o 2h*@sdZddlZddlmZddlmZddlmZddlm Z e Z dZ dZ d d gd d gd gd gd ZejddGdddZddZGdddZdS)z0Validates responses and their security features.N) Collection)Headers)http) tb_loggingz text/htmlz default-srcz'unsafe-inline'zdata:zblob:z 'unsafe-eval')z style-srczimg-srcz script-srczfont-srcT)frozenc@s&eZdZUdZeed<eeed<dS) DirectivezContent security policy directive. Loosely follow vocabulary from https://www.w3.org/TR/CSP/#framework-directives. Attributes: name: A non-empty string. value: A collection of non-empty strings. namevalueN)__name__ __module__ __qualname____doc__str__annotations__rrra/var/www/html/chatgem/venv/lib/python3.10/site-packages/tensorboard/backend/security_validator.pyr,s  rcCstd|dS)Nz-In 3.0, this warning will become an error: %s)loggerwarning) error_msgrrr_maybe_raise_value_error;src@sPeZdZdZddZddZddZdd Zd d Zd d Z ddZ ddZ dS)SecurityValidatorMiddlewareaWSGI middleware validating security on response. It validates: - responses have Content-Type - responses have X-Content-Type-Options: nosniff - text/html responses have CSP header. It also validates whether the CSP headers pass basic requirement. e.g., default-src should be present, cannot use "*" directive, and others. For more complete list, please refer to _validate_csp_policies. Instances of this class are WSGI applications (see PEP 3333). cCs ||_dS)zInitializes an `SecurityValidatorMiddleware`. Args: application: The WSGI application to wrap (see PEP 3333). N _application)self applicationrrr__init__Ns z$SecurityValidatorMiddleware.__init__csdfdd }||S)Ncs||||SN)_validate_headers)statusheadersexc_inforstart_responserrstart_response_proxyWs  zBSecurityValidatorMiddleware.__call__..start_response_proxyrr)renvironr"r#rr!r__call__Vs z$SecurityValidatorMiddleware.__call__cCs*t|}||||||dSr)r_validate_content_type _validate_x_content_type_options_validate_csp_headers)r headers_listrrrrr]s  z-SecurityValidatorMiddleware._validate_headerscCs|drdStddS)N Content-Typez&Content-Type is required on a Responsegetr)rrrrrr&cs  z2SecurityValidatorMiddleware._validate_content_typecCs"|d}|dkr dStddS)NzX-Content-Type-Optionsnosniffz2X-Content-Type-Options is required to be "nosniff"r+)rroptionrrrr'is zs$