Flask 监控仪表板不适用于 after_request

Question

Flask Monitoring Dashboard Module is not working fine when @app.after_request is used in Flask Server.

If I remove the @app.after_request then the Dashboard is working fine.

I want to include few things in @app.after_request.

@app.after_request
def after_request(response):
    s= 'request:'+str(request.data)+" \n "+str(request.remote_addr)+"  "+str(request.method)+"  "+ str(request.scheme)+"  "+ str(request.full_path)+"  "+str(response.status)+" \n "+"response returned :"+ str(response.data)
    print(s)
    debugPrint(str(inspect.stack()[0][3]),s)
    response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
    response.headers['Content-Security-Policy'] = "default-src 'self'"
    response.headers['X-Content-Type-Options'] = 'nosniff'
    response.headers['X-Frame-Options'] = 'SAMEORIGIN'
    response.headers['X-XSS-Protection'] = '1; mode=block'

    return response

when this code is included, the flask monitoring Dashboard is showing

Console Log when I am checking Flask Monitoring Dashboard

Kindly please help me to resolve this issue.

Answer 1

As @Halvor Sakshaug observes above, your problem is the line:

    response.headers['Content-Security-Policy'] = "default-src 'self'"

If you look into your page console you'll see a bunch of messages of the form:

Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.5/angular.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the script 'https://unpkg.com/sunburst-chart' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Since the external URLs are loading critical resources (eg Angular), and your desired content policy prevents this, at the moment it is only by relaxing your content security policy that you can make the Flask Monitoring Dashboard work.

A line that allows all the FMD required external resources is:

    response.headers['Content-Security-Policy'] = "script-src 'self' cdnjs.cloudflare.com/ajax/ ajax.googleapis.com/ajax/ unpkg.com/sunburst-chart;"

PS Note that your code is also broken because the request var is undefined in the scope of the after_request function.