This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/allura.git
The following commit(s) were added to refs/heads/master by this push: new 60992aecb [#8470] don't use newer report-to directive, it requires more setup to be correct 60992aecb is described below commit 60992aecb5ef659d5b792e1a467fef46de69e613 Author: Dave Brondsema <dbronds...@slashdotmedia.com> AuthorDate: Mon Oct 17 14:20:16 2022 -0400 [#8470] don't use newer report-to directive, it requires more setup to be correct
---
 Allura/allura/lib/custom_middleware.py | 4 ++--
 Allura/allura/tests/functional/test_root.py | 12 +++++++-----
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 8974734d3..1968ad31c 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -481,13 +481,13 @@ class ContentSecurityPolicyMiddleware:
 resp.headers.pop('Content-Security-Policy-Report-Only')
 if report_mode and report_uri:
- report_rules.append(f'report-uri {report_uri}; report-to {report_uri}')
+ report_rules.append(f'report-uri {report_uri}')
 if self.config['base_url'].startswith('https'):
 rules.append('upgrade-insecure-requests')
 if report_enforce_mode and report_uri_enforce:
- rules.append(f'report-uri {report_uri_enforce}; report-to {report_uri_enforce:}')
+ rules.append(f'report-uri {report_uri_enforce}')
 if self.config.get('csp.frame_sources'):
 if report_mode:
diff --git a/Allura/allura/tests/functional/test_root.py b/Allura/allura/tests/functional/test_root.py
index 6964fa0d5..f2f6b425d 100644
--- a/Allura/allura/tests/functional/test_root.py
+++ b/Allura/allura/tests/functional/test_root.py
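Review bot: Nothing in the new code records why `report-to` was dropped, so the next reader who sees only the deprecated `report-uri` directive at the two `append` calls will be tempted to re-add `report-to` the same incorrect way. The `report-to` directive does not take a URL; it names an endpoint group that must be declared in a separate `Reporting-Endpoints` (or legacy `Report-To`) response header, and nothing in this hunk emits such a header. A one-line comment above the first append, `# report-uri is deprecated in CSP3, but report-to takes an endpoint-group name (not a URL) declared via a Reporting-Endpoints header we do not emit yet (#8470)`, would carry that. The enclosing method starts before and ends after the hunk, so whether the header is produced elsewhere cannot be confirmed from here.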
@@ -202,15 +202,17 @@ class TestRootController(TestController):
 @mock.patch.dict(tg.config, {'csp.report_mode': True, 'csp.report_uri': 'https://example.com/r/d/csp/reportOnly'})
 def test_headers_report(self):
 resp = self.app.get('/p/wiki/Home/')
- assert resp.headers.getall('Content-Security-Policy-Report-Only')[0] == '; '.join(["report-uri https://example.com/r/d/csp/reportOnly",
- "report-to https://example.com/r/d/csp/reportOnly",
- "frame-src 'self' www.youtube-nocookie.com",
- "form-action 'self'"])
+ assert resp.headers.getall('Content-Security-Policy-Report-Only')[0] == '; '.join([
+ "report-uri https://example.com/r/d/csp/reportOnly",
+ "frame-src 'self' www.youtube-nocookie.com",
+ "form-action 'self'",
+ ])
 @mock.patch.dict(tg.config, {'csp.report_uri_enforce': 'https://example.com/r/d/csp/enforce', 'csp.report_enforce_mode': True})
 def test_headers_report_enforce(self):
 resp = self.app.get('/p/wiki/Home/')
- assert "report-uri https://example.com/r/d/csp/enforce; report-to https://example.com/r/d/csp/enforce; frame-src 'self' www.youtube-nocookie.com;" in resp.headers.getall('Content-Security-Policy')[0]
+ assert "report-uri https://example.com/r/d/csp/enforce; frame-src 'self' www.youtube-nocookie.com;" \
+ in resp.headers.getall('Content-Security-Policy')[0]
 class TestRootWithSSLPattern(TestController):
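Review bot: `test_headers_report_enforce` only checks a substring of the enforced header, so a `report-to` directive surviving elsewhere in the policy — the very regression this change should pin — would go unnoticed, whereas `test_headers_report` compares the full Report-Only value and is the stronger of the two. Add an explicit negative assertion after the substring check, `assert 'report-to' not in resp.headers.getall('Content-Security-Policy')[0]`. Both tests also index `getall(...)[0]` without checking that exactly one header was emitted; browsers enforce every CSP header independently, so a second header would silently change the effective policy while these assertions still pass, and `assert len(resp.headers.getall('Content-Security-Policy')) == 1` would catch it.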