Skip to content

Instantly share code, notes, and snippets.

@disconnect3d
Last active September 1, 2016 12:46
Show Gist options
  • Save disconnect3d/f8d12ced78be749be70f14dcbcfe0967 to your computer and use it in GitHub Desktop.
Save disconnect3d/f8d12ced78be749be70f14dcbcfe0967 to your computer and use it in GitHub Desktop.
Disabling inline Javascript using CSP (Content-Security-Policy) header
from flask import Flask, make_response
app = Flask(__name__)
send_csp = True
csp = 'script-src'
html = """
Hello
<script>alert('xs')</script>
world
<button onclick="alert('xss')" text="click me">
"""
@app.route('/')
def hello_world():
resp = make_response(html, 200)
if send_csp:
resp.headers['Content-Security-Policy'] = csp
return resp
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment