flask-wtf
Allow nonce in reCaptcha
Issue: #311
This adds a nonce attribute to the script tag, which can be set via
RecaptchaField(nonce='<nonce>')
In order to use this, the Flask app has to provide the nonce value via a header. Example:
Content-Security-Policy: object-src 'none'; script-src 'nonce-<nonce>'
Codecov Report
Merging #312 into master will increase coverage by <.01%. The diff coverage is 100%.
@@ Coverage Diff @@
## master #312 +/- ##
==========================================
+ Coverage 99.66% 99.66% +<.01%
==========================================
Files 18 18
Lines 894 908 +14
Branches 74 75 +1
==========================================
+ Hits 891 905 +14
Misses 3 3
| Impacted Files | Coverage Δ | |
|---|---|---|
| tests/test_recaptcha.py | 100% <100%> (ø) | :arrow_up: |
| flask_wtf/recaptcha/fields.py | 100% <100%> (ø) | :arrow_up: |
| flask_wtf/recaptcha/widgets.py | 100% <100%> (ø) | :arrow_up: |
Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Powered by Codecov. Last update 6d4c1dc...09fb2b6.
@kesara You need to add documentation for nonce.
Hi @kesara, I was looking at this patch to integrate it in a small project of mine that uses nonce-based CSP. I was wondering, why is the nonce parameter to RecaptchaField used as a string rather than being a callable?
I'm using custom code to generate the nonce, but from what I see also popular extensions such as flask-talisman generate the nonce as a parameter of request, so the value of the nonce is not available when instantiating the class (and it shouldn't be, as the nonce changes for every request), as it would be accessed outside Flask's request context.
Perhaps I'm missing something... how do you generate the CSP nonce to use your patch?
Hi @pogliamarci, I totally forgot that this PR is hanging. :( In my use case we end up allowing everything required for reCaptcha in CSP rules. IIRC the initial idea was to generate the nonce for every request (any way you like) and pass it to the headers.
Your plan to use flask-talisman makes more sense, but that also means flask-wtf will have to add flask-talisman as a dependency? Maybe introduce a new configuration option and use flask-talisman if that is present?
Hi @kesara, what do you mean by “allowing everything required for recaptcha in CSP rules”?
I was using your patch, but, when I instantiate a ReCaptchaField, I’m outside the request context, but the nonce is generated once per request (thus in the request context). So I would need to pass callable instead of a string to ReCaptchaField.
I used flask-talisman as an example, although in my project I’m not using this extension (I have some custom code that generates the nonce in @app.before_request and puts it into request.csp_nonce). But I think that passing a function to ReCaptchaField that then grabs the CSP nonce from the right attribute of the request context should be general enough.
(that said, I’m not a maintainer of this project, I just stumbled upon your PR that was useful for a project of mine)
On 4 Apr 2019, at 22:44, Kesara Rathnayake wrote:
> Hi @pogliamarci, I totally forgot that this PR is hanging. :( In my use case we end up allowing everything required for reCaptcha in CSP rules. IIRC the initial idea was to generate the nonce for every request (any way you like) and pass it to the headers.
> Your plan to use flask-talisman makes more sense, but that also means flask-wtf will have to add flask-talisman as a dependency? Maybe introduce a new configuration option and use flask-talisman if that is present?
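The PR description above attaches a nonce to the reCAPTCHA script tag and expects the same value in the `Content-Security-Policy` header, and the discussion points out that a nonce passed as a plain string is captured once, at field construction, while a CSP nonce is minted once per request. The following is an added example, not flask-wtf's code nor code from anyone in this thread: it models the two approaches side by side. `NonceScriptWidget`, `before_request`, `current_nonce`, `script_allowed_by_csp` and the `_request_ctx` dict are hypothetical names standing in for the reCAPTCHA widget and for Flask's request context, and the script URL is a placeholder, so the whole thing runs offline with the standard library only.

```python
"""Per-request CSP nonces resolved at render time vs. a nonce fixed at construction.

Constructed example (not flask-wtf's code). A plain dict stands in for Flask's
request context so the example runs without Flask installed.
"""
import base64
import re
import secrets
from html import escape
from typing import Callable, List, Optional, Tuple, Union

# Placeholder script URL, constructed for this example (not the real reCAPTCHA URL).
SCRIPT_SRC = "https://example.invalid/recaptcha/api.js"

# A widget may receive a fixed string, a zero-argument callable, or nothing at all.
NonceSource = Union[str, Callable[[], str], None]


def generate_nonce(nbytes: int = 16) -> str:
    """Fresh CSP nonce: base64 of at least 128 random bits, as the CSP grammar expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


# Minimal stand-in for a per-request context (Flask's `request` / `g`); constructed here.
_request_ctx = {}


def before_request() -> None:
    """Rotate the nonce at the start of every simulated request (like @app.before_request)."""
    _request_ctx["csp_nonce"] = generate_nonce()


def current_nonce() -> str:
    """Callable a widget can hold instead of a fixed string; reads the live request context."""
    return _request_ctx["csp_nonce"]


def csp_header(nonce: str) -> str:
    """Header value in the shape the PR description shows."""
    return f"object-src 'none'; script-src 'nonce-{nonce}'"


class NonceScriptWidget:
    """Hypothetical widget standing in for the reCAPTCHA script-tag renderer."""

    def __init__(self, src: str, nonce: NonceSource = None) -> None:
        self.src = src
        self.nonce = nonce

    def resolve_nonce(self) -> Optional[str]:
        # A callable is evaluated at render time, inside the request; a string is used as-is.
        return self.nonce() if callable(self.nonce) else self.nonce

    def render(self) -> str:
        nonce = self.resolve_nonce()
        # Attribute-escape the nonce so an odd value can never break out of the tag.
        nonce_attr = f' nonce="{escape(nonce, quote=True)}"' if nonce else ""
        return f'<script src="{escape(self.src, quote=True)}"{nonce_attr} async defer></script>'


def script_allowed_by_csp(html: str, header: str) -> bool:
    """The browser's rule in miniature: the tag's nonce must match one listed in script-src."""
    tag = re.search(r'\bnonce="([^"]*)"', html)
    allowed = set(re.findall(r"'nonce-([^']+)'", header))
    return tag is not None and tag.group(1) in allowed


def demo_string_nonce() -> Tuple[bool, bool]:
    """Nonce captured once at construction: valid for that request, stale for the next."""
    before_request()
    widget = NonceScriptWidget(SCRIPT_SRC, nonce=current_nonce())  # string, frozen now
    first = script_allowed_by_csp(widget.render(), csp_header(current_nonce()))
    before_request()  # next request rotates the nonce; the widget still holds the old one
    second = script_allowed_by_csp(widget.render(), csp_header(current_nonce()))
    return first, second


def demo_callable_nonce(requests: int = 3) -> Tuple[bool, ...]:
    """Nonce resolved per render through a callable: valid on every request."""
    widget = NonceScriptWidget(SCRIPT_SRC, nonce=current_nonce)  # callable, not its value
    results: List[bool] = []
    for _ in range(requests):
        before_request()
        results.append(script_allowed_by_csp(widget.render(), csp_header(current_nonce())))
    return tuple(results)


if __name__ == "__main__":
    print("string nonce across two requests:", demo_string_nonce())
    print("callable nonce across three requests:", demo_callable_nonce())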