Posted to commits@allura.apache.org by gc...@apache.org on 2023/05/11 15:14:10 UTC

[allura] branch gc/8510 created (now 420fb7b18)

This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a change to branch gc/8510
in repository https://gitbox.apache.org/repos/asf/allura.git


      at 420fb7b18 [#8510] added new http header Permissions-Policy for iframes

This branch includes the following new commits:

     new 420fb7b18 [#8510] added new http header Permissions-Policy for iframes

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[allura] 01/01: [#8510] added new http header Permissions-Policy for iframes

Posted by gc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8510
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 420fb7b189c4696632a7546f6ef2425c19429dd6
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Thu May 11 10:13:52 2023 -0500

    [#8510] added new http header Permissions-Policy for iframes
---
 Allura/allura/config/middleware.py     |  3 +++
 Allura/allura/lib/custom_middleware.py | 15 +++++++++++++++
 Allura/development.ini                 |  3 +++
 3 files changed, 21 insertions(+)

diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 043943ef8..9d5abc9b6 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -61,6 +61,7 @@ from allura.lib.custom_middleware import RememberLoginMiddleware
 from allura.lib.custom_middleware import SetRequestHostFromConfig
 from allura.lib.custom_middleware import MingTaskSessionSetupMiddleware
 from allura.lib.custom_middleware import ContentSecurityPolicyMiddleware
+from allura.lib.custom_middleware import IframePermissionsPolicy
 from allura.lib.custom_middleware import StatusCodeRedirect
 from allura.lib import helpers as h
 from allura.lib.utils import configure_ming
@@ -131,6 +132,8 @@ def _make_core_app(root, global_conf: dict, **app_conf):
             app = Middleware(app, config)
     # CSP headers
     app = ContentSecurityPolicyMiddleware(app, config)
+    # iframe permissions policy
+    app = IframePermissionsPolicy(app, config)
     # Required for sessions
     app = SessionMiddleware(app, config, data_serializer=BeakerPickleSerializerWithLatin1())
     # Handle "Remember me" functionality
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index c0ca9684a..e55cf8113 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -533,6 +533,21 @@ class ContentSecurityPolicyMiddleware:
         return resp(environ, start_response)
 
 
+class IframePermissionsPolicy:
+    """ Sets Permissions-Policy header for iframes """
+
+    def __init__(self, app, config):
+        self.app = app
+        self.config = config
+
+    def __call__(self, environ, start_response):
+        req = Request(environ)
+        resp = req.get_response(self.app)
+        if self.config.get('iframe_permissions', ''):
+            resp.headers.add('Permissions-Policy', f"{', '.join(aslist(self.config['iframe_permissions']))}")
+        return resp(environ, start_response)
+
+
 """
 _call_wsgi_application & StatusCodeRedirect were originally part of TurboGears, but then removed from it.
 They came from Pylons before that.
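Review bot: `IframePermissionsPolicy.__call__` rebuilds the header value from config on every response and attaches it with `resp.headers.add(...)`, which appends a second Permissions-Policy header if the wrapped application already emitted one instead of replacing it. The value is static for the process, so parse it once in `__init__` and assign it with `resp.headers['Permissions-Policy'] = self.policy`; that also removes the double lookup (`config.get(...)` followed by `config['iframe_permissions']`) and the f-string wrapper that only re-wraps the `', '.join(...)` result. The docstring should also make clear that the header is added to every response passing through the middleware, not only to iframe responses, e.g. `"""Add a Permissions-Policy header, built from the iframe_permissions setting, to every response."""`.
```python
class IframePermissionsPolicy:
    """Add a Permissions-Policy header, built from the iframe_permissions setting, to every response."""

    def __init__(self, app, config):
        self.app = app
        self.config = config
        # Parsed once: whitespace-separated directives in config become the comma-separated header value.
        self.policy = ', '.join(aslist(config.get('iframe_permissions', '')))

    def __call__(self, environ, start_response):
        req = Request(environ)
        resp = req.get_response(self.app)
        if self.policy:
            # Replace rather than add, so a header set by the wrapped app is not duplicated.
            resp.headers['Permissions-Policy'] = self.policy
        return resp(environ, start_response)
```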
diff --git a/Allura/development.ini b/Allura/development.ini
index b73c0173c..47a0d723f 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -350,6 +350,9 @@ ew.cache_header_seconds = 0
 ; If your environment (e.g. behind a server-side proxy) needs to look at an http header to get the actual remote addr
 ;ip_address_header = X-Forwarded-For
 
+; Iframe permissions policy header
+; iframe_permissions = microphone=() geolocation=() camera=() payment=() document-domain=() display-capture=() autoplay=()
+
 ; SCM settings for local development
 ; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding
 ; checkout commands by adding new entries to these lists.   Each one needs a name/key/title as shown below.
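Review bot: The comment above the commented-out `iframe_permissions` example does not state the expected format, so an operator cannot tell that the value is a whitespace-separated list of Permissions-Policy directives that the middleware joins with commas, nor that leaving the key unset disables the header entirely. Expand it to `; Permissions-Policy header sent on every response: a whitespace-separated list of directives (joined with commas); leave unset to send no header`.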