Posted to commits@allura.apache.org by gc...@apache.org on 2023/05/19 21:18:18 UTC

[allura] 01/01: [#8511] adding new header Referrer-Policy

This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8511
in repository https://gitbox.apache.org/repos/asf/allura.git

commit cc1a0eb584729afffe97875992601d1a0d5fa59f
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Fri May 19 16:17:58 2023 -0500

    [#8511] adding new header Referrer-Policy
---
 Allura/allura/config/middleware.py     | 4 ++--
 Allura/allura/lib/custom_middleware.py | 6 ++++--
 Allura/development.ini                 | 3 +++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 5e42a1b06..58ee37078 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -61,7 +61,7 @@ from allura.lib.custom_middleware import RememberLoginMiddleware
 from allura.lib.custom_middleware import SetRequestHostFromConfig
 from allura.lib.custom_middleware import MingTaskSessionSetupMiddleware
 from allura.lib.custom_middleware import ContentSecurityPolicyMiddleware
-from allura.lib.custom_middleware import BrowserPermissionsPolicy
+from allura.lib.custom_middleware import SetHeadersMiddleware
 from allura.lib.custom_middleware import StatusCodeRedirect
 from allura.lib import helpers as h
 from allura.lib.utils import configure_ming
@@ -133,7 +133,7 @@ def _make_core_app(root, global_conf: dict, **app_conf):
     # CSP headers
     app = ContentSecurityPolicyMiddleware(app, config)
     # broswer permissions policy
-    app = BrowserPermissionsPolicy(app, config)
+    app = SetHeadersMiddleware(app, config)
     # Required for sessions
     app = SessionMiddleware(app, config, data_serializer=BeakerPickleSerializerWithLatin1())
     # Handle "Remember me" functionality
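Review bot: The comment above the renamed call, `# broswer permissions policy`, is now stale as well as misspelled: after this commit the middleware it labels also emits Feature-Policy and Referrer-Policy, not only the permissions policy. I would change it to `# security response headers (Permissions-Policy, Feature-Policy, Referrer-Policy)` so the wiring in `_make_core_app` says what the layer actually does. `_make_core_app` begins and ends outside the hunk.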
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index e3f130cdf..e74594aa0 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -533,8 +533,8 @@ class ContentSecurityPolicyMiddleware:
         return resp(environ, start_response)
 
 
-class BrowserPermissionsPolicy:
-    """ Sets Permissions-Policy header for iframes """
+class SetHeadersMiddleware:
+    """ Set headers """
 
     def __init__(self, app, config):
         self.app = app
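Review bot: The new docstring `""" Set headers """` is less informative than the one it replaces and does not say which headers or where their values come from. Since the class now reads `permissions_policies`, `features_policies` and `referrer_policy` from config, I would write `""" Adds Permissions-Policy, Feature-Policy and Referrer-Policy response headers, each only when its value is set in config """`. The `__init__` body continues past the end of the hunk.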
@@ -547,6 +547,8 @@ class BrowserPermissionsPolicy:
             resp.headers.add('Permissions-Policy', f"{self.config['permissions_policies']}")
         if self.config.get('features_policies', ''):
             resp.headers.add('Feature-Policy', f"{self.config['features_policies']}")
+        if self.config.get('referrer_policy'):
+            resp.headers.add('Referrer-Policy', f"{self.config['referrer_policy']}")
         return resp(environ, start_response)
 
 
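Review bot: The added lines emit whatever string is configured as the Referrer-Policy value verbatim, and the value this same commit puts in development.ini, `referrer_policy = 'origin'`, keeps its single quotes when read through the ini file, so the response header becomes `Referrer-Policy: 'origin'`. Unlike Feature-Policy, Referrer-Policy tokens are unquoted (`origin`, `strict-origin-when-cross-origin`, ...), and a browser that does not recognise the token falls back to its default, so the header would be silently ineffective; the ini line should read `referrer_policy = origin`, and a comment on the new middleware branch such as `# value must be a bare Referrer-Policy token, no quotes` would prevent the same slip in other deployments. The `f"{...}"` wrapper on the new line is redundant for a string value and could be `self.config['referrer_policy']`, though it matches the two lines above. The enclosing `__call__` starts before the hunk.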
diff --git a/Allura/development.ini b/Allura/development.ini
index b9389c43a..20fe654d7 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -356,6 +356,9 @@ features_policies = microphone 'none'; geolocation 'none'; camera 'none'; paymen
 ; Replacement of Feature Policy
 permissions_policies = microphone=(), geolocation=(), camera=(), payment=(), document-domain=(), display-capture=(), autoplay=()
 
+; Referrer Policy
+referrer_policy = 'origin'
+
 ; SCM settings for local development
 ; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding
 ; checkout commands by adding new entries to these lists.   Each one needs a name/key/title as shown below.