Tweak design and try to prevent CSRF issues

main
Thomas Sileo 2022-07-08 09:01:25 +02:00
parent 7bb417759e
commit 68c13b275d
4 changed files with 32 additions and 1 deletions

View File

@ -122,6 +122,17 @@ async def add_security_headers(request: Request, call_next):
response.headers["x-content-type-options"] = "nosniff"
response.headers["x-xss-protection"] = "1; mode=block"
response.headers["x-frame-options"] = "SAMEORIGIN"
if request.url.path.startswith("/admin/login") or (
is_current_user_admin(request)
and not (
request.url.path.startswith("/attachments")
or request.url.path.startswith("/proxy")
or request.url.path.startswith("/static")
)
):
# Prevent caching (to prevent caching CSRF tokens)
response.headers["Cache-Control"] = "private"
# TODO(ts): disallow inline CSS?
if DEBUG:
return response

View File

@ -165,6 +165,7 @@
{% if metadata.is_following %}
<li>already following</li>
<li>{{ admin_undo_button(metadata.outbox_follow_ap_id, "unfollow")}}</li>
<li>{{ admin_profile_button(actor.ap_id) }}</li>
{% elif metadata.is_follow_request_sent %}
<li>follow request sent</li>
{% else %}
@ -172,6 +173,9 @@
{% endif %}
{% if metadata.is_follower %}
<li>follows you</li>
{% if not metadata.is_following %}
<li>{{ admin_profile_button(actor.ap_id) }}</li>
{% endif %}
{% endif %}
</li>
</ul>

17
poetry.lock generated
View File

@ -429,6 +429,17 @@ cli = ["click (>=8.0.0,<9.0.0)", "rich (>=10,<13)", "pygments (>=2.0.0,<3.0.0)"]
http2 = ["h2 (>=3,<5)"]
socks = ["socksio (>=1.0.0,<2.0.0)"]
[[package]]
name = "humanize"
version = "4.2.3"
description = "Python humanize utilities"
category = "main"
optional = false
python-versions = ">=3.7"
[package.extras]
tests = ["freezegun", "pytest", "pytest-cov"]
[[package]]
name = "idna"
version = "3.3"
@ -1151,7 +1162,7 @@ dev = ["pytest (>=4.6.2)", "black (>=19.3b0)"]
[metadata]
lock-version = "1.1"
python-versions = "^3.10"
content-hash = "4ea5cf809ffddcabfa9f23de9051538b7c8f7b96c5d79883b469a0e1cff2864b"
content-hash = "1192c7c9d7ce2b93f928406f66c6a6797581bdb4928974679f7b8a0a08a1cf9f"
[metadata.files]
aiosqlite = [
@ -1451,6 +1462,10 @@ httpx = [
{file = "httpx-0.23.0-py3-none-any.whl", hash = "sha256:42974f577483e1e932c3cdc3cd2303e883cbfba17fe228b0f63589764d7b9c4b"},
{file = "httpx-0.23.0.tar.gz", hash = "sha256:f28eac771ec9eb4866d3fb4ab65abd42d38c424739e80c08d8d20570de60b0ef"},
]
humanize = [
{file = "humanize-4.2.3-py3-none-any.whl", hash = "sha256:bed628920d45cd5018abb095710f0c03a8336d6ac0790e7647c6a328f3880b81"},
{file = "humanize-4.2.3.tar.gz", hash = "sha256:2bc1fdd831cd00557d3010abdd84d3e41b4a96703a3eaf6c24ee290b26b75a44"},
]
idna = [
{file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"},
{file = "idna-3.3.tar.gz", hash = "sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d"},

View File

@ -39,6 +39,7 @@ emoji = "^1.7.0"
PyLD = "^2.0.3"
aiosqlite = "^0.17.0"
cachetools = "^5.2.0"
humanize = "^4.2.3"
[tool.poetry.dev-dependencies]
black = "^22.3.0"