Update.

2025-06-14 12:42:34 +02:00 · 2025-06-14 12:42:34 +02:00 · bf576bc0e3
commit bf576bc0e3
parent 2c182ad48d
1 changed files with 11 additions and 15 deletions
--- a/src/snek/system/middleware.py
+++ b/src/snek/system/middleware.py
@ -1,13 +1,8 @@
 # Written by retoor@molodetz.nl

-# This code provides middleware functions for an aiohttp server to manage and modify CORS (Cross-Origin Resource Sharing) headers.
-
-# Imports from 'aiohttp' library are used to create middleware; they are not part of Python's standard library.
-
-# MIT License: This code is distributed under the MIT License.
+# This code provides middleware functions for an aiohttp server to manage and modify CSP, CORS, and authentication headers.

 import secrets
-
 from aiohttp import web

@web.middleware
@ -17,13 +12,17 @@ async def csp_middleware(request, handler):
    csp_policy = (
        "default-src 'self'; "
        f"script-src 'self' https://umami.molodetz.nl 'nonce-{nonce}'; "
-        "style-src 'self'; "
-        "img-src *; "
-        "connect-src 'self'; https://umami.molodetz.nl; 'nonce-{nonce}';"
-        "font-src 'self'; "
+        "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+        "img-src 'self' data: https://umodetz.nl; "
+        "connect-src 'self' https://umodetz.nl; "
+        "font-src 'self' data:; "
        "object-src 'none'; "
        "base-uri 'self'; "
-        "form-action 'self';"
+        "form-action 'self'; "
+        "frame-src 'self'; "
+        "worker-src 'self'; "
+        "media-src 'self'; "
+        "manifest-src 'self';"
    )
    request['csp_nonce'] = nonce
    response = await handler(request)
@ -36,7 +35,6 @@ async def no_cors_middleware(request, handler):
    response.headers.pop("Access-Control-Allow-Origin", None)
    return response

-
@web.middleware
 async def cors_allow_middleware(request, handler):
    response = await handler(request)
@ -48,7 +46,6 @@ async def cors_allow_middleware(request, handler):
    response.headers["Access-Control-Allow-Credentials"] = "true"
    return response

-
@web.middleware
 async def auth_middleware(request, handler):
    request["user"] = None
@ -58,7 +55,6 @@ async def auth_middleware(request, handler):
        )
    return await handler(request)

-
@web.middleware
 async def cors_middleware(request, handler):
    if request.headers.get("Allow"):