This is an automated email from the ASF dual-hosted git repository.
gcruz pushed a commit to branch gc/8510
in repository https://gitbox.apache.org/repos/asf/allura.git
The following commit(s) were added to refs/heads/gc/8510 by this push:
new ec11a7177 fixup! [#8510] added new http header Permissions-Policy for
iframes
ec11a7177 is described below
commit ec11a71771f4931d7343c31f9317846630c13ee9
Author: Guillermo Cruz <[email protected]>
AuthorDate: Thu May 18 13:05:51 2023 -0500
fixup! [#8510] added new http header Permissions-Policy for iframes
---
Allura/allura/config/middleware.py | 6 +++---
Allura/allura/lib/custom_middleware.py | 8 +++++---
Allura/development.ini | 7 +++++--
3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/Allura/allura/config/middleware.py
b/Allura/allura/config/middleware.py
index 9d5abc9b6..5e42a1b06 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -61,7 +61,7 @@ from allura.lib.custom_middleware import
RememberLoginMiddleware
from allura.lib.custom_middleware import SetRequestHostFromConfig
from allura.lib.custom_middleware import MingTaskSessionSetupMiddleware
from allura.lib.custom_middleware import ContentSecurityPolicyMiddleware
-from allura.lib.custom_middleware import IframePermissionsPolicy
+from allura.lib.custom_middleware import BrowserPermissionsPolicy
from allura.lib.custom_middleware import StatusCodeRedirect
from allura.lib import helpers as h
from allura.lib.utils import configure_ming
@@ -132,8 +132,8 @@ def _make_core_app(root, global_conf: dict, **app_conf):
app = Middleware(app, config)
# CSP headers
app = ContentSecurityPolicyMiddleware(app, config)
- # iframe permissions policy
- app = IframePermissionsPolicy(app, config)
+ # broswer permissions policy
+ app = BrowserPermissionsPolicy(app, config)
# Required for sessions
app = SessionMiddleware(app, config,
data_serializer=BeakerPickleSerializerWithLatin1())
# Handle "Remember me" functionality
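Review bot: The new comment on the middleware registration has a typo: `# broswer permissions policy` should read `# browser permissions policy`. As a small style point it could also say what the class now emits, e.g. `# Permissions-Policy / Feature-Policy headers`, so a reader does not have to open custom_middleware.py to find out.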
diff --git a/Allura/allura/lib/custom_middleware.py
b/Allura/allura/lib/custom_middleware.py
index e55cf8113..e3f130cdf 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -533,7 +533,7 @@ class ContentSecurityPolicyMiddleware:
return resp(environ, start_response)
-class IframePermissionsPolicy:
+class BrowserPermissionsPolicy:
""" Sets Permissions-Policy header for iframes """
def __init__(self, app, config):
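Review bot: The docstring on the renamed class still reads `""" Sets Permissions-Policy header for iframes """`, which no longer describes BrowserPermissionsPolicy: per the following hunk it also emits a Feature-Policy header, and both are attached to every response that passes through the middleware, not only responses rendered in iframes. Suggest `""" Adds Permissions-Policy (and legacy Feature-Policy) headers from config to every response. """`. The class body continues past the end of this hunk.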
@@ -543,8 +543,10 @@ class IframePermissionsPolicy:
def __call__(self, environ, start_response):
req = Request(environ)
resp = req.get_response(self.app)
- if self.config.get('iframe_permissions', ''):
- resp.headers.add('Permissions-Policy', f"{',
'.join(aslist(self.config['iframe_permissions']))}")
+ if self.config.get('permissions_policies', ''):
+ resp.headers.add('Permissions-Policy',
f"{self.config['permissions_policies']}")
+ if self.config.get('features_policies', ''):
+ resp.headers.add('Feature-Policy',
f"{self.config['features_policies']}")
return resp(environ, start_response)
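Review bot: Both values are forwarded verbatim via `resp.headers.add`, so a response on which the wrapped app already set its own Permissions-Policy ends up with two headers and the merge is left to the browser; decide whether the configured policy is authoritative (`resp.headers['Permissions-Policy'] = policy`) or should yield when the header is already present, and treat Feature-Policy the same way. The `f"{self.config[...]}"` wrappers are no-ops because the config value is already a string — `policy = self.config.get('permissions_policies', '')` followed by `if policy:` reads the key once and drops the f-string. Nothing checks the value's grammar and the two headers use different syntaxes (`feature=()` comma-separated versus `feature 'none'` semicolon-separated), so a mistyped feature name silently yields a policy that does not restrict what it was meant to — the accompanying development.ini, for instance, writes `display 'none'` in the Feature-Policy value where the feature is named `display-capture`; a short comment next to each `add` naming the expected grammar would help operators. If `aslist` was only used by the removed line, its import at the top of the file is presumably now unused.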
diff --git a/Allura/development.ini b/Allura/development.ini
index 47a0d723f..b9389c43a 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -350,8 +350,11 @@ ew.cache_header_seconds = 0
; If your environment (e.g. behind a server-side proxy) needs to look at an
http header to get the actual remote addr
;ip_address_header = X-Forwarded-For
-; Iframe permissions policy header
-; iframe_permissions = microphone=() geolocation=() camera=() payment=()
document-domain=() display-capture=() autoplay=()
+; browser permissions policy header
+; Deprecated but still supported by older and new browsers
+features_policies = microphone 'none'; geolocation 'none'; camera 'none';
payment 'none'; document-domain 'none'; display 'none'; autoplay 'none'
+; Replacement of Feature Policy
+permissions_policies = microphone=(), geolocation=(), camera=(), payment=(),
document-domain=(), display-capture=(), autoplay=()
; SCM settings for local development
; If you set up services for Git, SVN, or Hg that run on https://, ssh://,
git:// etc, you can show corresponding