From d5a31df2abec5421cd7225c230fed07b2cca02af Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jun 03 2019 12:32:04 +0000
Subject: Add default CSP headers and a mechanism to customize them
Signed-off-by: Pierre-Yves Chibon
---
diff --git a/pagure/default_config.py b/pagure/default_config.py
index cc08ce3..0aec96c 100644
--- a/pagure/default_config.py
+++ b/pagure/default_config.py
@@ -525,6 +525,7 @@ REACTIONS = [
 ("Confused", "emojione-1F615"), # Confused
 ("Heart", "emojione-2764"), # Heart
 ]
+
 # This is used for faster indexing. Do not change.
 _REACTIONS_DICT = dict(REACTIONS)
@@ -611,3 +612,9 @@ SSH_COMMAND_NON_REPOSPANNER = (
 ],
 {},
 )
+
+CSP_HEADERS = (
+ "default-src 'self' https:; "
+ "script-src 'self' 'nonce-{nonce}'; "
+ "style-src 'self' 'nonce-{nonce}'"
+)
diff --git a/pagure/flask_app.py b/pagure/flask_app.py
index d2829d6..79a912c 100644
--- a/pagure/flask_app.py
+++ b/pagure/flask_app.py
@@ -165,6 +165,7 @@ def create_app(config=None):
 app.register_blueprint(themeblueprint)
 app.before_request(set_request)
+ app.after_request(after_request)
 app.teardown_request(end_request)
 if perfrepo:
@@ -494,6 +495,17 @@ def end_request(exception=None):
 gc.collect()
+def after_request(response):
+ """ After request callback, adjust the headers returned """
+ csp_headers = pagure_config["CSP_HEADERS"]
+ try:
+ csp_headers = csp_headers.format(nonce=flask.g.nonce)
+ except (KeyError, IndexError):
+ pass
+ response.headers.set("Content-Security-Policy", csp_headers)
+ return response
+
+
 def _get_user(username):
 """ Check if user exists or not """
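Review bot: The `default-src 'self' https:` in the new `CSP_HEADERS` lets any HTTPS origin serve every fetch type that has no explicit directive (images, fonts, XHR/connect, frames, plugins), so the default policy really only constrains scripts and styles; before this ships as the default, consider tightening it with `object-src 'none'; base-uri 'self'` (and `frame-ancestors` if pagure is not meant to be embedded elsewhere). The value is also a `str.format` template — flask_app.py in this same commit calls `.format(nonce=flask.g.nonce)` on it — so a deployer overriding it must keep `{nonce}` and double any literal braces, which the config does not say; add `# Formatted per request with str.format(nonce=...); literal braces must be written as {{ }}.` above the assignment. Note that the `except (KeyError, IndexError)` in `after_request` (the flask_app.py hunk, cut off at the end of this chunk) catches a bad placeholder name but not an unset `flask.g.nonce`, which raises AttributeError and would fail every response if `set_request` does not always set it — that function is not visible here.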