apifrom.security.trusted_types

Trusted Types implementation for APIFromAnything.

This module provides utilities for implementing Trusted Types, a web platform feature that helps prevent DOM-based Cross-Site Scripting (XSS) attacks by restricting the strings that can be passed to DOM injection sinks.

Overview

Classes


class BaseMiddleware(**options)

Bases: abc.ABC

Base middleware class for APIFromAnything.

This abstract class defines the interface for middleware components. Middleware components can process requests and responses.

apifrom.security.trusted_types.options

Options for the middleware.

Type:

dict

Initialize a new BaseMiddleware instance.

param **options:

Options for the middleware.

class apifrom.security.trusted_types.Request(request=None, path_params=None, method=None, path=None, query_params=None, headers=None, body=None, client_ip=None)
Parameters:
  • request (Optional[starlette.requests.Request])

  • path_params (Optional[dict[Any, Any]])

  • method (Optional[str])

  • path (Optional[str])

  • query_params (Optional[dict[Any, Any]])

  • headers (Optional[dict[Any, Any]])

  • body (Optional[Union[str, bytes]])

  • client_ip (Optional[str])

Request class for APIFromAnything.

This class wraps a Starlette request and provides methods for accessing request data in a convenient way.

apifrom.security.trusted_types._request

The underlying Starlette request.

apifrom.security.trusted_types.path_params

Path parameters extracted from the URL.

apifrom.security.trusted_types.query_params

Query parameters extracted from the URL.

apifrom.security.trusted_types.headers

HTTP headers.

apifrom.security.trusted_types.method

HTTP method.

apifrom.security.trusted_types.path

Request path.

apifrom.security.trusted_types._body

Cached request body.

Initialize a new Request instance.

param request:

The underlying Starlette request.

param path_params:

Path parameters extracted from the URL.

param method:

The HTTP method.

param path:

The request path.

param query_params:

Query parameters.

param headers:

HTTP headers.

param body:

Request body.

param client_ip:

Client IP address.

class apifrom.security.trusted_types.Response(content=None, status_code=200, headers=None, content_type='application/json')
Parameters:
  • content (Any)

  • status_code (int)

  • headers (Optional[Dict[str, str]])

  • content_type (str)

Response class for APIFromAnything.

This class represents an HTTP response and provides methods for setting response data, status code, and headers.

apifrom.security.trusted_types.content

The response content.

apifrom.security.trusted_types.status_code

The HTTP status code.

apifrom.security.trusted_types.headers

HTTP headers.

apifrom.security.trusted_types.content_type

The content type of the response.

Initialize a new Response instance.

param content:

The response content.

param status_code:

The HTTP status code.

param headers:

HTTP headers.

param content_type:

The content type of the response.

class apifrom.security.trusted_types.TrustedTypesBuilder

Helper class for building Trusted Types policies.

static apifrom.security.trusted_types.create_default_policy()

Create a default Trusted Types policy.

returns:

A default Trusted Types policy

static apifrom.security.trusted_types.create_escape_policy()

Create a Trusted Types policy that escapes HTML.

returns:

A Trusted Types policy that escapes HTML

static apifrom.security.trusted_types.create_sanitize_policy()

Create a Trusted Types policy that sanitizes HTML.

returns:

A Trusted Types policy that sanitizes HTML

static apifrom.security.trusted_types.create_url_policy()

Create a Trusted Types policy for URLs.

returns:

A Trusted Types policy for URLs

class TrustedTypesMiddleware(policies=None, require_for_script=True, allow_duplicates=False, report_only=False, report_uri=None, exempt_paths=None)

Bases: apifrom.middleware.base.BaseMiddleware

Middleware for adding Trusted Types headers and scripts to responses.

This middleware adds the Content-Security-Policy header with the require-trusted-types-for directive to enforce Trusted Types for script execution, and injects a script to create Trusted Types policies.

Initialize the Trusted Types middleware.

param policies:

List of Trusted Types policies to create

param require_for_script:

Whether to require Trusted Types for script execution

param allow_duplicates:

Whether to allow duplicate policy names

param report_only:

Whether to use report-only mode

param report_uri:

URI to report violations to

param exempt_paths:

Paths exempt from Trusted Types

apifrom.security.trusted_types._generate_policy_script()

Generate a script to create Trusted Types policies.

returns:

A script element with the policy creation code

apifrom.security.trusted_types._get_csp_header_name()

Get the CSP header name based on the mode.

returns:

The CSP header name

apifrom.security.trusted_types._get_csp_header_value()

Get the CSP header value for Trusted Types.

returns:

The CSP header value
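
How the middleware options documented above map onto a response header, as an added sketch that is not APIFromAnything's own code. The function names are hypothetical; the serialization follows the CSP require-trusted-types-for and trusted-types directive grammar, not this module's private methods.

```python
import re

# tt-policy-name grammar from the Trusted Types spec: 1*(ALPHA / DIGIT / -#=_/@.%)
_POLICY_NAME = re.compile(r"[A-Za-z0-9\-#=_/@.%]+")


def valid_policy_name(name):
    # fullmatch, not "^...$": "$" would accept a trailing newline, which
    # must never reach an HTTP header value.
    return isinstance(name, str) and _POLICY_NAME.fullmatch(name) is not None


def csp_header_name(report_only=False):
    """Enforcing header, or its report-only twin that only logs violations."""
    if report_only:
        return "Content-Security-Policy-Report-Only"
    return "Content-Security-Policy"


def csp_header_value(policy_names, require_for_script=True,
                     allow_duplicates=False, report_uri=None):
    """Serialize the Trusted Types directives for an allowlist of policy names."""
    names = []
    for name in policy_names:
        # A name containing ";" or spaces could smuggle in extra directives.
        if not valid_policy_name(name):
            raise ValueError(f"invalid Trusted Types policy name: {name!r}")
        if name not in names:
            names.append(name)
    if names:
        tokens = names + (["'allow-duplicates'"] if allow_duplicates else [])
    else:
        tokens = ["'none'"]  # empty allowlist: no policy may be created
    directives = []
    if require_for_script:
        directives.append("require-trusted-types-for 'script'")
    directives.append("trusted-types " + " ".join(tokens))
    if report_uri:
        if any(c in report_uri for c in " ;,\r\n"):
            raise ValueError("report_uri must be a single URI token")
        directives.append(f"report-uri {report_uri}")
    return "; ".join(directives)


if __name__ == "__main__":
    print(csp_header_name(report_only=True) + ":",
          csp_header_value(["default", "escape"], report_uri="/tt-report"))
```

Rolling out with report_only=True first surfaces the sinks that still receive plain strings before enforcement starts blocking them.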

apifrom.security.trusted_types._inject_policy_script(response)

Inject the policy script into HTML content.

param response:

The response or HTML content to modify

returns:

The modified response or HTML content

apifrom.security.trusted_types._is_exempt(request)

Check if a request is exempt from Trusted Types.

param request:

The request to check

returns:

True if the request is exempt, False otherwise

async apifrom.security.trusted_types.process_request(request)

Process a request through the Trusted Types middleware.

param request:

The request to process

returns:

The processed request

async apifrom.security.trusted_types.process_response(response)

Process a response through the Trusted Types middleware.

param response:

The response to process

returns:

The processed response

class apifrom.security.trusted_types.TrustedTypesPolicy(name, enforce=True)

Policy for configuring Trusted Types.

This class represents a Trusted Types policy that can be used to create trusted values for various DOM sinks.

Initialize the Trusted Types policy.

param name:

The name of the policy

param enforce:

Whether to enforce the policy

apifrom.security.trusted_types.add_html_handler(handler)

Add an HTML handler.

param handler:

The handler function

returns:

The policy instance for chaining

apifrom.security.trusted_types.add_script_handler(handler)

Add a script handler.

param handler:

The handler function

returns:

The policy instance for chaining

apifrom.security.trusted_types.add_script_url_handler(handler)

Add a script URL handler.

param handler:

The handler function

returns:

The policy instance for chaining

apifrom.security.trusted_types.add_url_handler(handler)

Add a URL handler.

param handler:

The handler function

returns:

The policy instance for chaining

apifrom.security.trusted_types.create_html(html)

Create trusted HTML.

param html:

The HTML to create

returns:

The trusted HTML

apifrom.security.trusted_types.create_script(script)

Create a trusted script.

param script:

The script to create

returns:

The trusted script

apifrom.security.trusted_types.create_script_url(url)

Create a trusted script URL.

param url:

The URL to create

returns:

The trusted script URL

apifrom.security.trusted_types.create_url(url)

Create a trusted URL.

param url:

The URL to create

returns:

The trusted URL

apifrom.security.trusted_types.to_js()

Convert the policy to JavaScript code.

returns:

JavaScript code for creating the policy

class apifrom.security.trusted_types.TrustedTypesViolationReporter(report_uri, callback=None)
Parameters:
  • report_uri (str)

  • callback (Optional[Callable[[Dict[str, Any]], None]])

Reporter for Trusted Types violations.

This class provides utilities for handling Trusted Types violation reports.

Initialize the Trusted Types violation reporter.

param report_uri:

The URI to send violation reports to

param callback:

A callback function to handle violation reports

apifrom.security.trusted_types.get_report_uri()

Get the report URI.

returns:

The report URI

async apifrom.security.trusted_types.handle_report(report)

Handle a Trusted Types violation report.

param report:

The violation report
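
What a report endpoint typically has to do with the bodies browsers POST to the report URI, as an added example that is not APIFromAnything's own code. The function names, size cap and sample reports are assumptions; the field names are those of the standard csp-report JSON body.

```python
import json

MAX_REPORT_BYTES = 16 * 1024  # assumed cap: the endpoint accepts unauthenticated POSTs
KINDS = {"trusted-types-sink": "sink", "trusted-types-policy": "policy"}


def clean(value, limit):
    """Drop control characters so attacker-supplied text cannot forge log lines."""
    return "".join(c for c in str(value) if c.isprintable())[:limit]


def summarize_tt_report(raw):
    """Return a normalized dict for a Trusted Types violation, else None."""
    if len(raw) > MAX_REPORT_BYTES:
        return None
    try:
        body = json.loads(raw)
    except (ValueError, RecursionError):
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    blocked = report.get("blocked-uri") if isinstance(report, dict) else None
    kind = KINDS.get(blocked) if isinstance(blocked, str) else None
    if kind is None:
        return None  # another CSP directive fired, or the body is malformed
    sample = clean(report.get("script-sample", ""), 120)
    if kind == "sink":  # sample is "<sink name>|<start of the rejected string>"
        sink, _, detail = sample.partition("|")
    else:  # policy-creation violation: the sample is the policy name
        sink, detail = "", sample
    return {"kind": kind, "sink": sink, "detail": detail,
            "document": clean(report.get("document-uri", ""), 200),
            "enforced": report.get("disposition") == "enforce"}


# Constructed sample reports, not captured from a real deployment.
SINK_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/profile", "disposition": "report",
    "blocked-uri": "trusted-types-sink",
    "script-sample": 'Element innerHTML|<div class="msg">hi</div>',
}}).encode()
POLICY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/", "disposition": "enforce",
    "blocked-uri": "trusted-types-policy", "script-sample": "legacy-widget",
}}).encode()
```

Every field in a report is client-controlled, so the summary is suitable for triage and counting but not as evidence that a given page actually violated the policy.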