34 lines
1.6 KiB
Python
34 lines
1.6 KiB
Python
'''
|
|
SRI Message Signature helper for `accept-signature` header validation for
|
|
<script> element requests.
|
|
|
|
It compares the `accept-signature` header delivered with a request to a
|
|
`header` GET parameter. If they match, a `matched` attribute on the current
|
|
script element will be set to true.
|
|
'''
|
|
def main(request, response):
|
|
actual_header = request.headers.get(b'accept-signature', b'')
|
|
expected_header = request.GET.first(b'header', b'')
|
|
|
|
# Set common aspects of the response:
|
|
response.status = 200
|
|
response.headers.set(b'content-type', b'application/json')
|
|
response.headers.set(b'access-control-allow-origin', b'*')
|
|
response.headers.set(b'signature-input', \
|
|
b'signature=("unencoded-digest";sf); ' \
|
|
b'keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs="; ' \
|
|
b'tag="sri"')
|
|
|
|
# Do the exciting and complicated matching calculation:
|
|
body = b'document.currentScript.setAttribute(`matched`, false);'
|
|
digest = b'es+3YnsBqgi4mkbDZd3Vghz6PsqpNeg5CEJn7WOKzJI='
|
|
signature = b'y91SB5QNcqsZBd0XOnuf83W1FOgTWYOP+0gJZ+Lj3JahopKDedZDne9LsJ1KmV4JnjpF8LF5jJzbOO5snLidAg=='
|
|
if actual_header == expected_header:
|
|
body = b'document.currentScript.setAttribute(`matched`, true);'
|
|
digest = b'dq6r7uJehA7JvZk7hczA4TM0uQ5Ad9WkKKihnuQ+B3c='
|
|
signature = b'93PZphf5q5GJ0esZxDk/RJTG5WcExWsRAYSPgXdiQDQVyOH33qgwi0nvon9kQj7jdtoLg7uEOceGv/DBTAbRDQ=='
|
|
|
|
# Then set those bits.
|
|
response.content = body
|
|
response.headers.set(b'unencoded-digest', b'sha-256=:%s:' % digest)
|
|
response.headers.set(b'signature', b'signature=:%s:' % signature)
|