705 lines
26 KiB
Python
705 lines
26 KiB
Python
|
import typing as t
|
||
|
from datetime import datetime
|
||
|
from datetime import timedelta
|
||
|
from datetime import timezone
|
||
|
from http import HTTPStatus
|
||
|
|
||
|
from .._internal import _to_str
|
||
|
from ..datastructures import Headers
|
||
|
from ..datastructures import HeaderSet
|
||
|
from ..http import dump_cookie
|
||
|
from ..http import HTTP_STATUS_CODES
|
||
|
from ..utils import get_content_type
|
||
|
from werkzeug.datastructures import CallbackDict
|
||
|
from werkzeug.datastructures import ContentRange
|
||
|
from werkzeug.datastructures import ContentSecurityPolicy
|
||
|
from werkzeug.datastructures import ResponseCacheControl
|
||
|
from werkzeug.datastructures import WWWAuthenticate
|
||
|
from werkzeug.http import COEP
|
||
|
from werkzeug.http import COOP
|
||
|
from werkzeug.http import dump_age
|
||
|
from werkzeug.http import dump_header
|
||
|
from werkzeug.http import dump_options_header
|
||
|
from werkzeug.http import http_date
|
||
|
from werkzeug.http import parse_age
|
||
|
from werkzeug.http import parse_cache_control_header
|
||
|
from werkzeug.http import parse_content_range_header
|
||
|
from werkzeug.http import parse_csp_header
|
||
|
from werkzeug.http import parse_date
|
||
|
from werkzeug.http import parse_options_header
|
||
|
from werkzeug.http import parse_set_header
|
||
|
from werkzeug.http import parse_www_authenticate_header
|
||
|
from werkzeug.http import quote_etag
|
||
|
from werkzeug.http import unquote_etag
|
||
|
from werkzeug.utils import header_property
|
||
|
|
||
|
|
||
|
def _set_property(name: str, doc: t.Optional[str] = None) -> property:
|
||
|
def fget(self: "Response") -> HeaderSet:
|
||
|
def on_update(header_set: HeaderSet) -> None:
|
||
|
if not header_set and name in self.headers:
|
||
|
del self.headers[name]
|
||
|
elif header_set:
|
||
|
self.headers[name] = header_set.to_header()
|
||
|
|
||
|
return parse_set_header(self.headers.get(name), on_update)
|
||
|
|
||
|
def fset(
|
||
|
self: "Response",
|
||
|
value: t.Optional[
|
||
|
t.Union[str, t.Dict[str, t.Union[str, int]], t.Iterable[str]]
|
||
|
],
|
||
|
) -> None:
|
||
|
if not value:
|
||
|
del self.headers[name]
|
||
|
elif isinstance(value, str):
|
||
|
self.headers[name] = value
|
||
|
else:
|
||
|
self.headers[name] = dump_header(value)
|
||
|
|
||
|
return property(fget, fset, doc=doc)
|
||
|
|
||
|
|
||
|
class Response:
|
||
|
"""Represents the non-IO parts of an HTTP response, specifically the
|
||
|
status and headers but not the body.
|
||
|
|
||
|
This class is not meant for general use. It should only be used when
|
||
|
implementing WSGI, ASGI, or another HTTP application spec. Werkzeug
|
||
|
provides a WSGI implementation at :cls:`werkzeug.wrappers.Response`.
|
||
|
|
||
|
:param status: The status code for the response. Either an int, in
|
||
|
which case the default status message is added, or a string in
|
||
|
the form ``{code} {message}``, like ``404 Not Found``. Defaults
|
||
|
to 200.
|
||
|
:param headers: A :class:`~werkzeug.datastructures.Headers` object,
|
||
|
or a list of ``(key, value)`` tuples that will be converted to a
|
||
|
``Headers`` object.
|
||
|
:param mimetype: The mime type (content type without charset or
|
||
|
other parameters) of the response. If the value starts with
|
||
|
``text/`` (or matches some other special cases), the charset
|
||
|
will be added to create the ``content_type``.
