echo-required-csp.py (1546B)
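import json

from wptserve.utils import isomorphic_decode


def _script_safe_json(value):
    """Serialize *value* as JSON that can sit inside an inline <script>.

    json.dumps() quotes and escapes the value as a JavaScript literal. "<" is
    additionally written as \\u003c so request-derived text cannot spell
    "</script>" or "<!--" and change how the HTML parser reads the script
    element. The decoded JavaScript value is unchanged.
    """
    return json.dumps(value).replace(u"<", u"\\u003c")


def main(request, response):
    """wptserve handler that reports CSP-related request headers to the parent.

    The returned HTML page posts a JSON object to ``window.parent`` with two
    keys, ``test_header_injection`` and ``required_csp``. Each holds the
    decoded value of the ``Test-Header-Injection`` / ``Sec-Required-CSP``
    request header, or ``None`` when the header is absent or empty. The page
    also forwards every message it receives to its parent.

    Query parameters read from ``request.GET``:
      include_second_level_iframe -- when present, the page creates a nested
          iframe that loads this same handler.
      second_level_iframe_csp -- when present and non-empty, assigned to the
          nested iframe's ``csp`` attribute.

    Returns a ``(headers, body)`` pair; the headers are ``Content-Type:
    text/html`` and ``Allow-CSP-From: *``. ``response`` is not used.
    """
    message = {}

    header = request.headers.get(b"Test-Header-Injection")
    message[u'test_header_injection'] = isomorphic_decode(header) if header else None

    header = request.headers.get(b"Sec-Required-CSP")
    message[u'required_csp'] = isomorphic_decode(header) if header else None

    second_level_iframe_code = u""
    if b"include_second_level_iframe" in request.GET:
        if b"second_level_iframe_csp" in request.GET and request.GET[b"second_level_iframe_csp"] != b"":
            # The CSP value comes straight from the query string. Emit it as a
            # JSON-encoded string literal rather than pasting it between
            # hand-written quotes, so quotes, backslashes, newlines or
            # "</script>" in the parameter stay data inside the literal.
            second_level_iframe_code = u'''<script>
            var i2 = document.createElement('iframe');
            i2.src = 'echo-required-csp.py';
            i2.csp = {0};
            document.body.appendChild(i2);
            </script>'''.format(
                _script_safe_json(isomorphic_decode(request.GET[b"second_level_iframe_csp"])))
        else:
            second_level_iframe_code = u'''<script>
            var i2 = document.createElement('iframe');
            i2.src = 'echo-required-csp.py';
            document.body.appendChild(i2);
            </script>'''

    # The request headers are dumped into an HTML comment as a debugging aid.
    # A comment can only be closed by a sequence containing ">", so encoding
    # that one character keeps header values from ending the comment early.
    header_dump = str(request.headers).replace(u">", u"&gt;")

    return [(b"Content-Type", b"text/html"), (b"Allow-CSP-From", b"*")], u'''
<!DOCTYPE html>
<html>
<head>
    <!--{2}-->
    <script>
      window.addEventListener('message', function(e) {{
        window.parent.postMessage(e.data, '*');
      }});

      window.parent.postMessage({0}, '*');
    </script>
</head>
<body>
    {1}
</body>
</html>
'''.format(_script_safe_json(message), second_level_iframe_code, header_dump)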