Adds the option to disable the x-content-type-options header #75

Open · wants to merge 12 commits into base: master
3 changes: 3 additions & 0 deletions README.rst
@@ -113,6 +113,9 @@ Options
`X-Download-Options <https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/jj542450(v=vs.85)?redirectedfrom=MSDN>`_
header to ``noopen`` to prevent IE >= 8 to from opening file downloads
directly and only save them instead.
- ``x_content_type_options``, default ``True``, Protects against MIME sniffing vulnerabilities.
- ``x_xss_protection``, default ``True``, Protects against cross-site scripting (XSS) attacks.


Per-view options
~~~~~~~~~~~~~~~~
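Review bot: the two new bullets say what the header protects against but not what the option actually controls; since flask_talisman/talisman.py simply omits the header when the flag is False, state that, e.g. ``x_content_type_options``, default ``True``, sets ``X-Content-Type-Options: nosniff`` to protect against MIME sniffing; set to ``False`` to omit the header. Do the same for ``x_xss_protection`` (``X-XSS-Protection: 1; mode=block``), and use a lower-case continuation after the comma to match the surrounding entries.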
18 changes: 15 additions & 3 deletions flask_talisman/talisman.py
@@ -76,7 +76,9 @@ def init_app(
content_security_policy_nonce_in=None,
referrer_policy=DEFAULT_REFERRER_POLICY,
session_cookie_secure=True,
session_cookie_http_only=True):
session_cookie_http_only=True,
x_content_type_options=True,
x_xss_protection=True):
"""
Initialization.

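Review bot: the PR title only mentions x-content-type-options, but this hunk also adds x_xss_protection; update the title and description so the second option is reviewed and released deliberately. Both new parameters are appended at the end of the signature with a default of True, so existing callers keep the current headers, which is the right compatibility choice.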
@@ -116,6 +118,9 @@ def init_app(
session cookie.
force_file_save: Prevents the user from opening a file download
directly on >= IE 8
x_content_type_options: Prevents MIME type sniffing
x_xss_protection: Prevents the page from loading when the browser
detects reflected cross-site scripting attacks

See README.rst for a detailed description of each option.
"""
@@ -166,6 +171,10 @@ def init_app(

self.force_file_save = force_file_save

self.x_content_type_options = x_content_type_options

self.x_xss_protection = x_xss_protection

self.app = app

app.before_request(self._force_https)
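Review bot: the raw values are stored without coercion, so a caller passing a string such as "false" (for example from an environment variable) keeps the header enabled because the string is truthy. Either coerce with bool() here or document that only True/False are accepted.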
@@ -284,8 +293,11 @@ def _set_frame_options_headers(self, headers, options):
options['frame_options_allow_from'])

def _set_content_security_policy_headers(self, headers, options):
headers['X-XSS-Protection'] = '1; mode=block'
headers['X-Content-Type-Options'] = 'nosniff'
if self.x_xxs_protection:
Contributor
Suggested change
if self.x_xxs_protection:
if self.x_xss_protection:

headers['X-XSS-Protection'] = '1; mode=block'

if self.x_content_type_options:
headers['X-Content-Type-Options'] = 'nosniff'

if self.force_file_save:
headers['X-Download-Options'] = 'noopen'
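Review bot: `if self.x_xxs_protection:` references an attribute that is never assigned (the init_app hunk sets self.x_xss_protection), so as written every response would raise AttributeError; the suggested change above fixes the name. Because the headers are now conditional, add tests asserting that both headers are present by default and absent when the corresponding option is False. Note also that the new flags are read from self rather than from `options`, so they cannot be changed per view, which matches force_file_save but is worth stating in the README's per-view section.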