Allow loading fonts from google, remove flask-seasurf

requirements.txt

@@ -8,14 +8,10 @@ brotli==1.0.9
  # via strong-but-simple-passwords (setup.py)
 click==7.1.2
  # via flask
-flask-seasurf==0.3.0
- # via strong-but-simple-passwords (setup.py)
 flask-talisman==0.7.0
  # via strong-but-simple-passwords (setup.py)
 flask==1.1.2
- # via
- # flask-seasurf
- # strong-but-simple-passwords (setup.py)
+ # via strong-but-simple-passwords (setup.py)
 gunicorn==20.0.4
  # via strong-but-simple-passwords (setup.py)
 itsdangerous==1.1.0

setup.py

@@ -8,7 +8,6 @@
  install_requires=[
  "flask",
  "flask-talisman",
- "flask-seasurf",
  "whitenoise",
  "brotli",
  "gunicorn",

strong_but_simple_passwords/__init__.py

@@ -1,6 +1,5 @@
 from flask import Flask
 from flask_talisman import Talisman
-from flask_seasurf import SeaSurf
 from whitenoise import WhiteNoise
 from pathlib import Path
 from .config import get_config_from_env_vars
@@ -18,15 +17,16 @@ def create_app(config=None):
 
  app.add_url_rule("/", "index", view_func=views.index, methods=("GET", "POST"))
 
- # add CSRF protection
- SeaSurf(app)
-
  # use whitenoise to serve static files
  static_root = Path(__file__).parent / "static/"
  app.wsgi_app = WhiteNoise(app.wsgi_app, root=static_root, prefix="static/")
 
  # disable force_https during testing
  force_https = not app.config["TESTING"]
- Talisman(app, force_https=force_https)
+
+ # allow to load fonts from google
+ csp = {"default-src": ["'self'", "*.googleapis.com", "*.gstatic.com"]}
+
+ Talisman(app, force_https=force_https, content_security_policy=csp)
 
  return app

strong_but_simple_passwords/templates/index.html

@@ -44,7 +44,6 @@ <h3>2. Only keep the first 3 letters of each word</h3>
  <h3>3. Put a random symbol somewhere in between</h3>
  </li>
  </ol>
- <input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
  <button type="submit">Generate password!</button>
  </form>
  </main>