This is an automated email from the ASF dual-hosted git repository. gcruz pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/allura.git
commit 6b1e40e963fa6da35275ad00c88700038692406a Author: Guillermo Cruz <[email protected]> AuthorDate: Fri May 19 16:17:58 2023 -0500 [#8511] adding new header Referrer-Policy --- Allura/allura/config/middleware.py | 4 ++-- Allura/allura/lib/custom_middleware.py | 6 ++++-- Allura/development.ini | 3 +++ 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 5e42a1b06..58ee37078 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -61,7 +61,7 @@ from allura.lib.custom_middleware import RememberLoginMiddleware
 from allura.lib.custom_middleware import SetRequestHostFromConfig
 from allura.lib.custom_middleware import MingTaskSessionSetupMiddleware
 from allura.lib.custom_middleware import ContentSecurityPolicyMiddleware
-from allura.lib.custom_middleware import BrowserPermissionsPolicy
+from allura.lib.custom_middleware import SetHeadersMiddleware
 from allura.lib.custom_middleware import StatusCodeRedirect
 from allura.lib import helpers as h
 from allura.lib.utils import configure_ming
@@ -133,7 +133,7 @@ def _make_core_app(root, global_conf: dict, **app_conf):
 # CSP headers
 app = ContentSecurityPolicyMiddleware(app, config)
 # broswer permissions policy
- app = BrowserPermissionsPolicy(app, config)
+ app = SetHeadersMiddleware(app, config)
 # Required for sessions
 app = SessionMiddleware(app, config, data_serializer=BeakerPickleSerializerWithLatin1())
 # Handle "Remember me" functionality
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index e3f130cdf..e74594aa0 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -533,8 +533,8 @@ class ContentSecurityPolicyMiddleware:
 return resp(environ, start_response)
-class BrowserPermissionsPolicy:
- """ Sets Permissions-Policy header for iframes """
+class SetHeadersMiddleware:
+ """ Set headers """
 def __init__(self, app, config):
 self.app = app
@@ -547,6 +547,8 @@ class BrowserPermissionsPolicy:
 resp.headers.add('Permissions-Policy', f"{self.config['permissions_policies']}")
 if self.config.get('features_policies', ''):
 resp.headers.add('Feature-Policy', f"{self.config['features_policies']}")
+ if self.config.get('referrer_policy'):
+ resp.headers.add('Referrer-Policy', f"{self.config['referrer_policy']}")
 return resp(environ, start_response)
diff --git a/Allura/development.ini b/Allura/development.ini
index b9389c43a..20fe654d7 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -356,6 +356,9 @@ features_policies = microphone 'none'; geolocation 'none'; camera 'none'; paymen
 ; Replacement of Feature Policy
 permissions_policies = microphone=(), geolocation=(), camera=(), payment=(), document-domain=(), display-capture=(), autoplay=()
+; Referrer Policy
+referrer_policy = 'origin'
+
 ; SCM settings for local development
 ; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding
 ; checkout commands by adding new entries to these lists. Each one needs a name/key/title as shown below.
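Review bot: The replacement docstring `""" Set headers """` on SetHeadersMiddleware says less than the one it removes, and nothing tells a reader which security headers this class is responsible for. I would name them together with their settings, e.g. `""" Adds Permissions-Policy, Feature-Policy and Referrer-Policy response headers from the permissions_policies, features_policies and referrer_policy config keys """`. The `# broswer permissions policy` comment left above the call in config/middleware.py is stale for the same reason and could be updated with it. The class body continues outside this hunk.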
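Review bot: `resp.headers.add('Referrer-Policy', …)` appends rather than sets, so a response that already carries a Referrer-Policy from a controller or another layer would leave with two of them and the effective policy would depend on how the browser combines the values. If the configured value is meant to be the single policy, and assuming resp is a WebOb-style response, assign it instead: `resp.headers['Referrer-Policy'] = self.config['referrer_policy']` (the f-string wrapper adds nothing for a string setting). The value is also emitted exactly as configured, and no test asserting the header is visible among the three files in this commit, so a malformed setting would go unnoticed. The enclosing `__call__` starts outside the hunk.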
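Review bot: The quotes in `referrer_policy = 'origin'` are most likely kept as part of the value, since ini parsing does not normally strip them, and the middleware hunk in custom_middleware.py copies the setting into the header unchanged. The response would then carry `Referrer-Policy: 'origin'`, which is not one of the defined policy tokens, so browsers would be expected to ignore it and fall back to their default. Write the value bare: `referrer_policy = origin`. Separately, `origin` still sends the origin on HTTPS-to-HTTP navigations; `strict-origin` or `strict-origin-when-cross-origin` would withhold it there, which is worth a comment for deployments that copy this file.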
