This repository has been archived by the owner on Nov 15, 2019. It is now read-only.

florimondmanca/fetch-metadata-asgi

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

fetch-metadata-asgi

Proof-of-concept ASGI middleware implementation of the Fetch Metadata specification for Python 3.6+.

The Fetch Metadata spec defines request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) that the browser sets and that page script cannot forge. A server can use them to reject unwanted cross-site requests before they reach application code, protecting clients from CSRF, XSSI, cross-site leaks and similar bugs. Non-browser clients such as curl can still set the headers by hand, which is what the examples below rely on.

Important: this repo was created following a talk by Lukas Weichselbaum at PyConWeb 2019. It is neither an official nor an audited implementation of the Fetch Metadata specification in any way. Feel free to fork it, copy-paste the code, or hack it away!

For more information:

Installation

HTTP header parsing is provided by Starlette:

pip install starlette

Usage

This middleware should be usable with any ASGI3-compliant application.

An example "Hello, World!" ASGI app wrapped by the FetchMetadataMiddleware is provided in example.py:

from fetch_metadata import FetchMetadataMiddleware
from starlette.responses import PlainTextResponse

async def app(scope, receive, send):
    assert scope["type"] == "http"
    response = PlainTextResponse("Hello, world!")
    await response(scope, receive, send)

app = FetchMetadataMiddleware(app)

Serve it using uvicorn or any other ASGI web server:

uvicorn example:app

Example allowed requests (the first carries no Fetch Metadata headers at all, as an older browser or a non-browser client would send, and is let through):

curl http://localhost:8000
curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: navigate"
curl http://localhost:8000 -H "Sec-Fetch-Site: same-site"

Example disallowed requests:

curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: cors"
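The README does not reproduce fetch_metadata.py itself, so the following is an added, self-contained example (not the project's code) of the Resource Isolation Policy that the curl examples above exercise: allow requests with no Fetch Metadata, allow `same-origin`, `same-site` and `none`, and allow cross-site requests only when they are top-level GET navigations that are not loaded into `<object>` or `<embed>`. It uses the value a browser actually sends, `cross-site`; the `cross-origin` value in the curl examples above is not one the spec defines. The names `is_allowed`, `ResourceIsolationMiddleware`, `hello_app` and `simulate` are all assumptions of this example, and `simulate` drives a request through the ASGI app in-process so the policy can be checked without uvicorn.

```python
import asyncio
from typing import Dict, Optional, Tuple

# Sec-Fetch-Site values the policy trusts. The spec's fourth value is
# "cross-site"; "cross-origin" (used in the README's curl examples) is not a
# value a browser will ever send.
TRUSTED_SITES = {"same-origin", "same-site", "none"}
# Navigations into these destinations let an attacker page embed the response.
BLOCKED_NAV_DESTS = {"object", "embed"}


def is_allowed(headers: Dict[str, str], method: str) -> bool:
    """Resource Isolation Policy decision (hypothetical helper, not the repo's API).

    headers maps lower-cased header names to values.
    """
    site = headers.get("sec-fetch-site")
    if site is None:
        # Client predates Fetch Metadata or is not a browser: nothing to
        # enforce on; the app's existing CSRF defences still apply.
        return True
    if site in TRUSTED_SITES:
        return True
    # Cross-site: only plain top-level GET navigations get through.
    return (
        headers.get("sec-fetch-mode") == "navigate"
        and method.upper() == "GET"
        and headers.get("sec-fetch-dest", "") not in BLOCKED_NAV_DESTS
    )


class ResourceIsolationMiddleware:
    """ASGI3 middleware that rejects disallowed cross-site requests with 403."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # websocket/lifespan scopes pass through
            await self.app(scope, receive, send)
            return
        # ASGI headers are a list of (name, value) byte pairs, names lower-cased.
        headers = {
            name.decode("latin-1").lower(): value.decode("latin-1")
            for name, value in scope.get("headers", [])
        }
        if is_allowed(headers, scope.get("method", "GET")):
            await self.app(scope, receive, send)
            return
        body = b"Forbidden: cross-site request rejected by Fetch Metadata policy\n"
        await send({
            "type": "http.response.start",
            "status": 403,
            "headers": [
                (b"content-type", b"text/plain; charset=utf-8"),
                (b"content-length", str(len(body)).encode("ascii")),
                # Keep shared caches from reusing this 403 for a same-origin request.
                (b"vary", b"Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest"),
            ],
        })
        await send({"type": "http.response.body", "body": body})


async def hello_app(scope, receive, send):
    """Minimal ASGI app standing in for example.py's application."""
    body = b"Hello, world!"
    await send({
        "type": "http.response.start",
        "status": 200,
        "headers": [(b"content-type", b"text/plain; charset=utf-8"),
                    (b"content-length", str(len(body)).encode("ascii"))],
    })
    await send({"type": "http.response.body", "body": body})


app = ResourceIsolationMiddleware(hello_app)


def simulate(asgi_app, method: str = "GET",
             headers: Optional[Dict[str, str]] = None) -> Tuple[int, bytes]:
    """Drive one request through an ASGI app with no server; return (status, body)."""
    scope = {
        "type": "http",
        "asgi": {"version": "3.0"},
        "method": method,
        "path": "/",
        "headers": [(n.lower().encode("latin-1"), v.encode("latin-1"))
                    for n, v in (headers or {}).items()],
    }
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(asgi_app(scope, receive, send))  # asyncio.run needs Python 3.7+
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body


if __name__ == "__main__":
    # Mirrors the README's curl examples with the spec's "cross-site" value.
    print(simulate(app))
    print(simulate(app, headers={"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate"}))
    print(simulate(app, headers={"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors"}))
```

Two points worth keeping from this shape: the decision is a pure function of the headers and method, so it can be unit-tested without a server, and the middleware is placed outermost so the 403 is produced before any session or CSRF-token logic runs.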