|
||
|
:param content_type: The full content type of the response.
|
||
|
Overrides building the value from ``mimetype``.
|
||
|
|
||
|
.. versionadded:: 2.0
|
||
|
"""
|
||
|
|
||
|
#: the charset of the response.
|
||
|
charset = "utf-8"
|
||
|
|
||
|
#: the default status if none is provided.
|
||
|
default_status = 200
|
||
|
|
||
|
#: the default mimetype if none is provided.
|
||
|
default_mimetype = "text/plain"
|
||
|
|
||
|
#: Warn if a cookie header exceeds this size. The default, 4093, should be
|
||
|
#: safely `supported by most browsers <cookie_>`_. A cookie larger than
|
||
|
#: this size will still be sent, but it may be ignored or handled
|
||
|
#: incorrectly by some browsers. Set to 0 to disable this check.
|
||
|
#:
|
||
|
#: .. versionadded:: 0.13
|
||
|
#:
|
||
|
#: .. _`cookie`: http://browsercookielimits.squawky.net/
|
||
|
max_cookie_size = 4093
|
||
|
|
||
|
# A :class:`Headers` object representing the response headers.
|
||
|
headers: Headers
|
||
|
|
||
|
def __init__(
|
||
|
self,
|
||
|
status: t.Optional[t.Union[int, str, HTTPStatus]] = None,
|
||
|
headers: t.Optional[
|
||
|
t.Union[
|
||
|
t.Mapping[str, t.Union[str, int, t.Iterable[t.Union[str, int]]]],
|
||
|
t.Iterable[t.Tuple[str, t.Union[str, int]]],
|
||
|
]
|
||
|
] = None,
|
||
|
mimetype: t.Optional[str] = None,
|
||
|
content_type: t.Optional[str] = None,
|
||
|
) -> None:
|
||
|
if isinstance(headers, Headers):
|
||
|
self.headers = headers
|
||
|
elif not headers:
|
||
|
self.headers = Headers()
|
||
|
else:
|
||
|
self.headers = Headers(headers)
|
||
|
|
||
|
if content_type is None:
|
||
|
if mimetype is None and "content-type" not in self.headers:
|
||
|
mimetype = self.default_mimetype
|
||
|
if mimetype is not None:
|
||
|
mimetype = get_content_type(mimetype, self.charset)
|
||
|
content_type = mimetype
|
||
|
if content_type is not None:
|
||
|
self.headers["Content-Type"] = content_type
|
||
|
if status is None:
|
||
|
status = self.default_status
|
||
|
self.status = status # type: ignore
|
||
|
|
||
|
def __repr__(self) -> str:
|
||
|
return f"<{type(self).__name__} [{self.status}]>"
|
||
|
|
||
|
@property
|
||
|
def status_code(self) -> int:
|
||
|
"""The HTTP status code as a number."""
|
||
|
return self._status_code
|
||
|
|
||
|
@status_code.setter
|
||
|
def status_code(self, code: int) -> None:
|
||
|
self.status = code # type: ignore
|
||
|
|
||
|
@property
|
||
|
def status(self) -> str:
|
||
|
"""The HTTP status code as a string."""
