&Vf*dZddlZddlmZddlmZddlmZddlm Z e j Z dZ dZ d d gd d gd gd gd ZejdGddZdZGddZdS)z0Validates responses and their security features.N) Collection)Headers)http) tb_loggingz text/htmlz default-srcz'unsafe-inline'zdata:zblob:z 'unsafe-eval')z style-srczimg-srcz script-srczfont-srcT)frozenc4eZdZUdZeed<eeed<dS) DirectivezContent security policy directive. Loosely follow vocabulary from https://www.w3.org/TR/CSP/#framework-directives. Attributes: name: A non-empty string. value: A collection of non-empty strings. namevalueN)__name__ __module__ __qualname____doc__str__annotations__rc/var/www/html/software/conda/lib/python3.11/site-packages/tensorboard/backend/security_validator.pyr r ,s7 III c?rr c@td|zdS)Nz-In 3.0, this warning will become an error: %s)loggerwarning) error_msgs r_maybe_raise_value_errorr;s  NNCiOPPPPPrcBeZdZdZdZdZdZdZdZdZ dZ d Z d S) SecurityValidatorMiddlewareaWSGI middleware validating security on response. It validates: - responses have Content-Type - responses have X-Content-Type-Options: nosniff - text/html responses have CSP header. It also validates whether the CSP headers pass basic requirement. e.g., default-src should be present, cannot use "*" directive, and others. For more complete list, please refer to _validate_csp_policies. Instances of this class are WSGI applications (see PEP 3333). c||_dS)zInitializes an `SecurityValidatorMiddleware`. Args: application: The WSGI application to wrap (see PEP 3333). N _application)self applications r__init__z$SecurityValidatorMiddleware.__init__Ns (rc@dfd }||S)NcH||||SN)_validate_headers)statusheadersexc_inforstart_responses rstart_response_proxyzBSecurityValidatorMiddleware.__call__..start_response_proxyWs+  " "7 + + +!>&'8<< ???rct|}||||||dSr$)r_validate_content_type _validate_x_content_type_options_validate_csp_headers)r headers_listr's rr%z-SecurityValidatorMiddleware._validate_headers]sQ,'' ##G,,, --g666 ""7+++++rcR|drdStddS)N Content-Typez&Content-Type is required on a Responsegetr)rr's rr.z2SecurityValidatorMiddleware._validate_content_typecs0 ;;~ & &  F !IJJJJJrc^|d}|dkrdStddS)NzX-Content-Type-Optionsnosniffz2X-Content-Type-Options is required to be "nosniff"r4)rr'options rr/z> ! = =H 228<< z2SecurityValidatorMiddleware._validate_csp_policiess? ! ' 'I>D" ' '"1"MT=M5MKOOD"5555X%%((''11)'' 33)KRRUS!!#&&&&5 '8    B     < $TYYz%:%: ; ; ; ; ; < >#&& % %EKKMME T1--Ja=D&)*oo&:&:Z]]F::<r=rrrrr@s  (((@@@,,, KKK     . . .(<(<(rfs<76++++++''''''    $W-!##    d###       $# QQQ KKKKKKKKKKr