Posted to commits@allura.apache.org by gc...@apache.org on 2023/05/25 14:56:22 UTC

[allura] branch master updated (c67b7d459 -> 4ded20c09)

This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git


    from c67b7d459 fix skjold warning for request<2.31
     new 6b1e40e96 [#8511] adding new header Referrer-Policy
     new 4ded20c09 [#8511] updated Referrer-Policy header directive

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 Allura/allura/config/middleware.py     | 4 ++--
 Allura/allura/lib/custom_middleware.py | 6 ++++--
 Allura/development.ini                 | 3 +++
 3 files changed, 9 insertions(+), 4 deletions(-)


[allura] 02/02: [#8511] updated Referrer-Policy header directive

Posted by gc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 4ded20c09a95c4fa4a11488254a2fdf8c7ea73bf
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Thu May 25 08:54:27 2023 -0600

    [#8511] updated Referrer-Policy header directive
---
 Allura/development.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Allura/development.ini b/Allura/development.ini
index 20fe654d7..7e3850d50 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -357,7 +357,7 @@ features_policies = microphone 'none'; geolocation 'none'; camera 'none'; paymen
 permissions_policies = microphone=(), geolocation=(), camera=(), payment=(), document-domain=(), display-capture=(), autoplay=()
 
 ; Referrer Policy
-referrer_policy = 'origin'
+referrer_policy = 'same-origin'
 
 ; SCM settings for local development
 ; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding
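Review bot: The value on the changed line is wrapped in single quotes, `referrer_policy = 'same-origin'`, but Referrer-Policy takes a bare token. If the ini loader keeps the quotes as part of the value (Python's configparser does not strip them), the header goes out as `Referrer-Policy: 'same-origin'`, which browsers are expected to ignore as an unrecognised value, falling back to their default policy. Write it as `referrer_policy = same-origin`. The same quoting appears in the development.ini hunk of commit 6b1e40e96, which first adds `referrer_policy = 'origin'`, and the custom_middleware.py hunk passes the configured string through unchanged, so nothing downstream removes the quotes. A test asserting the exact header value emitted by SetHeadersMiddleware would catch this.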


[allura] 01/02: [#8511] adding new header Referrer-Policy

Posted by gc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 6b1e40e963fa6da35275ad00c88700038692406a
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Fri May 19 16:17:58 2023 -0500

    [#8511] adding new header Referrer-Policy
---
 Allura/allura/config/middleware.py     | 4 ++--
 Allura/allura/lib/custom_middleware.py | 6 ++++--
 Allura/development.ini                 | 3 +++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 5e42a1b06..58ee37078 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -61,7 +61,7 @@ from allura.lib.custom_middleware import RememberLoginMiddleware
 from allura.lib.custom_middleware import SetRequestHostFromConfig
 from allura.lib.custom_middleware import MingTaskSessionSetupMiddleware
 from allura.lib.custom_middleware import ContentSecurityPolicyMiddleware
-from allura.lib.custom_middleware import BrowserPermissionsPolicy
+from allura.lib.custom_middleware import SetHeadersMiddleware
 from allura.lib.custom_middleware import StatusCodeRedirect
 from allura.lib import helpers as h
 from allura.lib.utils import configure_ming
@@ -133,7 +133,7 @@ def _make_core_app(root, global_conf: dict, **app_conf):
     # CSP headers
     app = ContentSecurityPolicyMiddleware(app, config)
     # broswer permissions policy
-    app = BrowserPermissionsPolicy(app, config)
+    app = SetHeadersMiddleware(app, config)
     # Required for sessions
     app = SessionMiddleware(app, config, data_serializer=BeakerPickleSerializerWithLatin1())
     # Handle "Remember me" functionality
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index e3f130cdf..e74594aa0 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -533,8 +533,8 @@ class ContentSecurityPolicyMiddleware:
         return resp(environ, start_response)
 
 
-class BrowserPermissionsPolicy:
-    """ Sets Permissions-Policy header for iframes """
+class SetHeadersMiddleware:
+    """ Set headers """
 
     def __init__(self, app, config):
         self.app = app
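Review bot: The new docstring `""" Set headers """` says less than the one it replaces and no longer tells a reader which headers this middleware owns. Something like `""" Sets Permissions-Policy, Feature-Policy and Referrer-Policy response headers from config """` would keep the class self-describing now that its name is generic. It is also worth noting there that each header is emitted only when its config key is set, as the `config.get(...)` checks in the following hunk show. The class body continues outside this hunk.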
@@ -547,6 +547,8 @@ class BrowserPermissionsPolicy:
             resp.headers.add('Permissions-Policy', f"{self.config['permissions_policies']}")
         if self.config.get('features_policies', ''):
             resp.headers.add('Feature-Policy', f"{self.config['features_policies']}")
+        if self.config.get('referrer_policy'):
+            resp.headers.add('Referrer-Policy', f"{self.config['referrer_policy']}")
         return resp(environ, start_response)
 
 
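Review bot: The added branch reads `referrer_policy` from config twice and wraps an already-string value in an f-string, then sends whatever the config holds without checking it. A single lookup reads more directly: `policy = self.config.get('referrer_policy')` followed by `if policy: resp.headers.add('Referrer-Policy', policy)`; the two existing branches above have the same shape and could follow suit. Because browsers silently ignore an unrecognised Referrer-Policy value, a typo or stray quoting in the ini file fails open, so logging a warning when the value is not one of the tokens defined by the spec would make misconfiguration visible. The enclosing method starts above this hunk, so how `resp` is built is not visible here.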
diff --git a/Allura/development.ini b/Allura/development.ini
index b9389c43a..20fe654d7 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -356,6 +356,9 @@ features_policies = microphone 'none'; geolocation 'none'; camera 'none'; paymen
 ; Replacement of Feature Policy
 permissions_policies = microphone=(), geolocation=(), camera=(), payment=(), document-domain=(), display-capture=(), autoplay=()
 
+; Referrer Policy
+referrer_policy = 'origin'
+
 ; SCM settings for local development
 ; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding
 ; checkout commands by adding new entries to these lists.   Each one needs a name/key/title as shown below.