

    def __call__(self, environ, start_response):
        req = Request(environ)
        resp = req.get_response(self.app)
        rules = set(resp.headers.getall('Content-Security-Policy'))
        report_rules = set(resp.headers.getall('Content-Security-Policy-Report-Only'))
        report_uri = self.config.get('csp.report_uri', None)
        report_uri_enforce = self.config.get('csp.report_uri_enforce', None)

        if rules:
            resp.headers.pop('Content-Security-Policy')

        if report_rules:
            resp.headers.pop('Content-Security-Policy-Report-Only')

        if self.config['base_url'].startswith('https'):
            rules.add('upgrade-insecure-requests')

        if self.config.get('csp.frame_sources'):
            frame_srcs = self.config['csp.frame_sources']
            if environ.get('csp_frame_domains'):
                frame_srcs += ' ' + ' '.join(environ['csp_frame_domains'])
            if asbool(self.config.get('csp.frame_sources_enforce', False)):
                rules.add(f"frame-src {frame_srcs}")
            else:
                report_rules.add(f"frame-src {frame_srcs}")

        if self.config.get('csp.fenced_frame_sources'):
            fenced_frame_srcs = self.config['csp.fenced_frame_sources']
            if asbool(self.config.get('csp.fenced_frame_sources_enforce', False)):
                rules.add(f"fenced-frame-src {fenced_frame_srcs}")
            else:
                report_rules.add(f"fenced-frame-src {fenced_frame_srcs}")

        if self.config.get('csp.form_action_urls'):
            srcs = self.config['csp.form_action_urls']
            if environ.get('csp_form_actions'):
                srcs += ' ' + ' '.join(environ['csp_form_actions'])

            oauth_endpoints = (
                '/auth/oauth2/authorize', '/auth/oauth2/do_authorize', '/rest/oauth/authorize', '/rest/oauth/do_authorize')
            if not req.path.startswith(oauth_endpoints):  # Do not enforce CSP for OAuth1 and OAuth2 authorization
                if asbool(self.config.get('csp.form_actions_enforce', False)):
                    rules.add(f"form-action {srcs}")
                else:
                    report_rules.add(f"form-action {srcs}")

        if self.config.get('csp.script_src'):
            script_srcs = self.config['csp.script_src']
            """
            Sometimes you might have the need to build custom values from inside a controller and pass it
            to the middleware. In this case we pass a custom list of domains from google that can't be built
            directly in here.