This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/allura.git
commit b72eb95e2796660812c67dd1d100834cf23df695
Author: Guillermo Cruz <[email protected]>
AuthorDate: Thu May 11 10:13:52 2023 -0500

    [#8510] added new http header Permissions-Policy for iframes
---
 Allura/allura/config/middleware.py     |  3 +++
 Allura/allura/lib/custom_middleware.py | 17 +++++++++++++++++
 Allura/development.ini                 |  6 ++++++
 3 files changed, 26 insertions(+)

diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 043943ef8..5e42a1b06 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -61,6 +61,7 @@ from allura.lib.custom_middleware import RememberLoginMiddleware
 from allura.lib.custom_middleware import SetRequestHostFromConfig
 from allura.lib.custom_middleware import MingTaskSessionSetupMiddleware
 from allura.lib.custom_middleware import ContentSecurityPolicyMiddleware
+from allura.lib.custom_middleware import BrowserPermissionsPolicy
 from allura.lib.custom_middleware import StatusCodeRedirect
 from allura.lib import helpers as h
 from allura.lib.utils import configure_ming
@@ -131,6 +132,8 @@ def _make_core_app(root, global_conf: dict, **app_conf):
     app = Middleware(app, config)
     # CSP headers
     app = ContentSecurityPolicyMiddleware(app, config)
+    # broswer permissions policy
+    app = BrowserPermissionsPolicy(app, config)
     # Required for sessions
     app = SessionMiddleware(app, config, data_serializer=BeakerPickleSerializerWithLatin1())
     # Handle "Remember me" functionality
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index c0ca9684a..e3f130cdf 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
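Review bot: The comment added above the new middleware in `_make_core_app` misspells browser: `# broswer permissions policy` should read `# browser permissions policy`. The sibling middlewares imported in the first hunk carry a `...Middleware` suffix (`ContentSecurityPolicyMiddleware`, `RememberLoginMiddleware`, `MingTaskSessionSetupMiddleware`), so `BrowserPermissionsPolicy` would be more consistent as `BrowserPermissionsPolicyMiddleware`; that rename would have to land in `custom_middleware.py` as well. `_make_core_app` starts and continues outside this hunk.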
@@ -533,6 +533,23 @@ class ContentSecurityPolicyMiddleware:
         return resp(environ, start_response)
 
 
+class BrowserPermissionsPolicy:
+    """ Sets Permissions-Policy header for iframes """
+
+    def __init__(self, app, config):
+        self.app = app
+        self.config = config
+
+    def __call__(self, environ, start_response):
+        req = Request(environ)
+        resp = req.get_response(self.app)
+        if self.config.get('permissions_policies', ''):
+            resp.headers.add('Permissions-Policy', f"{self.config['permissions_policies']}")
+        if self.config.get('features_policies', ''):
+            resp.headers.add('Feature-Policy', f"{self.config['features_policies']}")
+        return resp(environ, start_response)
+
+
 """
 _call_wsgi_application & StatusCodeRedirect were originally part of TurboGears, but then removed from it.
 They came from Pylons before that.
diff --git a/Allura/development.ini b/Allura/development.ini
index b73c0173c..b9389c43a 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -350,6 +350,12 @@ ew.cache_header_seconds = 0
 ; If your environment (e.g. behind a server-side proxy) needs to look at an http header to get the actual remote addr
 ;ip_address_header = X-Forwarded-For
 
+; browser permissions policy header
+; Deprecated but still supported by older and new browsers
+features_policies = microphone 'none'; geolocation 'none'; camera 'none'; payment 'none'; document-domain 'none'; display 'none'; autoplay 'none'
+; Replacement of Feature Policy
+permissions_policies = microphone=(), geolocation=(), camera=(), payment=(), document-domain=(), display-capture=(), autoplay=()
+
+
 ; SCM settings for local development
 ; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding
 ; checkout commands by adding new entries to these lists. Each one needs a name/key/title as shown below.
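Review bot: In `BrowserPermissionsPolicy.__call__` the two `resp.headers.add(...)` calls append rather than set, so a response on which the wrapped app already emitted a `Permissions-Policy` or `Feature-Policy` header ends up carrying two copies instead of the configured one; if the middleware is meant to be authoritative, assign instead, `resp.headers['Permissions-Policy'] = self.config['permissions_policies']` and `resp.headers['Feature-Policy'] = self.config['features_policies']`, which also drops the f-string wrapper that only re-stringifies what is presumably already a string from the .ini. The guards fail open: a deployment whose .ini predates this commit has neither key, so no header is sent and nothing logs that the policy is missing — consider a built-in fallback value when the key is absent, or at least a comment stating that the header is opt-in via config, since the `development.ini` defaults do not reach production configs. The docstring `""" Sets Permissions-Policy header for iframes """` understates the header's scope; suggest `"""Add Permissions-Policy (and legacy Feature-Policy) headers from config to every response, restricting which browser features the page and any iframes it embeds may use."""`.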
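Review bot: In the new `features_policies` value, `display 'none'` is not a Feature-Policy feature name — the screen-capture feature is `display-capture`, which the `permissions_policies` line below uses correctly as `display-capture=()` — so browsers relying on the legacy header will ignore that token and the two policies are not equivalent; change it to `display-capture 'none'`. The comment `; Deprecated but still supported by older and new browsers` reads ambiguously about which header is deprecated; suggest `; Feature-Policy is the deprecated predecessor of Permissions-Policy, kept for browsers that only understand the old header`. Both keys are read by `BrowserPermissionsPolicy` in custom_middleware.py only when present, so any other .ini that should carry the policy needs the same two settings added.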
