Posted to commits@couchdb.apache.org by rn...@apache.org on 2014/09/08 19:16:27 UTC

chttpd commit: updated refs/heads/master to 6577ad1

Repository: couchdb-chttpd
Updated Branches:
  refs/heads/master 6b372c641 -> 6577ad195


Forward-port caching and csp headers for _utils


Project: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/commit/6577ad19
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/tree/6577ad19
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/diff/6577ad19

Branch: refs/heads/master
Commit: 6577ad1957ef2eb5027a9c8cf41a822fef7dfce9
Parents: 6b372c6
Author: Robert Newson <rn...@apache.org>
Authored: Mon Sep 8 18:11:00 2014 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Mon Sep 8 18:14:52 2014 +0100

----------------------------------------------------------------------
 src/chttpd.erl      | 11 ++++++++---
 src/chttpd_misc.erl | 13 ++++++++++++-
 2 files changed, 20 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/6577ad19/src/chttpd.erl
----------------------------------------------------------------------
diff --git a/src/chttpd.erl b/src/chttpd.erl
index 32b12c8..77093c9 100644
--- a/src/chttpd.erl
+++ b/src/chttpd.erl
@@ -19,7 +19,7 @@
     qs_value/3, qs/1, qs_json_value/3, path/1, absolute_uri/2, body_length/1,
     verify_is_server_admin/1, unquote/1, quote/1, recv/2, recv_chunked/4,
     error_info/1, parse_form/1, json_body/1, json_body_obj/1, body/1,
-    doc_etag/1, make_etag/1, etag_respond/3, partition/1, serve_file/3,
+    doc_etag/1, make_etag/1, etag_respond/3, partition/1, serve_file/3, serve_file/4,
     server_header/0, start_chunked_response/3,send_chunk/2,
     start_response_length/4, send/2, start_json_response/2,
     start_json_response/3, end_json_response/1, send_response/4,
@@ -411,9 +411,14 @@ header_value(#httpd{mochi_req=MochiReq}, Key, Default) ->
 primary_header_value(#httpd{mochi_req=MochiReq}, Key) ->
     MochiReq:get_primary_header_value(Key).
 
-serve_file(#httpd{mochi_req=MochiReq}=Req, RelativePath, DocumentRoot) ->
+serve_file(Req, RelativePath, DocumentRoot) ->
+    serve_file(Req, RelativePath, DocumentRoot, []).
+
+serve_file(#httpd{mochi_req=MochiReq}=Req, RelativePath, DocumentRoot,
+           ExtraHeaders) ->
     Headers = server_header() ++
-	couch_httpd_auth:cookie_auth_header(Req, []),
+	couch_httpd_auth:cookie_auth_header(Req, []) ++
+	ExtraHeaders,
     {ok, MochiReq:serve_file(RelativePath, DocumentRoot,
         chttpd_cors:headers(Req, Headers))}.
 
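Review bot: serve_file/4 takes a new ExtraHeaders argument with no -spec and no comment stating its expected shape, and the continuation lines at 60-62 are indented with a tab while the rest of the clause uses spaces. I'd add `-spec serve_file(#httpd{}, string(), string(), [{string(), string()}]) -> {ok, term()}.` above the 4-arity clause (the `{ok, _}` wrapper is visible on the MochiReq:serve_file line; the element type follows the caller's `{"Cache-Control", ...}` tuples) and re-indent the `++` continuation with spaces. Since ExtraHeaders is appended after server_header/0 and the cookie header, a caller that passes a name already present there will presumably have both copies sent unless something downstream deduplicates; a one-line comment on the Headers binding, such as `% ExtraHeaders is appended last; callers must not repeat names set above`, would make that contract explicit.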

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/6577ad19/src/chttpd_misc.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_misc.erl b/src/chttpd_misc.erl
index dea85e3..ce23fd9 100644
--- a/src/chttpd_misc.erl
+++ b/src/chttpd_misc.erl
@@ -72,7 +72,10 @@ handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
     case chttpd:partition(UrlPath) of
     {_ActionKey, "/", RelativePath} ->
         % GET /_utils/path or GET /_utils/
-        chttpd:serve_file(Req, RelativePath, DocumentRoot);
+        CachingHeaders = [{"Cache-Control", "private, must-revalidate"}],
+        EnableCsp = config:get("csp", "enable", "false"),
+        Headers = maybe_add_csp_headers(CachingHeaders, EnableCsp),
+        chttpd:serve_file(Req, RelativePath, DocumentRoot, Headers);
     {_ActionKey, "", _RelativePath} ->
         % GET /_utils
         RedirectPath = chttpd:path(Req) ++ "/",
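Review bot: EnableCsp is matched against the literal string "true" in maybe_add_csp_headers, so any other spelling in the config file ("True", "1", "yes") silently leaves the Content-Security-Policy header off, and the feature is off by default since the fallback is "false". Either normalize before matching, e.g. `EnableCsp = string:to_lower(config:get("csp", "enable", "false")),`, or document the exact accepted value next to the config read with a comment such as `% CSP is sent only when [csp] enable = true (exact, lower-case)`. maybe_add_csp_headers is defined in the next hunk; handle_utils_dir_req's head and the rest of its body are outside this hunk.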
@@ -81,6 +84,14 @@ handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
 handle_utils_dir_req(Req, _) ->
     send_method_not_allowed(Req, "GET,HEAD").
 
+maybe_add_csp_headers(Headers, "true") ->
+    DefaultValues = "default-src 'self'; img-src 'self'; font-src 'self'; "
+                    "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
+    Value = config:get("csp", "header_value", DefaultValues),
+    [{"Content-Security-Policy", Value} | Headers];
+maybe_add_csp_headers(Headers, _) ->
+    Headers.
+
 handle_sleep_req(#httpd{method='GET'}=Req) ->
     Time = list_to_integer(chttpd:qs_value(Req, "time")),
     receive snicklefart -> ok after Time -> ok end,
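Review bot: maybe_add_csp_headers/2 has no -spec and no comment explaining why the default policy grants 'unsafe-eval' and 'unsafe-inline', the two source expressions that most weaken a CSP's script and style restrictions, so a later maintainer cannot tell whether they are required by the UI served from _utils or merely inherited. I'd add `-spec maybe_add_csp_headers([{string(), string()}], string()) -> [{string(), string()}].` and, above the DefaultValues binding, `% TODO(review): confirm 'unsafe-eval'/'unsafe-inline' are still required by the _utils UI before relaxing or tightening this default`. The value read from [csp] header_value is sent verbatim; that is reasonable for admin-controlled config, but the comment should say the operator owns its correctness. handle_sleep_req's body continues outside the hunk.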