Pyramid-weblayer

Latest version: v0.14.7

Page 1 of 5

0.14.1

Bump to remove `src/*.egg-info` directory from PyPI distribution.

0.14

Fix CSRF validation for CORS requests using `withCredentials`.

0.13.2

Allow configuration `registry` to be passed into `main.make_wsgi_app`.

0.13

Noop tracking in `development` and `testing` modes.

0.12.5

Update the mako monkey patching in `patch.py` to work with both the old
`pyramid.mako_templating` module and the new `pyramid_mako` library
introduced with Pyramid 1.5.

0.12

Breaking change: update CSRF machinery to also protect AJAX requests, as per
[this security advice][].

Previously, requests with an `X-Requested-With` header value of `XMLHttpRequest`
were not validated against a CSRF token. Now, they are. This will break existing
applications that rely on the previous behaviour: they will see `403 Forbidden`
responses to XHR requests that were previously working, when those requests
use methods that can have side effects, i.e. `POST`, `PUT` and `DELETE`.

The new CSRF validator for `XMLHttpRequest`s first looks for a `_csrf` token in
the request params (as per normal requests). If this is not found, it looks for
a token in the `X-CSRFToken` header.
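The lookup order described above, as an added Python example that is not part of pyramid_weblayer's own code: a minimal request stand-in is constructed inline, the token stored server-side is assumed to live on the request (`session_token`), and non-XHR requests are assumed to keep the old behaviour of checking `_csrf` in the params only. Comparison uses `hmac.compare_digest` so a wrong token cannot be distinguished by timing.

```python
import hmac
from dataclasses import dataclass, field

# Methods the changelog names as able to have side effects.
SIDE_EFFECT_METHODS = frozenset({"POST", "PUT", "DELETE"})


@dataclass
class FakeRequest:
    """Constructed stand-in for a Pyramid request (not the real class)."""
    method: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    # Assumption: the token stored for this session is exposed here.
    session_token: str = "expected-token"


def is_xhr(request):
    """An AJAX request, identified the way the changelog describes."""
    return request.headers.get("X-Requested-With") == "XMLHttpRequest"


def submitted_token(request):
    """Params first (as for normal requests); for XHR, fall back to the header."""
    token = request.params.get("_csrf")
    if token is None and is_xhr(request):
        token = request.headers.get("X-CSRFToken")
    return token


def csrf_ok(request):
    """True when the request needs no token or carries a matching one."""
    if request.method.upper() not in SIDE_EFFECT_METHODS:
        return True
    token = submitted_token(request)
    if not token:
        return False
    # Constant-time comparison against the session-stored value.
    return hmac.compare_digest(token.encode(), request.session_token.encode())


def csrf_status(request):
    """403 when validation fails, None when the request may proceed."""
    return None if csrf_ok(request) else 403


if __name__ == "__main__":
    xhr = {"X-Requested-With": "XMLHttpRequest", "X-CSRFToken": "expected-token"}
    print(csrf_status(FakeRequest("POST", headers=xhr)))   # None
    print(csrf_status(FakeRequest("POST")))                # 403
```

A plain `DELETE` that sends only the header (no `X-Requested-With`) is refused here, which is the behaviour to check for when auditing clients that set the header by hand rather than through `$.ajaxSetup`.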

If you use jQuery (or Zepto, etc.) and server side templating through Pyramid,
you can use the [pyramid_layout][] panel provided to add this header to all
appropriate AJAX requests. Add it to your base template, e.g. just below your
jQuery / Zepto script:

    <script src="your/jquery.js"></script>
    ${panel('csrf-ajax-setup')}

This adds a script element with code along these lines:

    $.ajaxSetup({
        'beforeSend': function(xhr, s) {
            if (can_have_side_effects && is_relative_or_same_origin) {
                xhr.setRequestHeader('X-CSRFToken', '<csrf token>');
            }
        }
    });

[this security advice]: https://www.djangoproject.com/weblog/2011/feb/08/security/
[pyramid_layout]: http://docs.pylonsproject.org/projects/pyramid_layout/en/latest/