|
||
|
return self._status
|
||
|
|
||
|
@status.setter
|
||
|
def status(self, value: t.Union[str, int, HTTPStatus]) -> None:
|
||
|
if not isinstance(value, (str, bytes, int, HTTPStatus)):
|
||
|
raise TypeError("Invalid status argument")
|
||
|
|
||
|
self._status, self._status_code = self._clean_status(value)
|
||
|
|
||
|
def _clean_status(self, value: t.Union[str, int, HTTPStatus]) -> t.Tuple[str, int]:
|
||
|
if isinstance(value, HTTPStatus):
|
||
|
value = int(value)
|
||
|
status = _to_str(value, self.charset)
|
||
|
split_status = status.split(None, 1)
|
||
|
|
||
|
if len(split_status) == 0:
|
||
|
raise ValueError("Empty status argument")
|
||
|
|
||
|
if len(split_status) > 1:
|
||
|
if split_status[0].isdigit():
|
||
|
# code and message
|
||
|
return status, int(split_status[0])
|
||
|
|
||
|
# multi-word message
|
||
|
return f"0 {status}", 0
|
||
|
|
||
|
if split_status[0].isdigit():
|
||
|
# code only
|
||
|
status_code = int(split_status[0])
|
||
|
|
||
|
try:
|
||
|
status = f"{status_code} {HTTP_STATUS_CODES[status_code].upper()}"
|
||
|
except KeyError:
|
||
|
status = f"{status_code} UNKNOWN"
|
||
|
|
||
|
return status, status_code
|
||
|
|
||
|
# one-word message
|
||
|
return f"0 {status}", 0
|
||
|
|
||
|
def set_cookie(
|
||
|
self,
|
||
|
key: str,
|
||
|
value: str = "",
|
||
|
max_age: t.Optional[t.Union[timedelta, int]] = None,
|
||
|
expires: t.Optional[t.Union[str, datetime, int, float]] = None,
|
||
|
path: t.Optional[str] = "/",
|
||
|
domain: t.Optional[str] = None,
|
||
|
secure: bool = False,
|
||
|
httponly: bool = False,
|
||
|
samesite: t.Optional[str] = None,
|
||
|
) -> None:
|
||
|
"""Sets a cookie.
|
||
|
|
||
|
A warning is raised if the size of the cookie header exceeds
|
||
|
:attr:`max_cookie_size`, but the header will still be set.
|
||
|
|
||
|
:param key: the key (name) of the cookie to be set.
|
||
|
:param value: the value of the cookie.
|
||
|
:param max_age: should be a number of seconds, or `None` (default) if
|
||
|
the cookie should last only as long as the client's
|
||
|
browser session.
|
||
|
:param expires: should be a `datetime` object or UNIX timestamp.
|
||
|
:param path: limits the cookie to a given path, per default it will
|
||
|
span the whole domain.
|
||
|
:param domain: if you want to set a cross-domain cookie. For example,
|
||
|
``domain=".example.com"`` will set a cookie that is
|
||
|
readable by the domain ``www.example.com``,
|
||
|
``foo.example.com`` etc. Otherwise, a cookie will only
|
||
|
be readable by the domain that set it.
|
||
|
:param secure: If ``True``, the cookie will only be available
|
||
|
via HTTPS.
|
||
|
:param httponly: Disallow JavaScript access to the cookie.
|
||
|
:param samesite: Limit the scope of the cookie to only be
|
||
|
attached to requests that are "same-site".
|
||
|
"""
|
||
|
self.headers.add(
|
||
|
"Set-Cookie",
|
||
|
dump_cookie(
|
||
|
key,
|
||
|
value=value,
|
||
|
max_age=max_age,
|
||
|
expires=expires,
|
||
|
path=path,
|
||
|
domain=domain,
|
||
|
secure=secure,
|
||
|
httponly=httponly,
|
||
|
charset=self.charset,
|
||
|
max_size=self.max_cookie_size,
|
||
|
samesite=samesite,
|
||
|
),
|
||
|
)
|
||
|
|
||
|
def delete_cookie(
|
||
|
self,
|
||
|
key: str,
|
||
|
path: str = "/",
|
||
|
domain: t.Optional[str] = None,
|
||
|
secure: bool = False,
|
||
|
httponly: bool = False,
|
||
|
samesite: t.Optional[str] = None,
|
||
|
) -> None:
|
||
|
"""Delete a cookie. Fails silently if key doesn't exist.
|
||
|
|
||
|
:param key: the key (name) of the cookie to be deleted.
|
||
|
:param path: if the cookie that should be deleted was limited to a
|
||
|
path, the path has to be defined here.
