Proof-of-concept ASGI middleware implementation of the Fetch Metadata specification for Python 3.6+.
The Fetch Metadata specification makes browsers send request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) that describe where a request comes from and how it was triggered, so a server can reject unwanted cross-origin requests before they reach the application and protect its users from CSRF, XSSI and similar cross-site attacks.
Important: this repo was created following a talk by Lukas Weichselbaum at PyConWeb 2019. It is neither an official nor an audited implementation of the Fetch Metadata specification in any way. Feel free to fork it, copy-paste the code, or hack it away!
For more information:
HTTP header parsing is provided by Starlette:
pip install starlette
This middleware should be usable with any ASGI3-compliant application.
An example "Hello, World!" ASGI app wrapped by the FetchMetadataMiddleware is provided in example.py:
from fetch_metadata import FetchMetadataMiddleware
from starlette.responses import PlainTextResponse

async def app(scope, receive, send):
    # This minimal app only handles HTTP connections (no lifespan/websocket scopes).
    assert scope["type"] == "http"
    response = PlainTextResponse("Hello, world!")
    await response(scope, receive, send)

# Wrap the app so every request is checked against the Fetch Metadata policy first.
app = FetchMetadataMiddleware(app)
Serve it using uvicorn or any other ASGI web server:
uvicorn example:app
Example allowed requests (note that a request carrying no Sec-Fetch-* headers at all, as from curl or an older browser, is let through, so the application's other protections still apply to it):
curl http://localhost:8000
curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: navigate"
curl http://localhost:8000 -H "Sec-Fetch-Site: same-site"
Example disallowed requests:
curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: cors"
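To make the allow/deny rules behind these curl examples concrete, here is an added, self-contained example (not the repo's own fetch_metadata module) of the same kind of ASGI3 middleware written in plain Python without Starlette. It implements the commonly published "resource isolation" policy: requests without Sec-Fetch-Site pass through, same-origin/same-site/none pass through, and a cross-origin request is only accepted when it is a GET or HEAD top-level navigation whose destination is not object or embed. The GET/HEAD and object/embed conditions are assumptions taken from that policy, not something this page states, and the in-process request driver at the bottom is a test harness constructed for the example.

```python
import asyncio

# Sec-Fetch-Site values that identify a request as not coming from another origin.
SAFE_SITES = {"same-origin", "same-site", "none"}
# Cross-origin navigations to these destinations are still refused
# (assumption taken from the published resource-isolation policy).
BLOCKED_NAV_DESTS = {"object", "embed"}


def _header(headers, name):
    """Return the first value of a raw ASGI header (list of (bytes, bytes)), lower-cased, or ''."""
    for key, value in headers:
        if key.lower() == name:
            return value.decode("latin-1").strip().lower()
    return ""


def is_allowed(method, headers):
    """Decide whether a request may reach the application under the resource-isolation policy."""
    site = _header(headers, b"sec-fetch-site")
    # No Sec-Fetch-Site: a non-browser client or a browser without Fetch Metadata support.
    # Fetch Metadata cannot help here, so let the request through to other protections.
    if not site:
        return True
    if site in SAFE_SITES:
        return True
    # Anything else ("cross-origin" or an unknown value) is treated as cross-origin:
    # only simple top-level navigations are accepted.
    mode = _header(headers, b"sec-fetch-mode")
    dest = _header(headers, b"sec-fetch-dest")
    return (
        mode == "navigate"
        and method.upper() in ("GET", "HEAD")
        and dest not in BLOCKED_NAV_DESTS
    )


class FetchMetadataMiddleware:
    """ASGI3 middleware that rejects disallowed requests with 403 before the app runs."""

    def __init__(self, app, status=403, body=b"Forbidden by Fetch Metadata policy"):
        self.app = app
        self.status = status
        self.body = body

    async def __call__(self, scope, receive, send):
        # Only HTTP scopes carry request headers; pass lifespan/websocket scopes straight through.
        if scope["type"] != "http" or is_allowed(scope.get("method", "GET"), scope.get("headers", [])):
            await self.app(scope, receive, send)
            return
        await send({
            "type": "http.response.start",
            "status": self.status,
            "headers": [
                (b"content-type", b"text/plain; charset=utf-8"),
                # Tell caches the answer depends on the Fetch Metadata headers.
                (b"vary", b"Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest"),
            ],
        })
        await send({"type": "http.response.body", "body": self.body})


async def hello_app(scope, receive, send):
    """The protected application: a bare ASGI "Hello, world!"."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"Hello, world!"})


app = FetchMetadataMiddleware(hello_app)


async def _drive(application, method, headers):
    """Constructed test harness: run one request through an ASGI app in-process."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "asgi": {"version": "3.0"}, "method": method,
             "path": "/", "headers": headers}
    await application(scope, receive, send)
    return sent[0]["status"]


def status_for(method, headers):
    """Return the HTTP status the wrapped app produces for the given method and raw headers."""
    return asyncio.run(_drive(app, method, headers))


if __name__ == "__main__":
    # Mirrors the curl examples above: plain, cross-origin navigate, same-site, cross-origin cors.
    print(status_for("GET", []))
    print(status_for("GET", [(b"sec-fetch-site", b"cross-origin"), (b"sec-fetch-mode", b"navigate")]))
    print(status_for("GET", [(b"sec-fetch-site", b"same-site")]))
    print(status_for("GET", [(b"sec-fetch-site", b"cross-origin"), (b"sec-fetch-mode", b"cors")]))
```

The policy function is kept separate from the middleware so it can be unit-tested without an ASGI server; `asyncio.run` needs Python 3.7+, so on 3.6 drive the app with a manually created event loop instead. Note that a cross-origin POST with Sec-Fetch-Mode: navigate (a classic form-based CSRF) is refused, while a cross-origin GET navigation (a plain link from another site) is accepted, which is what makes the policy usable on ordinary web sites.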