lucaspalomodevelop/eventcally
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/eventcally.git synced 2026-03-13 00:07:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #444 from eventcally/issues/443

Browse Source 
Fix Referrer-Policy #443
This commit is contained in:
Daniel Grams 2023-04-19 19:50:38 +02:00 committed by GitHub
commit 1ad81d9a53
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
project/__init__.py
View File

@ -63,6 +63,9 @@ if os.getenv("PREFERRED_URL_SCHEME"): # pragma: no cover
if app.config["PREFERRED_URL_SCHEME"] == "https": if app.config["PREFERRED_URL_SCHEME"] == "https":
app.config["SESSION_COOKIE_SECURE"] = True app.config["SESSION_COOKIE_SECURE"] = True
app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
app.config["REMEMBER_COOKIE_SECURE"] = True
app.config["REMEMBER_COOKIE_SAMESITE"] = "Lax"
from project.reverse_proxied import ReverseProxied from project.reverse_proxied import ReverseProxied

3
project/requests.py
View File

@ -17,6 +17,7 @@ def set_manage_admin_unit_cookie(response):
value=encoded, value=encoded,
expires=datetime.utcnow() + timedelta(days=365), expires=datetime.utcnow() + timedelta(days=365),
secure=app.config["SESSION_COOKIE_SECURE"], secure=app.config["SESSION_COOKIE_SECURE"],
samesite=app.config["SESSION_COOKIE_SAMESITE"],
) )
return response return response
@ -29,7 +30,7 @@ def set_response_headers(response):
response.headers["X-Frame-Options"] = "SAMEORIGIN" response.headers["X-Frame-Options"] = "SAMEORIGIN"
response.headers["X-Content-Type-Options"] = "nosniff" response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["Referrer-Policy"] = "no-referrer" response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
response.headers[ response.headers[
"Content-Security-Policy" "Content-Security-Policy"
] = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data: *.openstreetmap.org;" ] = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data: *.openstreetmap.org;"

20
project/static/site.webmanifest
View File

@ -1 +1,19 @@
{"name":"","short_name":"","icons":[{"src":"/android-chrome-192x192.png","sizes":"192x192","type":"image/png"},{"src":"/android-chrome-512x512.png","sizes":"512x512","type":"image/png"}],"theme_color":"#ffffff","background_color":"#ffffff","display":"standalone"} {
"name": "",
"short_name": "",
"icons": [
{
"src": "/static/android-chrome-192x192.png",
"sizes": "192x192",
"type": "image/png"
},
{
"src": "/static/android-chrome-512x512.png",
"sizes": "512x512",
"type": "image/png"
}
],
"theme_color": "#ffffff",
"background_color": "#ffffff",
"display": "standalone"
}

2
tests/views/test_root.py
View File

@ -8,7 +8,7 @@ def test_home(client, seeder, utils):
response = utils.get_ok(url) response = utils.get_ok(url)
assert response.headers["X-Frame-Options"] == "SAMEORIGIN" assert response.headers["X-Frame-Options"] == "SAMEORIGIN"
assert response.headers["X-Content-Type-Options"] == "nosniff" assert response.headers["X-Content-Type-Options"] == "nosniff"
assert response.headers["Referrer-Policy"] == "no-referrer" assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"
assert "Content-Security-Policy" in response.headers assert "Content-Security-Policy" in response.headers