add new CSRF_TRUSTED_ORIGINS config option

This commit is contained in:
Nick Sweeting 2024-08-22 18:40:47 -07:00
parent 1a03db2b1d
commit 9c35f3ddb7
No known key found for this signature in database
2 changed files with 9 additions and 1 deletions


@ -88,7 +88,8 @@ CONFIG_SCHEMA: Dict[str, ConfigDefaultDict] = {
'SERVER_CONFIG': { 'SERVER_CONFIG': {
'SECRET_KEY': {'type': str, 'default': None}, 'SECRET_KEY': {'type': str, 'default': None},
'BIND_ADDR': {'type': str, 'default': lambda c: ['127.0.0.1:8000', '0.0.0.0:8000'][c['IN_DOCKER']]}, 'BIND_ADDR': {'type': str, 'default': lambda c: ['127.0.0.1:8000', '0.0.0.0:8000'][c['IN_DOCKER']]},
'ALLOWED_HOSTS': {'type': str, 'default': '*'}, 'ALLOWED_HOSTS': {'type': str, 'default': '*'}, # e.g. archivebox.example.com,archivebox2.example.com
'CSRF_TRUSTED_ORIGINS': {'type': str, 'default': ''}, # e.g. https://archivebox.example.com,https://archivebox2.example.com:8080
'DEBUG': {'type': bool, 'default': False}, 'DEBUG': {'type': bool, 'default': False},
'PUBLIC_INDEX': {'type': bool, 'default': True}, 'PUBLIC_INDEX': {'type': bool, 'default': True},
'PUBLIC_SNAPSHOTS': {'type': bool, 'default': True}, 'PUBLIC_SNAPSHOTS': {'type': bool, 'default': True},


@ -317,6 +317,13 @@ STORAGES = {
SECRET_KEY = CONFIG.SECRET_KEY or get_random_string(50, 'abcdefghijklmnopqrstuvwxyz0123456789_') SECRET_KEY = CONFIG.SECRET_KEY or get_random_string(50, 'abcdefghijklmnopqrstuvwxyz0123456789_')
ALLOWED_HOSTS = CONFIG.ALLOWED_HOSTS.split(',') ALLOWED_HOSTS = CONFIG.ALLOWED_HOSTS.split(',')
CSRF_TRUSTED_ORIGINS = CONFIG.CSRF_TRUSTED_ORIGINS.split(',')
# automatically fix case when user sets ALLOWED_HOSTS (e.g. to archivebox.example.com)
# but forgets to add https://archivebox.example.com to CSRF_TRUSTED_ORIGINS
if CONFIG.ALLOWED_HOSTS != '*' and (not CSRF_TRUSTED_ORIGINS):
for hostname in ALLOWED_HOSTS:
CSRF_TRUSTED_ORIGINS.append(f'https://{hostname}')
SECURE_BROWSER_XSS_FILTER = True SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True SECURE_CONTENT_TYPE_NOSNIFF = True
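Review bot: The new `CSRF_TRUSTED_ORIGINS = CONFIG.CSRF_TRUSTED_ORIGINS.split(',')` line yields `['']` for the schema default of `''`, which is truthy, so the `not CSRF_TRUSTED_ORIGINS` fallback below it never fires for the default config and Django is handed an empty-string origin instead. Dropping blank entries fixes both: `CSRF_TRUSTED_ORIGINS = [o.strip() for o in CONFIG.CSRF_TRUSTED_ORIGINS.split(',') if o.strip()]`, and the same treatment would help the pre-existing `ALLOWED_HOSTS` split on the context line above. The fallback also hard-codes `https://`, so a deployment served over plain HTTP (the Docker default binds `0.0.0.0:8000` without TLS) still fails CSRF origin checks unless the user sets the option explicitly; a comment such as `# NOTE: only https:// origins are derived here; set CSRF_TRUSTED_ORIGINS explicitly for http:// or non-default ports` would make that visible. Wildcard-style `ALLOWED_HOSTS` entries (leading `.`) are also copied verbatim into an origin, which presumably is not a form Django accepts there — worth confirming against the Django version in use.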