On Monday, December 18, 2017 at 10:36:51 PM UTC-8, torgeriedel wrote:
>
> On 19.12.2017 at 07:25, Jun Omae wrote:
> > On 12/19/2017 1:32 AM, Torge Riedel wrote: 
> >> I created a temporary dev env of Trac 1.2.2 with the patch of Jun 
> applied. I have configured the following headers in trac.ini: 
> >> 
> >> [http-headers] 
> >> ... 
> >> 
> >> Is there a chance to get this in a Trac 1.2.3? I recommend setting the 
> headers above in a default trac.ini created by trac-admin initenv. 
> > 
> > 
> >> Content-Security-Policy = frame-ancestors 'none'; default-src 'none'; 
> img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self' 
> > 
> > frame-ancestors: 
> > Should be 'self'. The same reason for X-Frame-Options. 
> > 
> > 
> >> Referrer-Policy = no-referrer 
> > 
> > Should be same-origin by default. Trac core and several plugins use 
> Referer header. 
> > 
> > 
> >> Strict-Transport-Security = max-age=31536000; includeSubDomains 
> > 
> > Shouldn't be used by default. Not all Trac sites run on HTTPS.
> > Also, includeSubDomains should be used only when subdomain(s) are used.
> > It is hard to reset the "includeSubDomains" behavior in a user's browser
> when the configuration is wrong.
> > 
> > 
> >> X-Frame-Options = DENY 
> > 
> > Should be SAMEORIGIN by default. Trac core and several plugins create 
> iframe elements via javascript. 
> > 
> > 
> >> X-Content-Type-Options = nosniff 
> >> X-XSS-Protection = 1; mode=block 
> > 
> > No problem by default. 
> > 
> > 
> Hi Jun, 
>
> thanks for your feedback. I will take this into account when deploying 
> 1.2.3 and configuring the headers. I will give feedback here. 
>
> Regards 
> Torge 
>

I'm sorry for the long delay in getting these changes integrated. I think 
we'll get the patch in #12964 committed soon and I hope to release 1.2.3 by 
the end of April.

- Ryan
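The header review in the quoted exchange, as an added example that is not code from the thread or from Trac itself: a Python check that parses a constructed trac.ini `[http-headers]` section with `configparser` and flags the values Jun Omae objected to, beside a corrected section that passes. The `site_is_https` flag is an assumption standing in for whether the site is actually served over HTTPS.

```python
import configparser

# Constructed sample of the [http-headers] section from the thread, with the
# values Jun Omae objected to.
TRAC_INI_BEFORE = """
[http-headers]
Content-Security-Policy = frame-ancestors 'none'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
Referrer-Policy = no-referrer
Strict-Transport-Security = max-age=31536000; includeSubDomains
X-Frame-Options = DENY
X-Content-Type-Options = nosniff
X-XSS-Protection = 1; mode=block
"""

# Constructed corrected section following Jun's points; HSTS is left out
# because it should only be added once the site is served over HTTPS.
TRAC_INI_AFTER = """
[http-headers]
Content-Security-Policy = frame-ancestors 'self'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
Referrer-Policy = same-origin
X-Frame-Options = SAMEORIGIN
X-Content-Type-Options = nosniff
X-XSS-Protection = 1; mode=block
"""

def load_headers(ini_text):
    """Return the [http-headers] section as a dict with lower-cased header names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {name.lower(): value.strip() for name, value in cp.items("http-headers")}

def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def review_headers(headers, site_is_https=False):
    """Apply the points raised in the thread; returns a list of finding strings."""
    findings = []
    if csp_directive(headers.get("content-security-policy", ""), "frame-ancestors") == ["'none'"]:
        findings.append("frame-ancestors should be 'self': Trac creates iframes via JavaScript")
    if headers.get("referrer-policy") == "no-referrer":
        findings.append("Referrer-Policy should be same-origin: Trac core and plugins use Referer")
    hsts = headers.get("strict-transport-security")
    if hsts is not None and not site_is_https:
        findings.append("Strict-Transport-Security set on a site not served over HTTPS")
    if hsts is not None and "includesubdomains" in hsts.lower():
        findings.append("includeSubDomains is hard to undo in browsers; use only when subdomains are served")
    if headers.get("x-frame-options", "").upper() == "DENY":
        findings.append("X-Frame-Options should be SAMEORIGIN: Trac creates iframes via JavaScript")
    return findings
```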

-- 
You received this message because you are subscribed to the Google Groups "Trac 
Development" group.
Visit this group at https://groups.google.com/group/trac-dev.
