This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/master by this push:
     new 60992aecb [#8470] don't use newer report-to directive, it requires 
more setup to be correct
60992aecb is described below

commit 60992aecb5ef659d5b792e1a467fef46de69e613
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Mon Oct 17 14:20:16 2022 -0400

    [#8470] don't use newer report-to directive, it requires more setup to be 
correct
---
 Allura/allura/lib/custom_middleware.py      |  4 ++--
 Allura/allura/tests/functional/test_root.py | 12 +++++++-----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py 
b/Allura/allura/lib/custom_middleware.py
index 8974734d3..1968ad31c 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -481,13 +481,13 @@ class ContentSecurityPolicyMiddleware:
            resp.headers.pop('Content-Security-Policy-Report-Only')
 
         if report_mode and report_uri:
-            report_rules.append(f'report-uri {report_uri}; report-to 
{report_uri}')
+            report_rules.append(f'report-uri {report_uri}')
 
         if self.config['base_url'].startswith('https'):
             rules.append('upgrade-insecure-requests')
 
         if report_enforce_mode and report_uri_enforce:
-            rules.append(f'report-uri {report_uri_enforce}; report-to 
{report_uri_enforce:}')
+            rules.append(f'report-uri {report_uri_enforce}')
 
         if self.config.get('csp.frame_sources'):
             if report_mode:
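Review bot: The two rewritten lines (`report_rules.append(f'report-uri {report_uri}')` and `rules.append(f'report-uri {report_uri_enforce}')`) drop `report-to` without recording why, so the next person who notices `report-uri` is deprecated in CSP3 is likely to put it straight back. A one-line comment above the first of them would preserve the decision: `# report-to is deliberately omitted: it only takes effect alongside a Reporting-Endpoints / Report-To response header, which is not emitted here (#8470)`. The enclosing method begins before this hunk and continues past it.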
diff --git a/Allura/allura/tests/functional/test_root.py 
b/Allura/allura/tests/functional/test_root.py
index 6964fa0d5..f2f6b425d 100644
--- a/Allura/allura/tests/functional/test_root.py
+++ b/Allura/allura/tests/functional/test_root.py
@@ -202,15 +202,17 @@ class TestRootController(TestController):
     @mock.patch.dict(tg.config, {'csp.report_mode': True, 'csp.report_uri': 
'https://example.com/r/d/csp/reportOnly'})
     def test_headers_report(self):
         resp = self.app.get('/p/wiki/Home/')
-        assert resp.headers.getall('Content-Security-Policy-Report-Only')[0] 
== '; '.join(["report-uri https://example.com/r/d/csp/reportOnly";,
-                                                                              
"report-to https://example.com/r/d/csp/reportOnly";,
-                                                                            
"frame-src 'self' www.youtube-nocookie.com",
-                                                                            
"form-action 'self'"])
+        assert resp.headers.getall('Content-Security-Policy-Report-Only')[0] 
== '; '.join([
+            "report-uri https://example.com/r/d/csp/reportOnly";,
+            "frame-src 'self' www.youtube-nocookie.com",
+            "form-action 'self'",
+        ])
 
     @mock.patch.dict(tg.config, {'csp.report_uri_enforce': 
'https://example.com/r/d/csp/enforce', 'csp.report_enforce_mode': True})
     def test_headers_report_enforce(self):
         resp = self.app.get('/p/wiki/Home/')
-        assert "report-uri https://example.com/r/d/csp/enforce; report-to 
https://example.com/r/d/csp/enforce; frame-src 'self' 
www.youtube-nocookie.com;" in  resp.headers.getall('Content-Security-Policy')[0]
+        assert "report-uri https://example.com/r/d/csp/enforce; frame-src 
'self' www.youtube-nocookie.com;" \
+               in resp.headers.getall('Content-Security-Policy')[0]
 
 
 class TestRootWithSSLPattern(TestController):
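Review bot: The new assertion in `test_headers_report_enforce` is a substring check, so it no longer pins the point of this commit — a `report-to` token appearing anywhere else in the enforced policy would still pass, whereas `test_headers_report` above uses exact equality and does catch it. Adding `assert 'report-to' not in resp.headers.getall('Content-Security-Policy')[0]` after the existing assert makes the removal explicit for the enforce path too.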
