B !`@sdZddlmZddlmZddlmZddlZddlmZddlm Z ddl m Z e d d d gZ e Zd Zd ZddgddgdgdgdZddZGdddeZdS)z0Validates responses and their security features.)absolute_import)division)print_functionN)Headers)http) tb_logging Directivenamevaluez text/htmlz default-srcz'unsafe-inline'zdata:zblob:z 'unsafe-eval')z style-srczimg-srcz script-srczfont-srccCstd|dS)Nz-In 3.0, this warning will become an error: %s)loggerwarning) error_msgrU/home/dcms/DCMS/lib/python3.7/site-packages/tensorboard/backend/security_validator.py_maybe_raise_value_error0src@sPeZdZdZddZddZddZdd Zd d Zd d Z ddZ ddZ dS)SecurityValidatorMiddlewareaWSGI middleware validating security on response. It validates: - responses have Content-Type - responses have X-Content-Type-Options: nosniff - text/html responses have CSP header. It also validates whether the CSP headers pass basic requirement. e.g., default-src should be present, cannot use "*" directive, and others. For more complete list, please refer to _validate_csp_policies. Instances of this class are WSGI applications (see PEP 3333). cCs ||_dS)zInitializes an `SecurityValidatorMiddleware`. Args: application: The WSGI application to wrap (see PEP 3333). N) _application)selfZ applicationrrr__init__Csz$SecurityValidatorMiddleware.__init__csdfdd }||S)Ncs||||S)N)_validate_headers)statusheadersexc_info)rstart_responserrstart_response_proxyLs zBSecurityValidatorMiddleware.__call__..start_response_proxy)N)r)renvironrrr)rrr__call__Ksz$SecurityValidatorMiddleware.__call__cCs*t|}||||||dS)N)r_validate_content_type _validate_x_content_type_options_validate_csp_headers)rZ headers_listrrrrrRs  z-SecurityValidatorMiddleware._validate_headerscCs|drdStddS)Nz Content-Typez&Content-Type is required on a Response)getr)rrrrrrXs z2SecurityValidatorMiddleware._validate_content_typecCs"|d}|dkrdStddS)NzX-Content-Type-OptionsZnosniffz2X-Content-Type-Options is required to be "nosniff")r r)rroptionrrrr^s  zs"