|
||
|
:param domain: if the cookie that should be deleted was limited to a
|
||
|
domain, that domain has to be defined here.
|
||
|
:param secure: If ``True``, the cookie will only be available
|
||
|
via HTTPS.
|
||
|
:param httponly: Disallow JavaScript access to the cookie.
|
||
|
:param samesite: Limit the scope of the cookie to only be
|
||
|
attached to requests that are "same-site".
|
||
|
"""
|
||
|
self.set_cookie(
|
||
|
key,
|
||
|
expires=0,
|
||
|
max_age=0,
|
||
|
path=path,
|
||
|
domain=domain,
|
||
|
secure=secure,
|
||
|
httponly=httponly,
|
||
|
samesite=samesite,
|
||
|
)
|
||
|
|
||
|
@property
|
||
|
def is_json(self) -> bool:
|
||
|
"""Check if the mimetype indicates JSON data, either
|
||
|
:mimetype:`application/json` or :mimetype:`application/*+json`.
|
||
|
"""
|
||
|
mt = self.mimetype
|
||
|
return mt is not None and (
|
||
|
mt == "application/json"
|
||
|
or mt.startswith("application/")
|
||
|
and mt.endswith("+json")
|
||
|
)
|
||
|
|
||
|
# Common Descriptors
|
||
|
|
||
|
@property
|
||
|
def mimetype(self) -> t.Optional[str]:
|
||
|
"""The mimetype (content type without charset etc.)"""
|
||
|
ct = self.headers.get("content-type")
|
||
|
|
||
|
if ct:
|
||
|
return ct.split(";")[0].strip()
|
||
|
else:
|
||
|
return None
|
||
|
|
||
|
@mimetype.setter
|
||
|
def mimetype(self, value: str) -> None:
|
||
|
self.headers["Content-Type"] = get_content_type(value, self.charset)
|
||
|
|
||
|
@property
|
||
|
def mimetype_params(self) -> t.Dict[str, str]:
|
||
|
"""The mimetype parameters as dict. For example if the
|
||
|
content type is ``text/html; charset=utf-8`` the params would be
|
||
|
``{'charset': 'utf-8'}``.
|
||
|
|
||
|
.. versionadded:: 0.5
|
||
|
"""
|
||
|
|
||
|
def on_update(d: CallbackDict) -> None:
|
||
|
self.headers["Content-Type"] = dump_options_header(self.mimetype, d)
|
||
|
|
||
|
d = parse_options_header(self.headers.get("content-type", ""))[1]
|
||
|
return CallbackDict(d, on_update)
|
||
|
|
||
|
location = header_property[str](
|
||
|
"Location",
|
||
|
doc="""The Location response-header field is used to redirect
|
||
|
the recipient to a location other than the Request-URI for
|
||
|
completion of the request or identification of a new
|
||
|
resource.""",
|
||
|
)
|
||
|
age = header_property(
|
||
|
"Age",
|
||
|
None,
|
||
|
parse_age,
|
||
|
dump_age, # type: ignore
|
||
|
doc="""The Age response-header field conveys the sender's
|
||
|
estimate of the amount of time since the response (or its
|
||
|
revalidation) was generated at the origin server.
