Update.
This commit is contained in:
parent
2c182ad48d
commit
bf576bc0e3
@ -1,13 +1,8 @@
|
|||||||
# Written by retoor@molodetz.nl
|
# Written by retoor@molodetz.nl
|
||||||
|
|
||||||
# This code provides middleware functions for an aiohttp server to manage and modify CORS (Cross-Origin Resource Sharing) headers.
|
# This code provides middleware functions for an aiohttp server to manage and modify CSP, CORS, and authentication headers.
|
||||||
|
|
||||||
# Imports from 'aiohttp' library are used to create middleware; they are not part of Python's standard library.
|
|
||||||
|
|
||||||
# MIT License: This code is distributed under the MIT License.
|
|
||||||
|
|
||||||
import secrets
|
import secrets
|
||||||
|
|
||||||
from aiohttp import web
|
from aiohttp import web
|
||||||
|
|
||||||
@web.middleware
|
@web.middleware
|
||||||
@ -17,18 +12,22 @@ async def csp_middleware(request, handler):
|
|||||||
csp_policy = (
|
csp_policy = (
|
||||||
"default-src 'self'; "
|
"default-src 'self'; "
|
||||||
f"script-src 'self' https://umami.molodetz.nl 'nonce-{nonce}'; "
|
f"script-src 'self' https://umami.molodetz.nl 'nonce-{nonce}'; "
|
||||||
"style-src 'self'; "
|
"style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
|
||||||
"img-src *; "
|
"img-src 'self' data: https://umodetz.nl; "
|
||||||
"connect-src 'self'; https://umami.molodetz.nl; 'nonce-{nonce}';"
|
"connect-src 'self' https://umodetz.nl; "
|
||||||
"font-src 'self'; "
|
"font-src 'self' data:; "
|
||||||
"object-src 'none'; "
|
"object-src 'none'; "
|
||||||
"base-uri 'self'; "
|
"base-uri 'self'; "
|
||||||
"form-action 'self';"
|
"form-action 'self'; "
|
||||||
|
"frame-src 'self'; "
|
||||||
|
"worker-src 'self'; "
|
||||||
|
"media-src 'self'; "
|
||||||
|
"manifest-src 'self';"
|
||||||
)
|
)
|
||||||
request['csp_nonce'] = nonce
|
request['csp_nonce'] = nonce
|
||||||
response = await handler(request)
|
response = await handler(request)
|
||||||
response.headers['Content-Security-Policy'] = csp_policy
|
response.headers['Content-Security-Policy'] = csp_policy
|
||||||
return response
|
return response
|
||||||
|
|
||||||
@web.middleware
|
@web.middleware
|
||||||
async def no_cors_middleware(request, handler):
|
async def no_cors_middleware(request, handler):
|
||||||
@ -36,7 +35,6 @@ async def no_cors_middleware(request, handler):
|
|||||||
response.headers.pop("Access-Control-Allow-Origin", None)
|
response.headers.pop("Access-Control-Allow-Origin", None)
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
@web.middleware
|
@web.middleware
|
||||||
async def cors_allow_middleware(request, handler):
|
async def cors_allow_middleware(request, handler):
|
||||||
response = await handler(request)
|
response = await handler(request)
|
||||||
@ -48,7 +46,6 @@ async def cors_allow_middleware(request, handler):
|
|||||||
response.headers["Access-Control-Allow-Credentials"] = "true"
|
response.headers["Access-Control-Allow-Credentials"] = "true"
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
@web.middleware
|
@web.middleware
|
||||||
async def auth_middleware(request, handler):
|
async def auth_middleware(request, handler):
|
||||||
request["user"] = None
|
request["user"] = None
|
||||||
@ -58,7 +55,6 @@ async def auth_middleware(request, handler):
|
|||||||
)
|
)
|
||||||
return await handler(request)
|
return await handler(request)
|
||||||
|
|
||||||
|
|
||||||
@web.middleware
|
@web.middleware
|
||||||
async def cors_middleware(request, handler):
|
async def cors_middleware(request, handler):
|
||||||
if request.headers.get("Allow"):
|
if request.headers.get("Allow"):
|
||||||
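Review bot: In the csp_middleware hunk the new img-src and connect-src lines allowlist `https://umodetz.nl`, while script-src in the same policy uses `umami.molodetz.nl` — this reads like a typo for `molodetz.nl`, and an allowlisted host the site does not control is an origin anyone can register and serve from, so confirm the spelling before merging. The same hunk adds `'unsafe-inline'` to style-src even though a per-request nonce is already generated where csp_middleware begins (above this hunk), so `f"style-src 'self' 'nonce-{nonce}' https://cdn.jsdelivr.net; "` keeps the jsdelivr stylesheet working without allowing injected inline styles; allowlisting the whole jsdelivr host is also broad, and pinning to the package path actually loaded would narrow it. The rewritten connect-src drops `https://umami.molodetz.nl`, so if the umami script allowed in script-src sends its beacons there they will now be blocked — presumably unintended, worth checking in the browser console. None of the added directives restrict who may frame the page; `"frame-ancestors 'self'; "` next to the new `frame-src` line would close that clickjacking gap rather than relying on X-Frame-Options being set elsewhere.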
|