Posted to commits@allura.apache.org by gc...@apache.org on 2022/09/28 17:32:09 UTC

[allura] branch gc/8470 updated: fixup! [#8470] added default csp headers and configurable options to add additional frame-src and form-action

This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8470
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/gc/8470 by this push:
     new de538d303 fixup! [#8470] added default csp headers and configurable options to add additional frame-src and form-action
de538d303 is described below

commit de538d3036dbafd45dd79f84923a889ca60a7beb
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Wed Sep 28 11:32:01 2022 -0600

    fixup! [#8470] added default csp headers and configurable options to add additional frame-src and form-action
---
 Allura/allura/lib/custom_middleware.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 688bff4e8..c3c898fb0 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -470,6 +470,7 @@ class ContentSecurityPolicyMiddleware:
         resp = req.get_response(self.app)
         resp.headers.add('Content-Security-Policy', "object-src 'none'")
         resp.headers.add('Content-Security-Policy', 'upgrade-insecure-requests')
+        resp.headers.add('Content-Security-Policy', "frame-ancestors 'self'")
         report_uri = ''
         report_suffix = ''
         if g.csp_report_mode and g.csp_report_uri:
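Review bot: the new `frame-ancestors 'self'` directive is hard-coded and added unconditionally, next to `object-src 'none'` and `upgrade-insecure-requests` and before the `g.csp_report_mode` / `g.csp_report_uri` check, so it will be enforced immediately rather than reported, and there is no configurable option for it even though the commit message advertises configurable `frame-src` and `form-action` additions. If any deployment legitimately embeds Allura pages from another origin, this will block those frames as soon as the change ships; consider exposing an allowed-ancestors setting (mirroring the frame-src option) or at least routing the directive through the report-only path when report mode is on, and check that it agrees with any existing `X-Frame-Options` header so the two do not contradict each other.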