#
# Copyright © 2012–2020 Michal Čihař <[email protected]>
#
# This file is part of Weblate <https://weblate.org/>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import hmac

from django.conf import settings
# Endpoint that receives CSP and Expect-CT violation reports. The
# ``sentry_key`` query parameter is the DSN public key Sentry expects on its
# security-report endpoint; it is not an API token and is meant to be sent
# to browsers in the header value.
URL = (
    "https://sentry.io/api/1305560/security/?"
    "sentry_key=795461fdeabc4ff6a3b6a6dedc495b5f"
)

# Content-Security-Policy directives; the ``{...}`` placeholders are filled
# by SecurityMiddleware with space-separated source lists. ``object-src``,
# ``frame-src`` and ``frame-ancestors`` are pinned to ``'none'`` so the
# middleware cannot widen them by accident.
CSP_TEMPLATE = "; ".join(
    (
        "default-src 'self'",
        "style-src {style}",
        "img-src {image}",
        "script-src {script}",
        "connect-src {connect}",
        "object-src 'none'",
        "font-src {font}",
        "frame-src 'none'",
        "frame-ancestors 'none'",
        "report-uri {report}",
    )
)
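class SecurityMiddleware:
    """Middleware that sets various security related headers.

    - Disables CSRF when the payment secret is provided in the POST body
    - Content-Security-Policy (skipped entirely when ``settings.DEBUG`` is on)
    - Expect-CT
    - X-XSS-Protection
    """

    def __init__(self, get_response=None):
        # Next handler in Django's middleware chain, invoked from __call__.
        self.get_response = get_response

    def __call__(self, request):
        # Skip CSRF validation for requests carrying the payment secret.
        # This is used to process automatic payments (callbacks that cannot
        # obtain a CSRF token).
        if self._has_payment_secret(request):
            request._dont_enforce_csrf_checks = True  # noqa: SF01
        response = self.get_response(request)
        # No CSP for debug mode (to allow djdt or error pages)
        if settings.DEBUG:
            return response
        response["Content-Security-Policy"] = self._build_csp()
        # Expect-CT is deprecated in current browsers; kept for older ones.
        response["Expect-CT"] = 'max-age=86400, enforce, report-uri="{}"'.format(URL)
        # Legacy header: current major browsers no longer act on it, so the
        # CSP above is the effective XSS control.
        response["X-XSS-Protection"] = "1; mode=block"
        return response

    @staticmethod
    def _has_payment_secret(request):
        """Return True when the POST body carries the configured payment secret.

        Both sides are compared in constant time with ``hmac.compare_digest``
        so the check does not leak how many leading characters matched. An
        empty or missing value on either side never matches: the previous
        plain ``==`` comparison would have treated an unset ``PAYMENT_SECRET``
        (``None``) as equal to a request without the ``secret`` field and
        disabled CSRF for every request.
        """
        provided = request.POST.get("secret")
        expected = settings.PAYMENT_SECRET
        if not provided or not expected:
            return False
        # Encode to bytes: compare_digest rejects non-ASCII str operands.
        return hmac.compare_digest(
            str(provided).encode("utf-8"), str(expected).encode("utf-8")
        )

    @staticmethod
    def _build_csp():
        """Return the Content-Security-Policy header value.

        Source lists start from ``'self'`` and are widened only for the
        third-party hosts listed below; the template keeps ``object-src``,
        ``frame-src`` and ``frame-ancestors`` at ``'none'``.
        """
        style = ["'self'", "s.weblate.org"]
        script = ["'self'"]
        connect = ["'self'"]
        image = ["'self'", "data:"]
        font = ["'self'", "s.weblate.org"]
        # Sentry/Raven
        script.append("cdn.ravenjs.com")
        # Matomo/Piwik
        script.append("stats.cihar.com")
        image.append("stats.cihar.com")
        connect.append("stats.cihar.com")
        # Hosted Weblate widget
        image.append("hosted.weblate.org")
        # Old blog entries
        image.append("blog.cihar.com")
        # The Pay
        image.append("www.thepay.cz")
        # GitHub avatars (wildcard host: widens img-src only)
        image.append("*.githubusercontent.com")
        return CSP_TEMPLATE.format(
            style=" ".join(style),
            image=" ".join(image),
            script=" ".join(script),
            font=" ".join(font),
            connect=" ".join(connect),
            report=URL,
        )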