On 19.12.2017 at 06:54, RjOllos wrote:


On Monday, December 18, 2017 at 8:32:16 AM UTC-8, torgeriedel wrote:

    On 18.12.2017 at 09:15, Jun Omae wrote:
    > Hi,
    >
    > <rjol...@gmail.com <mailto:rjol...@gmail.com>> wrote on 2017-Dec-15 at 06:02 PM:
    >> Any such headers need to be configurable, but we want to avoid configuration option bloat. What we might be able to do is add an [http-headers] configuration section to trac.ini. We could specify some common configurations in the documentation.
    >>
    >> Example configuration:
    >>
    >> [http-headers]
    >> X-Frame-Options = DENY
    >> X-XSS-Protection = 1; mode=block
    >>
    >> The option names as read by ConfigParser are case-insensitive, but I think that may be okay as it looks like the HTTP headers are also case-insensitive.
    >>
    >> I've done a PoC patch against 1.2-stable, but I'll want to hear what Jun has to say before suggesting this is the right solution, since he has much more experience with web server internals and configuration.
    >
    > Good feature.
    >
    > My suggestions:
    >
    >  1. Whether http header name is valid like [trac] xsendfile_header option.
    >  2. Whether http header value is valid (the value cannot contain control characters except TAB and SPACE).
    >  3. Ignore some headers, e.g. Content-Type, Content-Length, Location, ETag, Pragma, Cache-Control, Expires
    >  4. I think we should send configured headers for all send_* methods, including send_error().
    >
    > See attached patch.
    >
    > I thought it might be good to allow to overwrite headers like "set" in mod_headers module but it would not be needed in use-case of Trac.
    >
    Hi,

    I created a temporary dev env of Trac 1.2.2 with the patch of Jun applied. I have configured the following headers in trac.ini:

    [http-headers]
    Content-Security-Policy = frame-ancestors 'none'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
    Referrer-Policy = no-referrer
    Strict-Transport-Security = max-age=31536000; includeSubDomains
    X-Frame-Options = DENY
    X-Content-Type-Options = nosniff
    X-XSS-Protection = 1; mode=block

    With the headers defined as above trac should get a better rating or something near to it.

    Well currently the trac test env I have set up is getting an F rating on observatory.mozilla.org <http://observatory.mozilla.org>, since https was not in use, a redirect to https is missing and HSTS was set without https.

    And there is another important point which needs to be adjusted:

    Cookies         -40     Session cookie set without using the Secure flag or set over http

    If used on https the score is "just" -10, but I recommend to add the secure flag to the cookie trac is setting.


https://trac.edgewall.org/wiki/TracIni#trac-secure_cookies-option

    Is there a chance to get this in a Trac 1.2.3? I recommend setting the headers above in a default trac.ini created by trac-admin initenv.


Yes,
https://trac.edgewall.org/ticket/12964

- Ryan
--
You received this message because you are subscribed to the Google Groups "Trac 
Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to 
trac-dev+unsubscr...@googlegroups.com 
<mailto:trac-dev+unsubscr...@googlegroups.com>.
To post to this group, send email to trac-dev@googlegroups.com 
<mailto:trac-dev@googlegroups.com>.
Visit this group at https://groups.google.com/group/trac-dev.
For more options, visit https://groups.google.com/d/optout.

Hi,

regarding secure cookies: Sorry, I missed that. Changed in my installation and 
the rating got better.

I will wait for 1.2.3 and will give feedback after deploy and changing 
configurable headers.

Thanks for your efforts
Torge
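The validation rules Jun lists for the proposed [http-headers] section (valid header name, no control characters in the value except TAB and SPACE, a fixed set of headers that are ignored, headers appended on every send_* path including send_error) can be checked in isolation before any of it touches Trac. The following is an added example, not Jun's patch or Trac's own code: it parses a constructed trac.ini fragment with the standard configparser module, applies those rules, and appends the surviving headers to a response header list. The RFC 7230 token grammar used for header names and the "do not override a header the application already set" behaviour of add_configured_headers are assumptions made here, not something the thread specifies.

```python
import configparser
import re

# Constructed trac.ini fragment: the six headers from the thread plus three
# entries that the validation rules should reject (reserved name, name with a
# space, value containing the control character \x01).
SAMPLE_INI = """
[http-headers]
Content-Security-Policy = frame-ancestors 'none'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
Referrer-Policy = no-referrer
Strict-Transport-Security = max-age=31536000; includeSubDomains
X-Frame-Options = DENY
X-Content-Type-Options = nosniff
X-XSS-Protection = 1; mode=block
Content-Type = text/plain
Bad Header = foo
X-Evil = value\x01injected
"""

# Assumption: header names must be RFC 7230 tokens (tchar+).
HEADER_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Headers the application itself controls; configured copies are ignored
# (the list from Jun's suggestion 3).
RESERVED_HEADERS = frozenset(
    n.lower()
    for n in ("Content-Type", "Content-Length", "Location", "ETag",
              "Pragma", "Cache-Control", "Expires")
)


def is_valid_header_name(name):
    """Suggestion 1: the name must be a syntactically valid field-name."""
    return bool(HEADER_NAME_RE.match(name))


def is_valid_header_value(value):
    """Suggestion 2: no control characters except TAB (SPACE is >= 0x20).
    DEL (0x7f) is a control character as well, so it is rejected too."""
    for ch in value:
        code = ord(ch)
        if (code < 0x20 and ch != "\t") or code == 0x7f:
            return False
    return True


def load_http_headers(ini_text):
    """Read the [http-headers] section and split it into accepted
    (name, value) pairs and rejected (name, reason) pairs."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the casing as written; matching is case-insensitive anyway
    parser.read_string(ini_text)
    accepted, rejected = [], []
    if not parser.has_section("http-headers"):
        return accepted, rejected
    for name, value in parser.items("http-headers"):
        if not is_valid_header_name(name):
            rejected.append((name, "invalid header name"))
        elif name.lower() in RESERVED_HEADERS:
            rejected.append((name, "reserved header, ignored"))
        elif not is_valid_header_value(value):
            rejected.append((name, "control character in value"))
        else:
            accepted.append((name, value))
    return accepted, rejected


def add_configured_headers(response_headers, configured):
    """Suggestion 4: append the configured headers to whatever a send_* path
    (send_error included) is about to emit. Assumption: a header the
    application already set is left alone rather than overridden, since the
    thread concluded mod_headers-style "set" semantics are not needed."""
    present = {name.lower() for name, _ in response_headers}
    extra = [(n, v) for n, v in configured if n.lower() not in present]
    return list(response_headers) + extra


if __name__ == "__main__":
    ok, bad = load_http_headers(SAMPLE_INI)
    for name, value in ok:
        print("accepted: %s: %s" % (name, value))
    for name, reason in bad:
        print("rejected: %s (%s)" % (name, reason))
    # What an error response would carry once the configured headers are merged in.
    print(add_configured_headers([("Content-Type", "text/html;charset=utf-8")], ok))
```

Running the module prints the six accepted headers, the three rejections with their reasons, and the merged header list for a sample error response; the Content-Type entry from the config is dropped because it is reserved, not because the response already carries one.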

