This is an automated email from the ASF dual-hosted git repository. gcruz pushed a commit to branch gc/8510 in repository https://gitbox.apache.org/repos/asf/allura.git
commit 420fb7b189c4696632a7546f6ef2425c19429dd6
Author: Guillermo Cruz <[email protected]>
AuthorDate: Thu May 11 10:13:52 2023 -0500

    [#8510] added new http header Permissions-Policy for iframes
---
 Allura/allura/config/middleware.py | 3 +++
 Allura/allura/lib/custom_middleware.py | 15 +++++++++++++++
 Allura/development.ini | 3 +++
 3 files changed, 21 insertions(+)

diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 043943ef8..9d5abc9b6 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -61,6 +61,7 @@ from allura.lib.custom_middleware import RememberLoginMiddleware
 from allura.lib.custom_middleware import SetRequestHostFromConfig
 from allura.lib.custom_middleware import MingTaskSessionSetupMiddleware
 from allura.lib.custom_middleware import ContentSecurityPolicyMiddleware
+from allura.lib.custom_middleware import IframePermissionsPolicy
 from allura.lib.custom_middleware import StatusCodeRedirect
 from allura.lib import helpers as h
 from allura.lib.utils import configure_ming
@@ -131,6 +132,8 @@ def _make_core_app(root, global_conf: dict, **app_conf):
     app = Middleware(app, config)
     # CSP headers
     app = ContentSecurityPolicyMiddleware(app, config)
+    # iframe permissions policy
+    app = IframePermissionsPolicy(app, config)
     # Required for sessions
     app = SessionMiddleware(app, config, data_serializer=BeakerPickleSerializerWithLatin1())
     # Handle "Remember me" functionality
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index c0ca9684a..e55cf8113 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -533,6 +533,21 @@ class ContentSecurityPolicyMiddleware: return resp(environ, start_response) +class IframePermissionsPolicy: + """ Sets Permissions-Policy header for iframes """ + + def __init__(self, app, config): + self.app = app + self.config = config + + def __call__(self, environ, start_response): + req = Request(environ) + resp = req.get_response(self.app) + if self.config.get('iframe_permissions', ''): + resp.headers.add('Permissions-Policy', f"{', '.join(aslist(self.config['iframe_permissions']))}") + return resp(environ, start_response) + + """ _call_wsgi_application & StatusCodeRedirect were originally part of TurboGears, but then removed from it. They came from Pylons before that. diff --git a/Allura/development.ini b/Allura/development.ini index b73c0173c..47a0d723f 100644 --- a/Allura/development.ini +++ b/Allura/development.ini @@ -350,6 +350,9 @@ ew.cache_header_seconds = 0 ; If your environment (e.g. behind a server-side proxy) needs to look at an http header to get the actual remote addr ;ip_address_header = X-Forwarded-For +; Iframe permissions policy header +; iframe_permissions = microphone=() geolocation=() camera=() payment=() document-domain=() display-capture=() autoplay=() + ; SCM settings for local development ; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding ; checkout commands by adding new entries to these lists. Each one needs a name/key/title as shown below.
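Review bot: The header built in `IframePermissionsPolicy.__call__` cannot carry a directive with a real allowlist, because `aslist(self.config['iframe_permissions'])` is called without a separator and so splits the value on whitespace (which is what the space-separated sample in development.ini relies on); a directive such as `camera=(self "https://example.com")` is broken into two tokens and the emitted `Permissions-Policy` value is malformed. Either split on commas instead (if `aslist` is the paste.deploy converter, `', '.join(aslist(self.config['iframe_permissions'], sep=','))`) and make the ini sample comma-separated, or state the restriction in the docstring, e.g. `""" Adds a Permissions-Policy header to every response; directives are whitespace-separated in config, so only empty allowlists such as camera=() are supported """`. The class name and docstring say "for iframes", but a Permissions-Policy response header governs which features the Allura document itself (and, by inheritance, frames it embeds) may use; it does not control who may frame Allura, which is the job of CSP frame-ancestors / X-Frame-Options, so a one-line comment to that effect would spare the next reader a wrong assumption. The f-string wrapper around the join is redundant and can be dropped: `resp.headers.add('Permissions-Policy', ', '.join(aslist(self.config['iframe_permissions'])))`.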