|
||
|
|
||
|
Age values are non-negative decimal integers, representing time
|
||
|
in seconds.""",
|
||
|
)
|
||
|
content_type = header_property[str](
|
||
|
"Content-Type",
|
||
|
doc="""The Content-Type entity-header field indicates the media
|
||
|
type of the entity-body sent to the recipient or, in the case of
|
||
|
the HEAD method, the media type that would have been sent had
|
||
|
the request been a GET.""",
|
||
|
)
|
||
|
content_length = header_property(
|
||
|
"Content-Length",
|
||
|
None,
|
||
|
int,
|
||
|
str,
|
||
|
doc="""The Content-Length entity-header field indicates the size
|
||
|
of the entity-body, in decimal number of OCTETs, sent to the
|
||
|
recipient or, in the case of the HEAD method, the size of the
|
||
|
entity-body that would have been sent had the request been a
|
||
|
GET.""",
|
||
|
)
|
||
|
content_location = header_property[str](
|
||
|
"Content-Location",
|
||
|
doc="""The Content-Location entity-header field MAY be used to
|
||
|
supply the resource location for the entity enclosed in the
|
||
|
message when that entity is accessible from a location separate
|
||
|
from the requested resource's URI.""",
|
||
|
)
|
||
|
content_encoding = header_property[str](
|
||
|
"Content-Encoding",
|
||
|
doc="""The Content-Encoding entity-header field is used as a
|
||
|
modifier to the media-type. When present, its value indicates
|
||
|
what additional content codings have been applied to the
|
||
|
entity-body, and thus what decoding mechanisms must be applied
|
||
|
in order to obtain the media-type referenced by the Content-Type
|
||
|
header field.""",
|
||
|
)
|
||
|
content_md5 = header_property[str](
|
||
|
"Content-MD5",
|
||
|
doc="""The Content-MD5 entity-header field, as defined in
|
||
|
RFC 1864, is an MD5 digest of the entity-body for the purpose of
|
||
|
providing an end-to-end message integrity check (MIC) of the
|
||
|
entity-body. (Note: a MIC is good for detecting accidental
|
||
|
modification of the entity-body in transit, but is not proof
|
||
|
against malicious attacks.)""",
|
||
|
)
|
||
|
date = header_property(
|
||
|
"Date",
|
||
|
None,
|
||
|
parse_date,
|
||
|
http_date,
|
||
|
doc="""The Date general-header field represents the date and
|
||
|
time at which the message was originated, having the same
|
||
|
semantics as orig-date in RFC 822.
|
||
|
|
||
|
.. versionchanged:: 2.0
|
||
|
The datetime object is timezone-aware.
|
||
|
""",
|
||
|
)
|
||
|
expires = header_property(
|
||
|
"Expires",
|
||
|
None,
|
||
|
parse_date,
|
||
|
http_date,
|
||
|
doc="""The Expires entity-header field gives the date/time after
|
||
|
which the response is considered stale. A stale cache entry may
|
||
|
not normally be returned by a cache.
|
||
|
|
||
|
.. versionchanged:: 2.0
|
||
|
The datetime object is timezone-aware.
|
||
|
""",
|
||
|
)
|
||
|
last_modified = header_property(
|
||
|
"Last-Modified",
|
||
|
None,
|
||
|
parse_date,
|
||
|
http_date,
|
||
|
doc="""The Last-Modified entity-header field indicates the date
|
||
|
and time at which the origin server believes the variant was
|
||
|
last modified.
|
||
|
|
||
|
.. versionchanged:: 2.0
|
||
|
The datetime object is timezone-aware.
|
||
|
""",
|
||
|
)
|
||
|
|
||
|
@property
|
||
|
def retry_after(self) -> t.Optional[datetime]:
|
||
|
"""The Retry-After response-header field can be used with a
|
||
|
503 (Service Unavailable) response to indicate how long the
|
||
|
service is expected to be unavailable to the requesting client.
|
||
|
|
||
|
Time in seconds until expiration or date.
|
||
|
|
||
|
.. versionchanged:: 2.0
|
||
|
The datetime object is timezone-aware.
