On 18.12.2017 at 09:15, Jun Omae wrote:
Hi,

<rjol...@gmail.com> wrote on 2017-Dec-15 at 06:02 PM:
Any such headers need to be configurable, but we want to avoid configuration 
option bloat. What we might be able to do is add an [http-headers] 
configuration section to trac.ini. We could specify some common configurations 
in the documentation.

Example configuration:

[http-headers]
X-Frame-Options = DENY
X-XSS-Protection = 1; mode=block

The option names as read by ConfigParser are case-insensitive, but I think that 
may be okay as it looks like the HTTP headers are also case-insensitive.

I've done a PoC patch against 1.2-stable, but I'll want to hear what Jun has to 
say before suggesting this is the right solution, since he has much more 
experience with web server internals and configuration.

Good feature.

My suggestions:

 1. Whether the HTTP header name is valid, like the [trac] xsendfile_header 
option.
 2. Whether the HTTP header value is valid (the value cannot contain control 
characters except TAB and SPACE).
 3. Ignore some headers, e.g. Content-Type, Content-Length, Location, ETag, 
Pragma, Cache-Control, Expires.
 4. I think we should send configured headers for all send_* methods, 
including send_error().

See attached patch.

I thought it might be good to allow overwriting headers like "set" in the 
mod_headers module, but it would not be needed in Trac's use case.
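
As an added illustration of suggestions 1 to 3 above (example code written for this thread, not Trac's code and not the attached patch), here is a small ConfigParser-based loader that reads the proposed [http-headers] section and rejects invalid names, values containing control characters, and the reserved headers. The trac.ini text is constructed; the header-name grammar is the RFC 7230 token, which is assumed to be what the [trac] xsendfile_header check enforces.

```python
import configparser
import re

# Suggestion 1: header names must be an RFC 7230 "token" (assumed to match the
# [trac] xsendfile_header check).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Suggestion 3: headers Trac manages itself; configured values must not
# override them.
RESERVED = frozenset(h.lower() for h in (
    "Content-Type", "Content-Length", "Location", "ETag",
    "Pragma", "Cache-Control", "Expires"))

# Constructed trac.ini fragment covering the accept and reject paths.
SAMPLE_INI = """
[http-headers]
X-Frame-Options = DENY
X-XSS-Protection = 1; mode=block
X-Tab-Ok = a\tb
Content-Type = text/plain
Bad Name = value
"""


def is_valid_header_name(name):
    return bool(TOKEN_RE.match(name))


def is_valid_header_value(value):
    # Suggestion 2: reject CR, LF, other C0 controls and DEL (header injection
    # via a configured value); TAB and SPACE stay allowed.
    return all(ch == "\t" or (ord(ch) >= 32 and ord(ch) != 127) for ch in value)


def load_http_headers(ini_text):
    # Returns (accepted, rejected): accepted is the (name, value) list to send
    # on every send_* response, rejected is a (name, reason) list for logging.
    parser = configparser.ConfigParser()
    # ConfigParser lowercases option names by default; keep the configured
    # casing for the wire (HTTP treats names case-insensitively either way).
    parser.optionxform = str
    parser.read_string(ini_text)
    accepted, rejected = [], []
    if not parser.has_section("http-headers"):
        return accepted, rejected
    for name, value in parser.items("http-headers"):
        if not is_valid_header_name(name):
            rejected.append((name, "invalid header name"))
        elif not is_valid_header_value(value):
            rejected.append((name, "control character in value"))
        elif name.lower() in RESERVED:
            rejected.append((name, "reserved header"))
        else:
            accepted.append((name, value))
    return accepted, rejected
```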

Hi,

I created a temporary dev env of Trac 1.2.2 with the patch of Jun applied. I 
have configured the following headers in trac.ini:

[http-headers]
Content-Security-Policy = frame-ancestors 'none'; default-src 'none'; img-src 
'self'; script-src 'self'; style-src 'self'; base-uri 'self'
Referrer-Policy = no-referrer
Strict-Transport-Security = max-age=31536000; includeSubDomains
X-Frame-Options = DENY
X-Content-Type-Options = nosniff
X-XSS-Protection = 1; mode=block

With the headers defined as above, Trac should get a better rating or something 
near it.

Well, currently the Trac test env I have set up is getting an F rating on 
observatory.mozilla.org, since HTTPS was not in use, a redirect to HTTPS is 
missing and HSTS was set without HTTPS.

And there is another important point which needs to be adjusted:

Cookies         -40     Session cookie set without using the Secure flag or set 
over http

If used on https the score is "just" -10, but I recommend to add the secure 
flag to the cookie trac is setting.

Is there a chance to get this in a Trac 1.2.3? I recommend setting the headers 
above in a default trac.ini created by trac-admin initenv.

Regards
Torge

--
You received this message because you are subscribed to the Google Groups "Trac 
Development" group.
Visit this group at https://groups.google.com/group/trac-dev.