mig5/cspresso
1
0
Fork 0
Code Issues Pull requests Projects Releases 4 Packages Wiki Activity Actions

Fix bug in mode, which would inject the CSP into third party domains, which they would then throw violations for and trip the result
Some checks failed
CI / test (push) Failing after 2m37s
Details
Lint / test (push) Successful in 29s
Details
Trivy / test (push) Successful in 23s
Details

Browse source
This commit is contained in:
Miguel Jacq 2026-01-06 09:07:21 +11:00
parent a4a15fba57
commit a8093975fd
Signed by: mig5
GPG key ID: 59B3F0C24135C6A9
3 changed files with 19 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -1,3 +1,7 @@
## 0.1.3
* Fix bug in `--evaluate` mode, which would inject the CSP into third party domains, which they would then throw violations for and trip the result
## 0.1.2
* Add `--bypass-csp` option to ignore an existing enforcing CSP to avoid it skewing results

2
pyproject.toml
View file

@ -1,6 +1,6 @@
[tool.poetry]
name = "cspresso"
version = "0.1.2"
version = "0.1.3"
description = "Crawl a website with a headless browser and generate a draft Content-Security-Policy (CSP)."
authors = ["Miguel Jacq <mig@mig5.net>"]
readme = "README.md"

14
src/cspresso/crawl.py
View file

@ -362,9 +362,23 @@ async def crawl_and_generate_csp(
if request.resource_type != "document":
return await route.continue_()
# IMPORTANT: Don't rewrite CSP on third-party iframe/object documents.
# Otherwise --evaluate / --bypass-csp will mutate embedded origins
# (e.g. asciinema.org) and produce bogus frame-ancestors violations.
req_origin = origin_of(request.url)
if not req_origin or req_origin != base_origin:
return await route.continue_()
resp = await route.fetch()
hdrs = {k.lower(): v for k, v in (resp.headers or {}).items()}
# Only treat actual HTML documents as candidates for CSP header rewriting.
# (Playwright classifies iframe navigations as "document" even when non-HTML.)
ct = (hdrs.get("content-type") or "").lower()
is_html = ("text/html" in ct) or ("application/xhtml+xml" in ct)
if not is_html:
return await route.fulfill(response=resp)
if bypass_csp:
hdrs.pop("content-security-policy", None)
hdrs.pop("content-security-policy-report-only", None)