From 9c35f3ddb7b829252e9a413766985adb80db0aca Mon Sep 17 00:00:00 2001
From: Nick Sweeting
Date: Thu, 22 Aug 2024 18:40:47 -0700
Subject: [PATCH] add new CSRF_TRUSTED_ORIGINS config option

---
 archivebox/config.py | 3 ++-
 archivebox/core/settings.py | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/archivebox/config.py b/archivebox/config.py
index f08e597a..de086304 100644
--- a/archivebox/config.py
+++ b/archivebox/config.py
@@ -88,7 +88,8 @@ CONFIG_SCHEMA: Dict[str, ConfigDefaultDict] = {
     'SERVER_CONFIG': {
         'SECRET_KEY': {'type': str, 'default': None},
         'BIND_ADDR': {'type': str, 'default': lambda c: ['127.0.0.1:8000', '0.0.0.0:8000'][c['IN_DOCKER']]},
-        'ALLOWED_HOSTS': {'type': str, 'default': '*'},
+        'ALLOWED_HOSTS': {'type': str, 'default': '*'}, # e.g. archivebox.example.com,archivebox2.example.com
+        'CSRF_TRUSTED_ORIGINS': {'type': str, 'default': ''}, # e.g. https://archivebox.example.com,https://archivebox2.example.com:8080
         'DEBUG': {'type': bool, 'default': False},
         'PUBLIC_INDEX': {'type': bool, 'default': True},
         'PUBLIC_SNAPSHOTS': {'type': bool, 'default': True},
diff --git a/archivebox/core/settings.py b/archivebox/core/settings.py
index ef08643e..1321bd52 100644
--- a/archivebox/core/settings.py
+++ b/archivebox/core/settings.py
@@ -317,6 +317,13 @@ STORAGES = {
 
 SECRET_KEY = CONFIG.SECRET_KEY or get_random_string(50, 'abcdefghijklmnopqrstuvwxyz0123456789_')
 ALLOWED_HOSTS = CONFIG.ALLOWED_HOSTS.split(',')
+CSRF_TRUSTED_ORIGINS = CONFIG.CSRF_TRUSTED_ORIGINS.split(',')
+
+# automatically fix case when user sets ALLOWED_HOSTS (e.g. to archivebox.example.com)
+# but forgets to add https://archivebox.example.com to CSRF_TRUSTED_ORIGINS
+if CONFIG.ALLOWED_HOSTS != '*' and (not CSRF_TRUSTED_ORIGINS):
+    for hostname in ALLOWED_HOSTS:
+        CSRF_TRUSTED_ORIGINS.append(f'https://{hostname}')
 
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
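Review bot: The fallback that derives CSRF_TRUSTED_ORIGINS from ALLOWED_HOSTS in the settings.py hunk can never run, because `CONFIG.CSRF_TRUSTED_ORIGINS.split(',')` on the default `''` yields `['']`, a non-empty list, so `not CSRF_TRUSTED_ORIGINS` is always false and Django is handed an empty-string origin instead (if the project is on Django 4.0 or newer, the startup system check rejects origins without a scheme, so this likely breaks `check`/`runserver` rather than silently trusting anything). The same split keeps surrounding whitespace from a value like `a, b`, and the derivation turns an ALLOWED_HOSTS wildcard such as `.example.com` into `https://.example.com` rather than the `https://*.example.com` form Django's CSRF check understands, and a literal `*` inside a multi-entry ALLOWED_HOSTS into `https://*`. Both should strip and drop empty items, map the leading-dot wildcard, and skip `*`. The hard-coded `https://` also gives plain-http deployments on a non-default port no usable fallback, which deserves a comment telling those users to set CSRF_TRUSTED_ORIGINS explicitly.
```python
CSRF_TRUSTED_ORIGINS = [o.strip() for o in CONFIG.CSRF_TRUSTED_ORIGINS.split(',') if o.strip()]

# Derive https origins from ALLOWED_HOSTS only when it is not '*' and the user set no
# explicit CSRF_TRUSTED_ORIGINS; plain-http deployments must set it themselves.
if CONFIG.ALLOWED_HOSTS != '*' and not CSRF_TRUSTED_ORIGINS:
    for hostname in (h.strip() for h in ALLOWED_HOSTS):
        if not hostname or hostname == '*':
            continue
        # an ALLOWED_HOSTS '.example.com' wildcard is 'https://*.example.com' for CSRF
        CSRF_TRUSTED_ORIGINS.append(f'https://*{hostname}' if hostname.startswith('.') else f'https://{hostname}')
```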