Posted to commits@allura.apache.org by gc...@apache.org on 2023/05/25 14:56:23 UTC
[allura] 01/02: [#8511] adding new header Referrer-Policy
This is an automated email from the ASF dual-hosted git repository.
gcruz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git
commit 6b1e40e963fa6da35275ad00c88700038692406a
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Fri May 19 16:17:58 2023 -0500
[#8511] adding new header Referrer-Policy
---
Allura/allura/config/middleware.py | 4 ++--
Allura/allura/lib/custom_middleware.py | 6 ++++--
Allura/development.ini | 3 +++
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 5e42a1b06..58ee37078 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -61,7 +61,7 @@ from allura.lib.custom_middleware import RememberLoginMiddleware
from allura.lib.custom_middleware import SetRequestHostFromConfig
from allura.lib.custom_middleware import MingTaskSessionSetupMiddleware
from allura.lib.custom_middleware import ContentSecurityPolicyMiddleware
-from allura.lib.custom_middleware import BrowserPermissionsPolicy
+from allura.lib.custom_middleware import SetHeadersMiddleware
from allura.lib.custom_middleware import StatusCodeRedirect
from allura.lib import helpers as h
from allura.lib.utils import configure_ming
@@ -133,7 +133,7 @@ def _make_core_app(root, global_conf: dict, **app_conf):
# CSP headers
app = ContentSecurityPolicyMiddleware(app, config)
# broswer permissions policy
- app = BrowserPermissionsPolicy(app, config)
+ app = SetHeadersMiddleware(app, config)
# Required for sessions
app = SessionMiddleware(app, config, data_serializer=BeakerPickleSerializerWithLatin1())
# Handle "Remember me" functionality
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index e3f130cdf..e74594aa0 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -533,8 +533,8 @@ class ContentSecurityPolicyMiddleware:
return resp(environ, start_response)
-class BrowserPermissionsPolicy:
- """ Sets Permissions-Policy header for iframes """
+class SetHeadersMiddleware:
+ """ Set headers """
def __init__(self, app, config):
self.app = app
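Review bot: The new docstring `""" Set headers """` no longer tells a reader which headers this middleware emits or which settings drive them, now that the class name is generic. Something like `"""Add Permissions-Policy, Feature-Policy and Referrer-Policy response headers from the permissions_policies, features_policies and referrer_policy config values."""` would cover what the visible lines of the next hunk show. The call-site comment `# broswer permissions policy` in middleware.py is untouched by the rename and now under-describes the middleware as well. The class body continues outside this hunk.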
@@ -547,6 +547,8 @@ class BrowserPermissionsPolicy:
resp.headers.add('Permissions-Policy', f"{self.config['permissions_policies']}")
if self.config.get('features_policies', ''):
resp.headers.add('Feature-Policy', f"{self.config['features_policies']}")
+ if self.config.get('referrer_policy'):
+ resp.headers.add('Referrer-Policy', f"{self.config['referrer_policy']}")
return resp(environ, start_response)
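Review bot: `resp.headers.add(...)` appears to append a header line rather than replace one, so a response that already carries Referrer-Policy from the wrapped app would go out with two, leaving the effective policy to the browser's handling of the list. If the configured value is meant as a default, a guard keeps a per-response policy intact: `if self.config.get('referrer_policy') and 'Referrer-Policy' not in resp.headers:`. The value is also emitted without checking that it is a known policy token, so a typo in the ini would silently produce a header that browsers ignore, and the f-string around `self.config['referrer_policy']` adds nothing if the value is already a string. The enclosing method starts outside this hunk.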
diff --git a/Allura/development.ini b/Allura/development.ini
index b9389c43a..20fe654d7 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -356,6 +356,9 @@ features_policies = microphone 'none'; geolocation 'none'; camera 'none'; paymen
; Replacement of Feature Policy
permissions_policies = microphone=(), geolocation=(), camera=(), payment=(), document-domain=(), display-capture=(), autoplay=()
+; Referrer Policy
+referrer_policy = 'origin'
+
; SCM settings for local development
; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding
; checkout commands by adding new entries to these lists. Each one needs a name/key/title as shown below.
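Review bot: `referrer_policy = 'origin'` keeps the single quotes as part of the value unless the config loader strips them (ini parsers normally do not), so the middleware would send `Referrer-Policy: 'origin'`, which is not a valid policy token and would be ignored by browsers. Writing it unquoted, `referrer_policy = origin`, avoids that; the quotes in `features_policies` above are different because they belong to the Feature-Policy syntax itself. Separately, `origin` still sends the site's origin on an HTTPS-to-HTTP navigation, whereas `strict-origin` or `strict-origin-when-cross-origin` would withhold it there, which is worth deciding for deployments that copy this file.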