1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
def main(request, response):
if request.headers.get(b"If-None-Match"):
# we are now receing the second request, we will send back a different CSP
# with the 304 response
response.status = 304
headers = [(b"Content-Type", b"text/html"),
(b"Content-Security-Policy", b"script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"),
(b"Cache-Control", b"private, max-age=0, must-revalidate"),
(b"ETag", b"123456")]
return headers, u""
else:
headers = [(b"Content-Type", b"text/html"),
(b"Content-Security-Policy", b"script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"),
(b"Cache-Control", b"private, max-age=0, must-revalidate"),
(b"Etag", b"123456")]
return headers, u'''
<!DOCTYPE html>
<html>
<head>
<script>
window.addEventListener("securitypolicyviolation", function(e) {
top.postMessage(e.originalPolicy, '*');
});
</script>
<script nonce="abc">
top.postMessage('abc_executed', '*');
</script>
<script nonce="def">
top.postMessage('def_executed', '*');
</script>
</head>
</html>
'''
|
