = 'dummy' return response

I tried the following in my app.py:

from flask_talisman import Talisman
from flask_main import create_app

app = create_app()
Talisman(app)

if __name__ == "main":
    app.run()

It still does not work. Any request coming to https:// returns SSL_ERROR_RX_RECORD_TOO_LONG. I've tried both commands to start the app: flask run and python app.py, nothing changes.

Per this issue #66, doing this in create_app won't work.

from flask import Flask
from flask_talisman import Talisman
from flask_main.configuration import Configuration

talisman = Talisman()

def create_app():
    app = Flask(__name__)
    app.config.from_object(Configuration)
    talisman.init_app(app)

Is there any way to make flask-talisman work with application factory pattern?