|
||
|
"""
|
||
|
value = self.headers.get("retry-after")
|
||
|
if value is None:
|
||
|
return None
|
||
|
elif value.isdigit():
|
||
|
return datetime.now(timezone.utc) + timedelta(seconds=int(value))
|
||
|
return parse_date(value)
|
||
|
|
||
|
@retry_after.setter
|
||
|
def retry_after(self, value: t.Optional[t.Union[datetime, int, str]]) -> None:
|
||
|
if value is None:
|
||
|
if "retry-after" in self.headers:
|
||
|
del self.headers["retry-after"]
|
||
|
return
|
||
|
elif isinstance(value, datetime):
|
||
|
value = http_date(value)
|
||
|
else:
|
||
|
value = str(value)
|
||
|
self.headers["Retry-After"] = value
|
||
|
|
||
|
vary = _set_property(
|
||
|
"Vary",
|
||
|
doc="""The Vary field value indicates the set of request-header
|
||
|
fields that fully determines, while the response is fresh,
|
||
|
whether a cache is permitted to use the response to reply to a
|
||
|
subsequent request without revalidation.""",
|
||
|
)
|
||
|
content_language = _set_property(
|
||
|
"Content-Language",
|
||
|
doc="""The Content-Language entity-header field describes the
|
||
|
natural language(s) of the intended audience for the enclosed
|
||
|
entity. Note that this might not be equivalent to all the
|
||
|
languages used within the entity-body.""",
|
||
|
)
|
||
|
allow = _set_property(
|
||
|
"Allow",
|
||
|
doc="""The Allow entity-header field lists the set of methods
|
||
|
supported by the resource identified by the Request-URI. The
|
||
|
purpose of this field is strictly to inform the recipient of
|
||
|
valid methods associated with the resource. An Allow header
|
||
|
field MUST be present in a 405 (Method Not Allowed)
|
||
|
response.""",
|
||
|
)
|
||
|
|
||
|
# ETag
|
||
|
|
||
|
@property
|
||
|
def cache_control(self) -> ResponseCacheControl:
|
||
|
"""The Cache-Control general-header field is used to specify
|
||
|
directives that MUST be obeyed by all caching mechanisms along the
|
||
|
request/response chain.
|
||
|
"""
|
||
|
|
||
|
def on_update(cache_control: ResponseCacheControl) -> None:
|
||
|
if not cache_control and "cache-control" in self.headers:
|
||
|
del self.headers["cache-control"]
|
||
|
elif cache_control:
|
||
|
self.headers["Cache-Control"] = cache_control.to_header()
|
||
|
|
||
|
return parse_cache_control_header(
|
||
|
self.headers.get("cache-control"), on_update, ResponseCacheControl
|
||
|
)
|
||
|
|
||
|
def set_etag(self, etag: str, weak: bool = False) -> None:
|
||
|
"""Set the etag, and override the old one if there was one."""
|
||
|
self.headers["ETag"] = quote_etag(etag, weak)
|
||
|
|
||
|
def get_etag(self) -> t.Union[t.Tuple[str, bool], t.Tuple[None, None]]:
|
||
|
"""Return a tuple in the form ``(etag, is_weak)``. If there is no
|
||
|
ETag the return value is ``(None, None)``.
|
||
|
"""
|
||
|
return unquote_etag(self.headers.get("ETag"))
|
||
|
|
||
|
accept_ranges = header_property[str](
|
||
|
"Accept-Ranges",
|
||
|
doc="""The `Accept-Ranges` header. Even though the name would
|
||
|
indicate that multiple values are supported, it must be one
|
||
|
string token only.
|
||
|
|
||
|
The values ``'bytes'`` and ``'none'`` are common.
|
||
|
|
||
|
.. versionadded:: 0.7""",
|
||
|
)
|
||
|
|
||
|
@property
|
||
|
def content_range(self) -> ContentRange:
|
||
|
"""The ``Content-Range`` header as a
|
||
|
:class:`~werkzeug.datastructures.ContentRange` object. Available
|
||
|
even if the header is not set.
