implement content-security-policy, static assets cache bust, and fix

stripe back button ratchet issue

because the only way to use stripe checkout is to run their proprietary
JS, and we arent using a SPA, naturally what happens is, when you land
on the stripe payment page if you hit the back button it goes back to
the same page where you got re-directed to stripe. this commit fixes
that.

capsulflask/__init__.py

@@ -2,12 +2,15 @@ import logging
 from logging.config import dictConfig as logging_dict_config
 
 import os
+import hashlib
 
 import stripe
 from dotenv import load_dotenv, find_dotenv
 from flask import Flask
 from flask_mail import Mail
 from flask import render_template
+from flask import url_for
+from flask import current_app
 
 from capsulflask import virt_model, cli
 from capsulflask.btcpay import client as btcpay
@@ -45,19 +48,19 @@ app.config.from_mapping(
 )
 
 logging_dict_config({
-    'version': 1,
-    'formatters': {'default': {
-        'format': '[%(asctime)s] %(levelname)s in %(module)s: %(message)s',
-    }},
-    'handlers': {'wsgi': {
-        'class': 'logging.StreamHandler',
-        'stream': 'ext://flask.logging.wsgi_errors_stream',
-        'formatter': 'default'
-    }},
-    'root': {
-        'level': app.config['LOG_LEVEL'],
-        'handlers': ['wsgi']
-    }
+  'version': 1,
+  'formatters': {'default': {
+    'format': '[%(asctime)s] %(levelname)s in %(module)s: %(message)s',
+  }},
+  'handlers': {'wsgi': {
+    'class': 'logging.StreamHandler',
+    'stream': 'ext://flask.logging.wsgi_errors_stream',
+    'formatter': 'default'
+  }},
+  'root': {
+    'level': app.config['LOG_LEVEL'],
+    'handlers': ['wsgi']
+  }
 })
 
 # app.logger.critical("critical")
@@ -72,9 +75,9 @@ stripe.api_version = app.config['STRIPE_API_VERSION']
 app.config['FLASK_MAIL_INSTANCE'] = Mail(app)
 
 if app.config['VIRTUALIZATION_MODEL'] == "shell_scripts":
-    app.config['VIRTUALIZATION_MODEL'] = virt_model.ShellScriptVirtualization()
+  app.config['VIRTUALIZATION_MODEL'] = virt_model.ShellScriptVirtualization()
 else:
-    app.config['VIRTUALIZATION_MODEL'] = virt_model.MockVirtualization()
+  app.config['VIRTUALIZATION_MODEL'] = virt_model.MockVirtualization()
 
 app.config['BTCPAY_CLIENT'] = btcpay.Client(api_uri=app.config['BTCPAY_URL'], pem=app.config['BTCPAY_PRIVATE_KEY'])
 
@@ -93,3 +96,49 @@ app.register_blueprint(cli.bp)
 
 app.add_url_rule("/", endpoint="index")
 
+@app.after_request
+def security_headers(response):
+  response.headers['X-Frame-Options'] = 'SAMEORIGIN'
+  if 'Content-Security-Policy' not in response.headers:
+    response.headers['Content-Security-Policy'] = "default-src 'self'"
+  response.headers['X-Content-Type-Options'] = 'nosniff'
+  return response
+
+
+@app.context_processor
+def override_url_for():
+  """
+  override the url_for function built into flask 
+  with our own custom implementation that busts the cache correctly when files change 
+  """
+  return dict(url_for=url_for_with_cache_bust)
+
+
+
+def url_for_with_cache_bust(endpoint, **values):
+  """
+  Add a query parameter based on the hash of the file, this acts as a cache bust
+  """
+  
+  if endpoint == 'static':
+    filename = values.get('filename', None)
+    if filename:
+      if 'STATIC_FILE_HASH_CACHE' not in current_app.config:
+        current_app.config['STATIC_FILE_HASH_CACHE'] = dict()
+      
+      if filename not in current_app.config['STATIC_FILE_HASH_CACHE']:
+        filepath = os.path.join(current_app.root_path, endpoint, filename)
+        #print(filepath)
+        if os.path.isfile(filepath) and os.access(filepath, os.R_OK):
+          
+          with open(filepath, 'rb') as file:
+            hasher = hashlib.md5()
+            hasher.update(file.read())
+            current_app.config['STATIC_FILE_HASH_CACHE'][filename] = hasher.hexdigest()[-6:]
+            
+      values['q'] = current_app.config['STATIC_FILE_HASH_CACHE'][filename]
+
+  return url_for(endpoint, **values)
+
+
+