rodzic
4a55739b91
commit
80a0969575
13
app.py
13
app.py
|
|
@ -35,4 +35,17 @@ def handle_exception(e):
|
|||
else:
|
||||
raise e
|
||||
|
||||
|
||||
# Add modern headers, but let the response override them
|
||||
from common import MODERN_HEADERS
|
||||
|
||||
def default_modern_headers(resp):
|
||||
for name, value in MODERN_HEADERS.items():
|
||||
resp.headers.setdefault(name, value)
|
||||
|
||||
return resp
|
||||
|
||||
app.after_request(default_modern_headers)
|
||||
|
||||
|
||||
import activitypub, add_webmention, logs, redirect, render, salmon, superfeedr, webfinger, webmention
|
||||
|
|
|
|||
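Review bot: `default_modern_headers` is registered as an app-wide `after_request` hook but has no docstring; I'd add `"""after_request hook: add each MODERN_HEADERS entry unless the view already set that header."""` so the `setdefault` contract (a view's explicit value wins over the baseline) is stated on the function itself rather than only in the comment above the import. The `from common import MODERN_HEADERS` placed mid-file, next to the trailing `import activitypub, ...` line, looks like a circular-import workaround; if so, a one-line comment saying why it is not at the top of the file would keep the next reader from moving it. The hunk opens inside `handle_exception`, whose body starts outside the hunk.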
42
common.py
42
common.py
|
|
@ -15,7 +15,6 @@ import requests
|
|||
from webob import exc
|
||||
from werkzeug.exceptions import abort
|
||||
|
||||
import common
|
||||
from models import Response
|
||||
|
||||
DOMAIN_RE = r'([^/:]+\.[^/:]+)'
|
||||
|
|
@ -50,6 +49,24 @@ CONNEG_HEADERS_AS2_HTML = {
|
|||
'Accept': CONNEG_HEADERS_AS2['Accept'] + ', %s; q=0.7' % CONTENT_TYPE_HTML,
|
||||
}
|
||||
|
||||
# Modern HTTP headers for CORS, CSP, other security, etc.
|
||||
MODERN_HEADERS = {
|
||||
'Access-Control-Allow-Headers': '*',
|
||||
'Access-Control-Allow-Methods': '*',
|
||||
'Access-Control-Allow-Origin': '*',
|
||||
# see https://content-security-policy.com/
|
||||
'Content-Security-Policy':
|
||||
"script-src https: localhost:8080 my.dev.com:8080 'unsafe-inline'; "
|
||||
"frame-ancestors 'self'; "
|
||||
"report-uri /csp-report; ",
|
||||
# 16070400 seconds is 6 months
|
||||
'Strict-Transport-Security': 'max-age=16070400; preload',
|
||||
'X-Content-Type-Options': 'nosniff',
|
||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||
'X-Frame-Options': 'SAMEORIGIN',
|
||||
'X-XSS-Protection': '1; mode=block',
|
||||
}
|
||||
|
||||
SUPPORTED_VERBS = (
|
||||
'checkin',
|
||||
'create',
|
||||
|
|
@ -69,29 +86,6 @@ OTHER_DOMAINS = (
|
|||
DOMAINS = (PRIMARY_DOMAIN,) + OTHER_DOMAINS
|
||||
|
||||
|
||||
# TODO: add to all handlers:
|
||||
# self.response.headers.update({
|
||||
# 'Access-Control-Allow-Headers': '*',
|
||||
# 'Access-Control-Allow-Methods': '*',
|
||||
# 'Access-Control-Allow-Origin': '*',
|
||||
# # see https://content-security-policy.com/
|
||||
# 'Content-Security-Policy':
|
||||
# "script-src https: localhost:8080 my.dev.com:8080 'unsafe-inline'; "
|
||||
# "frame-ancestors 'self'; "
|
||||
# "report-uri /csp-report; ",
|
||||
# # 16070400 seconds is 6 months
|
||||
# 'Strict-Transport-Security': 'max-age=16070400; preload',
|
||||
# 'X-Content-Type-Options': 'nosniff',
|
||||
# # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||
# 'X-Frame-Options': 'SAMEORIGIN',
|
||||
# 'X-XSS-Protection': '1; mode=block',
|
||||
# })
|
||||
|
||||
# def options(self, *args, **kwargs):
|
||||
# """Respond to CORS pre-flight OPTIONS requests."""
|
||||
# pass
|
||||
|
||||
|
||||
def not_5xx(resp):
|
||||
return (isinstance(resp, tuple) and len(resp) > 1 and util.is_int(resp[1]) and
|
||||
resp[1] // 100 != 5)
|
||||
|
|
|
|||
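Review bot: The `Strict-Transport-Security` entry in the new `MODERN_HEADERS` dict, `'max-age=16070400; preload'`, pairs the `preload` directive with a 6-month max-age and no `includeSubDomains`; the HSTS preload list requires a max-age of at least one year (31536000) plus `includeSubDomains`, so as written the `preload` token cannot be honored. Either drop `preload` until those requirements are met, or, only if every subdomain is served over HTTPS, use `'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',`. The `Content-Security-Policy` value on the following lines allows `https:` and `'unsafe-inline'` in `script-src`, which admits any script from any HTTPS origin and any inline script, so it constrains injected script very little; a comment such as `# NOTE: 'https:' + 'unsafe-inline' leave script-src largely permissive; tighten once inline scripts move to files` would make that trade-off explicit, and the `localhost:8080 my.dev.com:8080` sources look like development hosts being shipped in the production policy. `report-uri /csp-report` presumes a route that accepts CSP reports; I can't see one in this diff, so it may be worth confirming it exists.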