backup/pywb
1
0
Fork 0
mirror of https://github.com/webrecorder/pywb.git synced 2025-03-24 06:59:52 +01:00
Code Issues Projects Releases Activity

rewriterapp: add default csp header, overridable via 'csp-header' config setting

Browse Source
This commit is contained in:
Ilya Kreymer 2017-10-05 19:59:37 -07:00
parent 31209db311
commit 902f6659f4
2 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
pywb/apps/rewriterapp.py
View File

@ -48,6 +48,8 @@ class UpstreamException(WbException):
class RewriterApp(object): class RewriterApp(object):
VIDEO_INFO_CONTENT_TYPE = 'application/vnd.youtube-dl_formats+json' VIDEO_INFO_CONTENT_TYPE = 'application/vnd.youtube-dl_formats+json'
DEFAULT_CSP = "default-src 'unsafe-eval' 'unsafe-inline' 'self' data: blob: mediastream: ws: wss: ; form-action 'self'"
def __init__(self, framed_replay=False, jinja_env=None, config=None, paths=None): def __init__(self, framed_replay=False, jinja_env=None, config=None, paths=None):
self.loader = ArcWarcRecordLoader() self.loader = ArcWarcRecordLoader()
@ -89,6 +91,16 @@ class RewriterApp(object):
self.enable_memento = self.config.get('enable_memento') self.enable_memento = self.config.get('enable_memento')
csp_header = self.config.get('csp-header', self.DEFAULT_CSP)
if csp_header:
self.csp_header = ('Content-Security-Policy', csp_header)
else:
self.csp_header = None
def add_csp_header(self, wb_url, status_headers):
if self.csp_header and wb_url.mod == self.replay_mod:
status_headers.headers.append(self.csp_header)
def _html_templ(self, name): def _html_templ(self, name):
value = self.config.get(name) value = self.config.get(name)
if not value: if not value:
@ -302,6 +314,10 @@ class RewriterApp(object):
if set_content_loc: if set_content_loc:
status_headers.headers.append(('Content-Location', urlrewriter.get_new_url(timestamp=cdx['timestamp'], status_headers.headers.append(('Content-Location', urlrewriter.get_new_url(timestamp=cdx['timestamp'],
url=cdx['url']))) url=cdx['url'])))
if not is_proxy:
self.add_csp_header(wb_url, status_headers)
response = WbResponse(status_headers, gen) response = WbResponse(status_headers, gen)
return response return response

5
tests/test_integration.py
View File

@ -78,6 +78,8 @@ class TestWbIntegration(BaseConfigTest):
assert '"20140127171238"' in resp.text assert '"20140127171238"' in resp.text
assert 'http://www.iana.org/' in resp.text, resp.text assert 'http://www.iana.org/' in resp.text, resp.text
assert 'Content-Security-Policy' not in resp.headers
def test_replay_content(self, fmod): def test_replay_content(self, fmod):
resp = self.get('/pywb/20140127171238{0}/http://www.iana.org/', fmod) resp = self.get('/pywb/20140127171238{0}/http://www.iana.org/', fmod)
self._assert_basic_html(resp) self._assert_basic_html(resp)
@ -89,6 +91,9 @@ class TestWbIntegration(BaseConfigTest):
assert ('wbinfo.is_framed = ' + ('true' if fmod else 'false')) in resp.text assert ('wbinfo.is_framed = ' + ('true' if fmod else 'false')) in resp.text
csp = "default-src 'unsafe-eval' 'unsafe-inline' 'self' data: blob: mediastream: ws: wss: ; form-action 'self'"
assert resp.headers['Content-Security-Policy'] == csp
def test_replay_fuzzy_1(self, fmod): def test_replay_fuzzy_1(self, fmod):
resp = self.get('/pywb/20140127171238{0}/http://www.iana.org/?_=123', fmod) resp = self.get('/pywb/20140127171238{0}/http://www.iana.org/?_=123', fmod)
assert resp.status_int == 200 assert resp.status_int == 200