|
||
|
|
||
|
.. versionadded:: 0.7
|
||
|
"""
|
||
|
|
||
|
def on_update(rng: ContentRange) -> None:
|
||
|
if not rng:
|
||
|
del self.headers["content-range"]
|
||
|
else:
|
||
|
self.headers["Content-Range"] = rng.to_header()
|
||
|
|
||
|
rv = parse_content_range_header(self.headers.get("content-range"), on_update)
|
||
|
# always provide a content range object to make the descriptor
|
||
|
# more user friendly. It provides an unset() method that can be
|
||
|
# used to remove the header quickly.
|
||
|
if rv is None:
|
||
|
rv = ContentRange(None, None, None, on_update=on_update)
|
||
|
return rv
|
||
|
|
||
|
@content_range.setter
|
||
|
def content_range(self, value: t.Optional[t.Union[ContentRange, str]]) -> None:
|
||
|
if not value:
|
||
|
del self.headers["content-range"]
|
||
|
elif isinstance(value, str):
|
||
|
self.headers["Content-Range"] = value
|
||
|
else:
|
||
|
self.headers["Content-Range"] = value.to_header()
|
||
|
|
||
|
# Authorization
|
||
|
|
||
|
@property
|
||
|
def www_authenticate(self) -> WWWAuthenticate:
|
||
|
"""The ``WWW-Authenticate`` header in a parsed form."""
|
||
|
|
||
|
def on_update(www_auth: WWWAuthenticate) -> None:
|
||
|
if not www_auth and "www-authenticate" in self.headers:
|
||
|
del self.headers["www-authenticate"]
|
||
|
elif www_auth:
|
||
|
self.headers["WWW-Authenticate"] = www_auth.to_header()
|
||
|
|
||
|
header = self.headers.get("www-authenticate")
|
||
|
return parse_www_authenticate_header(header, on_update)
|
||
|
|
||
|
# CSP
|
||
|
|
||
|
@property
|
||
|
def content_security_policy(self) -> ContentSecurityPolicy:
|
||
|
"""The ``Content-Security-Policy`` header as a
|
||
|
:class:`~werkzeug.datastructures.ContentSecurityPolicy` object. Available
|
||
|
even if the header is not set.
|
||
|
|
||
|
The Content-Security-Policy header adds an additional layer of
|
||
|
security to help detect and mitigate certain types of attacks.
|
||
|
"""
|
||
|
|
||
|
def on_update(csp: ContentSecurityPolicy) -> None:
|
||
|
if not csp:
|
||
|
del self.headers["content-security-policy"]
|
||
|
else:
|
||
|
self.headers["Content-Security-Policy"] = csp.to_header()
|
||
|
|
||
|
rv = parse_csp_header(self.headers.get("content-security-policy"), on_update)
|
||
|
if rv is None:
|
||
|
rv = ContentSecurityPolicy(None, on_update=on_update)
|
||
|
return rv
|
||
|
|
||
|
@content_security_policy.setter
|
||
|
def content_security_policy(
|
||
|
self, value: t.Optional[t.Union[ContentSecurityPolicy, str]]
|
||
|
) -> None:
|
||
|
if not value:
|
||
|
del self.headers["content-security-policy"]
|
||
|
elif isinstance(value, str):
|
||
|
self.headers["Content-Security-Policy"] = value
|
||
|
else:
|
||
|
self.headers["Content-Security-Policy"] = value.to_header()
|
||
|
|
||
|
@property
|
||
|
def content_security_policy_report_only(self) -> ContentSecurityPolicy:
|
||
|
"""The ``Content-Security-policy-report-only`` header as a
|
||
|
:class:`~werkzeug.datastructures.ContentSecurityPolicy` object. Available
|
||
|
even if the header is not set.
|
||
|
|
||
|
The Content-Security-Policy-Report-Only header adds a csp policy
|
||
|
that is not enforced but is reported thereby helping detect
|
||
|
certain types of attacks.
