# Fixed values shared by both responses of this fixture.  They are test
# constants, NOT a pattern for production: a real CSP nonce must be
# unguessable and freshly generated per response.
_ETAG = b"123456"
_SCRIPT_HASH = b"'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw='"
_CACHE_CONTROL = b"private, max-age=0, must-revalidate"

# Document served on the first (200) response.  It reports back to the
# embedding test page via postMessage: the originalPolicy of any CSP
# violation, plus a marker for whichever nonce'd inline script ran.
# The '*' target origin is acceptable only because this is a test fixture.
_PAGE = u'''
<!DOCTYPE html>
<html>
<head>
  <script>
    window.addEventListener("securitypolicyviolation", function(e) {
      top.postMessage(e.originalPolicy, '*');
    });
  </script>
  <script nonce="abc">
    top.postMessage('abc_executed', '*');
  </script>
  <script nonce="def">
    top.postMessage('def_executed', '*');
  </script>
</head>
</html>
'''


def _response_headers(nonce, etag_header_name):
    """Build the header list for one response of this fixture.

    Args:
        nonce: bytes nonce to allow in ``script-src`` (``b"abc"`` or ``b"def"``).
        etag_header_name: bytes header name used for the ETag.  The original
            fixture spells it ``Etag`` on the 200 and ``ETag`` on the 304; header
            names are case-insensitive on the wire, so the difference is
            cosmetic, and it is preserved here byte-for-byte.

    Returns:
        list of (name, value) bytes pairs in the order the fixture emits them.
    """
    policy = b"script-src 'nonce-" + nonce + b"' " + _SCRIPT_HASH
    return [
        (b"Content-Type", b"text/html"),
        (b"Content-Security-Policy", policy),
        (b"Cache-Control", _CACHE_CONTROL),
        (etag_header_name, _ETAG),
    ]


def main(request, response):
    """wptserve handler: serve a page whose CSP changes on 304 revalidation.

    First request (no ``If-None-Match``): 200 with a CSP allowing
    ``'nonce-abc'`` and the full HTML document, marked ``must-revalidate``
    with a fixed ETag so the browser revalidates on the next load.

    Revalidation request (any ``If-None-Match`` present): empty-bodied 304
    carrying a *different* CSP that allows ``'nonce-def'`` instead.  Which
    inline script then executes tells the enclosing test whether the browser
    applied the 304's updated headers to the cached document (the expected
    outcome is decided by the HTML side of the test, not here).

    Note: the handler does not compare ``If-None-Match`` against the stored
    ETag -- any value triggers the 304 branch.  That is deliberate for a
    fixture but would be wrong in a real origin server.

    Args:
        request: wptserve request; only ``request.headers`` is read.
        response: wptserve response; ``status`` is set to 304 on revalidation.

    Returns:
        ``(headers, body)`` in wptserve's tuple form.
    """
    if not request.headers.get(b"If-None-Match"):
        return _response_headers(b"abc", b"Etag"), _PAGE

    # Second round trip: the conditional request gets a 304 whose CSP
    # differs from the one on the original 200.
    response.status = 304
    return _response_headers(b"def", b"ETag"), u""