This is an automated email from the ASF dual-hosted git repository. gcruz pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/allura.git
commit 42a24fb0ceaf1f0396bf40f2fdb599f37dba5901 Author: Dave Brondsema <[email protected]> AuthorDate: Thu Mar 13 11:58:53 2025 -0400 support configs for COOP/CORP/COEP headers --- Allura/allura/lib/custom_middleware.py | 12 +++++++++--- Allura/allura/tests/functional/test_root.py | 6 ++++++ Allura/development.ini | 11 ++++++++--- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py index b32bece97..1f6d3cf30 100644 --- a/Allura/allura/lib/custom_middleware.py +++ b/Allura/allura/lib/custom_middleware.py @@ -548,11 +548,17 @@ def __call__(self, environ, start_response): req = Request(environ) resp = req.get_response(self.app) if self.config.get('permissions_policies', ''): - resp.headers.add('Permissions-Policy', f"{self.config['permissions_policies']}") + resp.headers.add('Permissions-Policy', self.config['permissions_policies']) if self.config.get('features_policies', ''): - resp.headers.add('Feature-Policy', f"{self.config['features_policies']}") + resp.headers.add('Feature-Policy', self.config['features_policies']) if self.config.get('referrer_policy'): - resp.headers.add('Referrer-Policy', f"{self.config['referrer_policy']}") + resp.headers.add('Referrer-Policy', self.config['referrer_policy']) + if self.config.get('cross_origin_opener_policy'): + resp.headers.add('Cross-Origin-Opener-Policy', self.config['cross_origin_opener_policy']) + if self.config.get('cross_origin_embedder_policy'): + resp.headers.add('Cross-Origin-Embedder-Policy', self.config['cross_origin_embedder_policy']) + if self.config.get('cross_origin_resource_policy'): + resp.headers.add('Cross-Origin-Resource-Policy', self.config['cross_origin_resource_policy']) return resp(environ, start_response) diff --git a/Allura/allura/tests/functional/test_root.py b/Allura/allura/tests/functional/test_root.py index e3297edea..142bb490d 100644 --- a/Allura/allura/tests/functional/test_root.py 
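Review bot: The three new `cross_origin_*` values in `__call__` are written into the response verbatim, with no check that they are one of the few tokens Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy accept, so a mistyped or quoted value (the old `referrer_policy = 'same-origin'` default in development.ini shows quoting does happen) goes out as an invalid header that browsers ignore, and the isolation the operator believes is enabled is silently absent. Since the six branches are now structurally identical, a small (config key, header, accepted tokens) table with a `.strip()` and a validity check keeps the method flat and turns a bad value into a logged warning instead of a silent no-op; the sketch below assumes the module already has a `log` logger, adjust if it does not. `headers.add` also appends rather than replaces, so if the wrapped app emits one of these headers itself the client receives two conflicting values; `resp.headers[header] = value` may be the intended semantics, but as that would also change the three pre-existing headers I have left `add` in place. `__call__` starts before this hunk.
```python
        resp = req.get_response(self.app)
        # (config key, response header, accepted directive tokens; None = free-form value)
        for key, header, allowed in (
            ('permissions_policies', 'Permissions-Policy', None),
            ('features_policies', 'Feature-Policy', None),
            ('referrer_policy', 'Referrer-Policy', None),
            ('cross_origin_opener_policy', 'Cross-Origin-Opener-Policy',
             {'unsafe-none', 'same-origin-allow-popups', 'same-origin'}),
            ('cross_origin_embedder_policy', 'Cross-Origin-Embedder-Policy',
             {'unsafe-none', 'require-corp', 'credentialless'}),
            ('cross_origin_resource_policy', 'Cross-Origin-Resource-Policy',
             {'same-site', 'same-origin', 'cross-origin'}),
        ):
            value = (self.config.get(key) or '').strip()
            if not value:
                continue
            if allowed is not None and value not in allowed:
                # a misspelled or quoted token would be sent as-is and ignored by browsers
                log.warning('%s=%r is not a valid %s value; header not sent', key, value, header)
                continue
            resp.headers.add(header, value)
        return resp(environ, start_response)
```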
+++ b/Allura/allura/tests/functional/test_root.py @@ -244,6 +244,12 @@ def test_headers_frame_sources_enforce(self): assert all([h.strip() in csp_headers for h in expected_headers.split(';')]) assert all([h.strip() in csp_report_headers for h in expected_report_headers.split(';')]) + def test_permissions_coop_etc_headers(self): + resp = self.app.get("/p/wiki/Home/") + assert 'microphone=(), ' in resp.headers['Permissions-Policy'] + assert "microphone 'none'; " in resp.headers['Feature-Policy'] + assert resp.headers["Cross-Origin-Opener-Policy"] == "same-origin" + class TestRootWithSSLPattern(TestController): def setup_method(self, method): diff --git a/Allura/development.ini b/Allura/development.ini index 6339d95ba..564450eaa 100644 --- a/Allura/development.ini +++ b/Allura/development.ini @@ -388,9 +388,14 @@ ew.cache_header_seconds = 0 features_policies = microphone 'none'; geolocation 'none'; camera 'none'; payment 'none'; document-domain 'none'; display 'none'; autoplay 'none' ; Replacement of Feature Policy permissions_policies = microphone=(), geolocation=(), camera=(), payment=(), document-domain=(), display-capture=(), autoplay=() - -; Referrer Policy -referrer_policy = 'same-origin' +; Referrer Policy. Generally not needed since modern browsers default to strict-origin-when-cross-origin +;referrer_policy = same-origin +; COOP header +cross_origin_opener_policy = same-origin +; CORP header +;cross_origin_resource_policy = same-origin +; COEP header +;cross_origin_embedder_policy = require-corp ; SCM settings for local development ; If you set up services for Git, SVN, or Hg that run on https://, ssh://, git:// etc, you can show corresponding
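Review bot: `test_permissions_coop_etc_headers` pins only one of the three headers the middleware now emits and says nothing about the two that development.ini leaves commented out, so a regression that starts sending Cross-Origin-Embedder-Policy or Cross-Origin-Resource-Policy unconditionally (COEP `require-corp` in particular blocks every cross-origin subresource that lacks CORP or CORS) would still pass. Assuming the functional test app inherits these settings from development.ini, two lines cover the default-off case: `assert 'Cross-Origin-Embedder-Policy' not in resp.headers` and `assert 'Cross-Origin-Resource-Policy' not in resp.headers`; a companion test that sets the two keys through a config override and checks the exact values would cover the positive path. The enclosing test class starts before this hunk.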
