This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8470
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/gc/8470 by this push:
     new f152c9ca9 fixup! fixup! [#8470] added default csp headers and 
configurable options to add additional frame-src and form-action
f152c9ca9 is described below

commit f152c9ca9b037b4fa206281a0b92f6bb5f00e5f8
Author: Guillermo Cruz <[email protected]>
AuthorDate: Fri Sep 30 12:10:18 2022 -0600

    fixup! fixup! [#8470] added default csp headers and configurable options to 
add additional frame-src and form-action
---
 Allura/allura/lib/custom_middleware.py      | 10 +++++-----
 Allura/allura/tests/functional/test_root.py | 19 +++++++++++++++++++
 Allura/development.ini                      |  2 +-
 3 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py 
b/Allura/allura/lib/custom_middleware.py
index c3c898fb0..a713bc0e7 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -468,17 +468,17 @@ class ContentSecurityPolicyMiddleware:
     def __call__(self, environ, start_response):
         req = Request(environ)
         resp = req.get_response(self.app)
-        resp.headers.add('Content-Security-Policy', "object-src 'none'")
-        resp.headers.add('Content-Security-Policy', 
'upgrade-insecure-requests')
-        resp.headers.add('Content-Security-Policy', "frame-ancestors 'self'")
         report_uri = ''
         report_suffix = ''
+        if self.config['base_url'].startswith('https'):
+            resp.headers.add('Content-Security-Policy', 
'upgrade-insecure-requests')
         if g.csp_report_mode and g.csp_report_uri:
             report_suffix = '-Report-Only'
             report_uri = f'; report-uri {g.csp_report_uri}'
         if g.csp_frame_sources:
             resp.headers.add(f'Content-Security-Policy{report_suffix}', 
f"frame-src 'self' {' '.join(g.csp_frame_sources)}{report_uri}")
         if g.csp_form_action_urls:
-            resp.headers.add(f'Content-Security-Policy{report_suffix}', 
f"form-action 'self' {' '.join(g.csp_form_action_urls)}{report_uri}")
-
+            resp.headers.add(f'Content-Security-Policy{report_suffix}', 
f"form-action {' '.join(g.csp_form_action_urls)}{report_uri}")
+        resp.headers.add('Content-Security-Policy', "object-src 'none'")
+        resp.headers.add('Content-Security-Policy', "frame-ancestors 'self'")
         return resp(environ, start_response)
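Review bot: The form-action directive no longer carries a source of its own: on the new `f"form-action {' '.join(g.csp_form_action_urls)}{report_uri}"` line the policy comes entirely from config, so a deployment that leaves `csp.form_action_urls` unset (still the commented-out default outside development.ini) emits no form-action restriction at all, and one that lists only external URLs blocks same-origin form posts. If dropping the hard-coded `'self'` is intended, the option comment in development.ini (third hunk) should say that `'self'` must be listed explicitly, quotes included, and that an empty value disables the directive entirely; otherwise a fallback such as `form_action = ' '.join(g.csp_form_action_urls) or "'self'"` keeps the previous default. The new `if self.config['base_url'].startswith('https'):` guard also deserves a why-comment, e.g. `# upgrade-insecure-requests rewrites every http:// subresource to https, which would break an http-only (dev) deployment, so emit it only when the site itself is served over https`. `self.config` is populated outside this hunk, so I cannot confirm from here that `base_url` is always present.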
diff --git a/Allura/allura/tests/functional/test_root.py 
b/Allura/allura/tests/functional/test_root.py
index 83eadf9c5..92406ed8a 100644
--- a/Allura/allura/tests/functional/test_root.py
+++ b/Allura/allura/tests/functional/test_root.py
@@ -35,6 +35,7 @@ from tg import tmpl_context as c
 from alluratest.tools import assert_equal, module_not_available
 from ming.orm.ormsession import ThreadLocalORMSession
 import mock
+import tg
 
 from allura.tests import decorators as td
 from allura.tests import TestController
@@ -187,6 +188,24 @@ class TestRootController(TestController):
         r = self.app.get('/error/document')
         r.mustcontain("We're sorry but we weren't able to process")
 
+    def test_headers(self):
+        resp = self.app.get('/p')
+        assert resp.headers.getall('Content-Security-Policy') == ["form-action 
'self'", "object-src 'none'",
+                                                                  
"frame-ancestors 'self'"]
+
+    @mock.patch.dict(tg.config, {'csp.frame_sources': 
'www.youtube-nocookie.com'})
+    def test_headers_config(self):
+        resp = self.app.get('/p')
+        assert "frame-src 'self' www.youtube-nocookie.com" in 
resp.headers.getall('Content-Security-Policy')
+
+    @mock.patch.dict(tg.config, {'csp.report_mode': True, 'csp.report_uri': 
'https://example.com/r/d/csp/reportOnly',
+                                 'csp.frame_sources': 
'www.youtube-nocookie.com'})
+    def test_headers_report(self):
+        resp = self.app.get('/p/wiki/Home/')
+        assert resp.headers.getall('Content-Security-Policy-Report-Only') == [
+            "frame-src 'self' www.youtube-nocookie.com; report-uri 
https://example.com/r/d/csp/reportOnly";,
+            "form-action 'self'; report-uri 
https://example.com/r/d/csp/reportOnly";]
+
 
 class TestRootWithSSLPattern(TestController):
     def setUp(self):
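Review bot: test_headers_report checks only the Report-Only header and never asserts that the always-enforced directives survive report mode, which is the property most worth pinning since object-src and frame-ancestors are added to the enforced header unconditionally. Add `assert resp.headers.getall('Content-Security-Policy') == ["object-src 'none'", "frame-ancestors 'self'"]` to that test (with an `upgrade-insecure-requests` entry as well if the test base_url is https, which I cannot tell from here). test_headers' expected `"form-action 'self'"` entry also presumes the test configuration picks up the new development.ini value for csp.form_action_urls; if the test ini does not inherit it, the assertion fails for reasons unrelated to the middleware, so patching `tg.config` with `{'csp.form_action_urls': "'self'"}` as the sibling tests do would make it self-contained.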
diff --git a/Allura/development.ini b/Allura/development.ini
index 361a9ad79..858a3d3be 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -667,7 +667,7 @@ userstats.count_lines_of_code = true
 ; csp.frame_sources =
 
 ; form-action valid sources that can be used as an HTML <form> action
-; csp.form_action_urls =
+csp.form_action_urls = 'self'
 
 ;
 ; Settings for comment reactions
