Posted to commits@allura.apache.org by br...@apache.org on 2023/05/19 20:04:54 UTC

[allura] branch master updated (bd2e9179c -> 857bc2e5a)

This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git


    from bd2e9179c with recent versions of pip but no wheel pkg, "pip install -e .." needs setuptools, so --no-index is a problem.  Remove that, and update folder paths to be clearly folders to ensure they don't get installed from PyPI
     new b72eb95e2 [#8510] added new http header Permissions-Policy for iframes
     new 857bc2e5a pytest: ignore other package's namespace warnings

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 Allura/allura/config/middleware.py     |  3 +++
 Allura/allura/lib/custom_middleware.py | 17 +++++++++++++++++
 Allura/development.ini                 |  6 ++++++
 pytest.ini                             |  4 +++-
 4 files changed, 29 insertions(+), 1 deletion(-)


[allura] 01/02: [#8510] added new http header Permissions-Policy for iframes

Posted by br...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit b72eb95e2796660812c67dd1d100834cf23df695
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Thu May 11 10:13:52 2023 -0500

    [#8510] added new http header Permissions-Policy for iframes
---
 Allura/allura/config/middleware.py     |  3 +++
 Allura/allura/lib/custom_middleware.py | 17 +++++++++++++++++
 Allura/development.ini                 |  6 ++++++
 3 files changed, 26 insertions(+)

diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 043943ef8..5e42a1b06 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -61,6 +61,7 @@ from allura.lib.custom_middleware import RememberLoginMiddleware
 from allura.lib.custom_middleware import SetRequestHostFromConfig
 from allura.lib.custom_middleware import MingTaskSessionSetupMiddleware
 from allura.lib.custom_middleware import ContentSecurityPolicyMiddleware
+from allura.lib.custom_middleware import BrowserPermissionsPolicy
 from allura.lib.custom_middleware import StatusCodeRedirect
 from allura.lib import helpers as h
 from allura.lib.utils import configure_ming
@@ -131,6 +132,8 @@ def _make_core_app(root, global_conf: dict, **app_conf):
             app = Middleware(app, config)
     # CSP headers
     app = ContentSecurityPolicyMiddleware(app, config)
+    # broswer permissions policy
+    app = BrowserPermissionsPolicy(app, config)
     # Required for sessions
     app = SessionMiddleware(app, config, data_serializer=BeakerPickleSerializerWithLatin1())
     # Handle "Remember me" functionality
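Review bot: The added comment is misspelled and does not say which headers the wrapper emits; I would write `# browser permissions policy (Permissions-Policy and legacy Feature-Policy headers)`. The wrapper is installed unconditionally here, and the class added in custom_middleware.py sends a header only when its config key is non-empty, so a deployment whose ini lacks both keys silently gets no policy. That is worth saying in the comment. `_make_core_app` begins and ends outside this hunk.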
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index c0ca9684a..e3f130cdf 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -533,6 +533,23 @@ class ContentSecurityPolicyMiddleware:
         return resp(environ, start_response)
 
 
+class BrowserPermissionsPolicy:
+    """ Sets Permissions-Policy header for iframes """
+
+    def __init__(self, app, config):
+        self.app = app
+        self.config = config
+
+    def __call__(self, environ, start_response):
+        req = Request(environ)
+        resp = req.get_response(self.app)
+        if self.config.get('permissions_policies', ''):
+            resp.headers.add('Permissions-Policy', f"{self.config['permissions_policies']}")
+        if self.config.get('features_policies', ''):
+            resp.headers.add('Feature-Policy', f"{self.config['features_policies']}")
+        return resp(environ, start_response)
+
+
 """
 _call_wsgi_application & StatusCodeRedirect were originally part of TurboGears, but then removed from it.
 They came from Pylons before that.
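Review bot: `resp.headers.add(...)` in `__call__` appends a header instead of replacing one, so a response that already carries `Permissions-Policy` or `Feature-Policy` from the wrapped app would leave with two. Which one the browser honours then depends on its merge rules rather than on the site config. If the ini values are meant to be authoritative, assign instead: `resp.headers['Permissions-Policy'] = self.config['permissions_policies']`, and likewise for `Feature-Policy`; this also drops the redundant f-string. The docstring should say that both headers are applied to every response, and only when the `permissions_policies` / `features_policies` settings are non-empty, rather than just "for iframes".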
diff --git a/Allura/development.ini b/Allura/development.ini
index b73c0173c..b9389c43a 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -350,6 +350,12 @@ ew.cache_header_seconds = 0
 ; If your environment (e.g. behind a server-side proxy) needs to look at an http header to get the actual remote addr
 ;ip_address_header = X-Forwarded-For
 
+; browser permissions policy header
+; Deprecated but still supported by older and new browsers
+features_policies = microphone 'none'; geolocation 'none'; camera 'none'; payment 'none'; document-domain 'none'; display 'none'; autoplay 'none'
+; Replacement of Feature Policy
+permissions_policies = microphone=(), geolocation=(), camera=(), payment=(), document-domain=(), display-capture=(), autoplay=()
+
 ; SCM settings for local development
 ; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding
 ; checkout commands by adding new entries to these lists.   Each one needs a name/key/title as shown below.
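Review bot: The `features_policies` value lists `display 'none'` while the `permissions_policies` line uses `display-capture=()`. `display` does not look like a policy-controlled feature name, so browsers probably ignore that directive, leaving screen capture unrestricted for clients that only read `Feature-Policy`. I would change it to `display-capture 'none'` so both lines restrict the same set. The comment `Deprecated but still supported by older and new browsers` would read better as `; Feature-Policy: deprecated predecessor of Permissions-Policy, kept for browsers that lack the newer header`. As far as this commit shows, these defaults live only in development.ini, so production configs need the same two keys or no header is sent.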


[allura] 02/02: pytest: ignore other package's namespace warnings

Posted by br...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 857bc2e5a7bfd8cbaffbd22b8670b667964b22c5
Author: Dave Brondsema <db...@slashdotmedia.com>
AuthorDate: Fri May 19 20:02:25 2023 +0000

    pytest: ignore other package's namespace warnings
---
 pytest.ini | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pytest.ini b/pytest.ini
index 9ed74938b..c689fada9 100644
--- a/pytest.ini
+++ b/pytest.ini
@@ -27,6 +27,8 @@ filterwarnings =
     ignore:insert is deprecated. Use insert_one or insert_many instead.:DeprecationWarning:timermiddleware
     ignore:update is deprecated. Use replace_one, update_one or update_many instead.:DeprecationWarning:timermiddleware
     ignore:remove is deprecated. Use delete_one or delete_many instead.:DeprecationWarning:timermiddleware
+    # other packages' issues:
+    ignore:Deprecated call to `pkg_resources.declare_namespace:DeprecationWarning:pkg_resources
 
 addopts = --pyargs -p no:flaky --tb=short
 
@@ -37,4 +39,4 @@ norecursedirs = templates_responsive resources images js data docs public *.egg-
 #junit_family = legacy
 
 # no|log|system-out|system-err|out-err|all
-junit_logging = all
\ No newline at end of file
+junit_logging = all