This is an automated email from the ASF dual-hosted git repository. gcruz pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/allura.git
commit d346848e028b003b697ada5144dcabe5e18d5fa9
Author: Dave Brondsema <[email protected]>
AuthorDate: Thu Mar 13 11:59:14 2025 -0400
support CSP fenced-frame-src config
---
Allura/allura/lib/custom_middleware.py | 7 +++++++
Allura/development.ini | 3 +++
2 files changed, 10 insertions(+)
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 1f6d3cf30..2a90cacff 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -489,6 +489,13 @@ def __call__(self, environ, start_response):
 else:
 report_rules.add(f"frame-src {frame_srcs}")
 
+ if self.config.get('csp.fenced_frame_sources'):
+ fenced_frame_srcs = self.config['csp.fenced_frame_sources']
+ if asbool(self.config.get('csp.fenced_frame_sources_enforce', False)):
+ rules.add(f"fenced-frame-src {fenced_frame_srcs}")
+ else:
+ report_rules.add(f"fenced-frame-src {fenced_frame_srcs}")
+
 if self.config.get('csp.form_action_urls'):
 srcs = self.config['csp.form_action_urls']
 if environ.get('csp_form_actions'):
diff --git a/Allura/development.ini b/Allura/development.ini
index 564450eaa..a29b4027b 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -729,6 +729,9 @@ userstats.count_lines_of_code = true
 ; frame-src list of valid sources for loading frames
 csp.frame_sources = 'self' www.youtube-nocookie.com
+; csp.fenced_frame_sources_enforce = true
+;csp.fenced_frame_sources = https:
+
 ; to enable enforce mode on form-action
 ; csp.form_actions_enforce = true
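Review bot: The new fenced-frame-src block (from `if self.config.get('csp.fenced_frame_sources'):` through the `report_rules.add` branch) repeats the frame-src block just above it token for token apart from the directive and config key, and the form_action_urls block that follows opens the same way, so `__call__` now carries three copies of the same get-then-subscript, asbool enforce-flag, rules/report_rules split. A small method keyed by directive name and config key would keep the enforce-vs-report-only decision in one place and make the next directive a one-liner. A short comment on the new block would also help the next reader, e.g. `# omitted when unconfigured; browsers then fall back to frame-src (per CSP3), so the default is no looser than the frame-src setting`. `__call__` starts and ends outside the hunk, and whether the frame-src block's keys follow the same `<key>_enforce` naming is not visible here, so the helper is shown for the fenced-frame case only.
```python
    def _add_src_directive(self, directive, config_key, rules, report_rules):
        """Add "<directive> <sources>" taken from config_key to rules when
        "<config_key>_enforce" is true, otherwise to report_rules (report-only);
        does nothing when config_key is unset or empty."""
        srcs = self.config.get(config_key)
        if not srcs:
            return
        if asbool(self.config.get(f'{config_key}_enforce', False)):
            rules.add(f"{directive} {srcs}")
        else:
            report_rules.add(f"{directive} {srcs}")

    def __call__(self, environ, start_response):
        # … unchanged: earlier directives, frame-src handling …
        self._add_src_directive('fenced-frame-src', 'csp.fenced_frame_sources', rules, report_rules)
        # … unchanged: form-action handling onward …
```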
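Review bot: The two new keys `; csp.fenced_frame_sources_enforce = true` and `;csp.fenced_frame_sources = https:` arrive without the explanatory line every neighbouring setting has (compare `; frame-src list of valid sources for loading frames` and `; to enable enforce mode on form-action`), so an operator reading the ini cannot tell what the directive governs or that report-only is the default when the enforce flag is left unset. I would add `; fenced-frame-src list of valid sources for loading fenced frames (report-only unless the _enforce flag is set)` above the commented-out value. The `;` spacing is also inconsistent between the two new lines (`; csp...` vs `;csp...`) where the surrounding commented keys use `; `.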
