This is an automated email from the ASF dual-hosted git repository.
ccruz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git
The following commit(s) were added to refs/heads/master by this push:
new 8da4fc65d support per-page csp_frame_domains modifier
8da4fc65d is described below
commit 8da4fc65db7cc64500fef732c9ff51bcfd4d85dc
Author: Dave Brondsema <[email protected]>
AuthorDate: Tue Jul 2 16:56:47 2024 +0000
support per-page csp_frame_domains modifier
---
Allura/allura/lib/custom_middleware.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Allura/allura/lib/custom_middleware.py
b/Allura/allura/lib/custom_middleware.py
index e06f950c1..4b2e5e1f5 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -486,10 +486,13 @@ class ContentSecurityPolicyMiddleware:
rules.add('upgrade-insecure-requests')
if self.config.get('csp.frame_sources'):
+ frame_srcs = self.config['csp.frame_sources']
+ if environ.get('csp_frame_domains'):
+ frame_srcs += ' ' + ' '.join(environ['csp_frame_domains'])
if asbool(self.config.get('csp.frame_sources_enforce', False)):
- rules.add(f"frame-src {self.config['csp.frame_sources']}")
+ rules.add(f"frame-src {frame_srcs}")
else:
- report_rules.add(f"frame-src
{self.config['csp.frame_sources']}")
+ report_rules.add(f"frame-src {frame_srcs}")
if self.config.get('csp.form_action_urls'):
srcs = self.config['csp.form_action_urls']
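Review bot: The entries of `environ['csp_frame_domains']` are joined straight into the `frame-src` value on the added `frame_srcs += ' ' + ' '.join(...)` line, so an entry containing `;`, a comma or whitespace would change the emitted policy by more than one extra source. Where that environ key is populated is not visible in this hunk; if any of it can derive from project- or user-supplied content, filter it before the join, e.g. `safe = [d for d in environ['csp_frame_domains'] if d and not any(c in d for c in ' \t\r\n;,')]`. A plain string stored under the key instead of a list would also be split into single characters by `' '.join`. The modifier is only honoured inside the `if self.config.get('csp.frame_sources')` branch, so per-page domains are silently dropped when that option is unset; a comment such as `# per-page additions only apply when csp.frame_sources is configured` would make this explicit. The enclosing method starts and ends outside the hunk.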