|
||
|
"""
|
||
|
|
||
|
def on_update(csp: ContentSecurityPolicy) -> None:
|
||
|
if not csp:
|
||
|
del self.headers["content-security-policy-report-only"]
|
||
|
else:
|
||
|
self.headers["Content-Security-policy-report-only"] = csp.to_header()
|
||
|
|
||
|
rv = parse_csp_header(
|
||
|
self.headers.get("content-security-policy-report-only"), on_update
|
||
|
)
|
||
|
if rv is None:
|
||
|
rv = ContentSecurityPolicy(None, on_update=on_update)
|
||
|
return rv
|
||
|
|
||
|
@content_security_policy_report_only.setter
|
||
|
def content_security_policy_report_only(
|
||
|
self, value: t.Optional[t.Union[ContentSecurityPolicy, str]]
|
||
|
) -> None:
|
||
|
if not value:
|
||
|
del self.headers["content-security-policy-report-only"]
|
||
|
elif isinstance(value, str):
|
||
|
self.headers["Content-Security-policy-report-only"] = value
|
||
|
else:
|
||
|
self.headers["Content-Security-policy-report-only"] = value.to_header()
|
||
|
|
||
|
# CORS
|
||
|
|
||
|
@property
|
||
|
def access_control_allow_credentials(self) -> bool:
|
||
|
"""Whether credentials can be shared by the browser to
|
||
|
JavaScript code. As part of the preflight request it indicates
|
||
|
whether credentials can be used on the cross origin request.
|
||
|
"""
|
||
|
return "Access-Control-Allow-Credentials" in self.headers
|
||
|
|
||
|
@access_control_allow_credentials.setter
|
||
|
def access_control_allow_credentials(self, value: t.Optional[bool]) -> None:
|
||
|
if value is True:
|
||
|
self.headers["Access-Control-Allow-Credentials"] = "true"
|
||
|
else:
|
||
|
self.headers.pop("Access-Control-Allow-Credentials", None)
|
||
|
|
||
|
access_control_allow_headers = header_property(
|
||
|
"Access-Control-Allow-Headers",
|
||
|
load_func=parse_set_header,
|
||
|
dump_func=dump_header,
|
||
|
doc="Which headers can be sent with the cross origin request.",
|
||
|
)
|
||
|
|
||
|
access_control_allow_methods = header_property(
|
||
|
"Access-Control-Allow-Methods",
|
||
|
load_func=parse_set_header,
|
||
|
dump_func=dump_header,
|
||
|
doc="Which methods can be used for the cross origin request.",
|
||
|
)
|
||
|
|
||
|
access_control_allow_origin = header_property[str](
|
||
|
"Access-Control-Allow-Origin",
|
||
|
doc="The origin or '*' for any origin that may make cross origin requests.",
|
||
|
)
|
||
|
|
||
|
access_control_expose_headers = header_property(
|
||
|
"Access-Control-Expose-Headers",
|
||
|
load_func=parse_set_header,
|
||
|
dump_func=dump_header,
|
||
|
doc="Which headers can be shared by the browser to JavaScript code.",
|
||
|
)
|
||
|
|
||
|
access_control_max_age = header_property(
|
||
|
"Access-Control-Max-Age",
|
||
|
load_func=int,
|
||
|
dump_func=str,
|
||
|
doc="The maximum age in seconds the access control settings can be cached for.",
|
||
|
)
|
||
|
|
||
|
cross_origin_opener_policy = header_property[COOP](
|
||
|
"Cross-Origin-Opener-Policy",
|
||
|
load_func=lambda value: COOP(value),
|
||
|
dump_func=lambda value: value.value,
|
||
|
default=COOP.UNSAFE_NONE,
|
||
|
doc="""Allows control over sharing of browsing context group with cross-origin
|
||
|
documents. Values must be a member of the :class:`werkzeug.http.COOP` enum.""",
|
||
|
)
|
||
|
|
||
|
cross_origin_embedder_policy = header_property[COEP](
|
||
|
"Cross-Origin-Embedder-Policy",
|
||
|
load_func=lambda value: COEP(value),
|
||
|
dump_func=lambda value: value.value,
|
||
|
default=COEP.UNSAFE_NONE,
|
||
|
doc="""Prevents a document from loading any cross-origin resources that do not
|
||
|
explicitly grant the document permission. Values must be a member of the
|
||
|
:class:`werkzeug.http.COEP` enum.""",
|
||
|
)
|