On Thursday, December 14, 2017 at 10:24:10 PM UTC-8, torgeriedel wrote:
>
> On 14.12.2017 at 21:03, Ryan Ollos wrote:
>
>
>
> On Thu, Dec 14, 2017 at 9:41 AM, Torge Riedel <[email protected]> wrote:
>
>> Hi,
>>
>> I've set up a Trac via https using the latest stable Trac (1.2.2).
>>
>> I've found a nice tool checking site configuration: 
>> https://observatory.mozilla.org/
>>
>> Checking my trac installation I got a poor "D" rating.
>>
>> Following is the list of tests failed resulting in a negative score:
>>
>> Test                      Score   Explanation
>> Content Security Policy    -25    Content Security Policy (CSP) header not implemented
>> Contribute.json            -10    Contribute.json file cannot be parsed
>> X-Content-Type-Options      -5    X-Content-Type-Options header not implemented
>> X-Frame-Options            -20    X-Frame-Options (XFO) header not implemented
>> X-XSS-Protection           -10    X-XSS-Protection header not implemented
>>
>> Since other sites hosted on my server get better ratings there must be a 
>> chance to fix this in the code. Another way is to add such headers to the 
>> apache config, but I'm not sure whether I am breaking something in trac and 
>> it's less flexible.
>>
>> Is there a chance to improve the headers trac is sending? Can I help with 
>> whatever is helpful?
>>
>> Regards
>> Torge
>>
>
> Some or all of this may be best addressed through your web server 
> configuration. Are you running Apache?
>
> - Ryan
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Trac Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/trac-dev.
> For more options, visit https://groups.google.com/d/optout.
>
> Yes, I am running Apache. And I have full access to my server. Others 
> might not have full access to the Apache config and be able to add headers, 
> or mod_headers might not be activated.
>
> That's why I think as much as possible of such headers should be sent by 
> trac.
>

Any such headers need to be configurable, but we want to avoid 
configuration option bloat. What we might be able to do is add an 
[http-headers] configuration section to trac.ini. We could specify some 
common configurations to the documentation.

Example configuration:

[http-headers]
X-Frame-Options = DENY
X-XSS-Protection = 1; mode=block

The option names as read by ConfigParser are case-insensitive, but I think 
that may be okay as it looks like the HTTP headers are also 
case-insensitive.

I've done a PoC patch against 1.2-stable, but I'll want to hear what Jun 
has to say before suggesting this is the right solution, since he has much 
more experience with web server internals and configuration.

diff --git a/trac/web/api.py b/trac/web/api.py
index b2e76f948..521cd59ab 100644
--- a/trac/web/api.py
+++ b/trac/web/api.py
@@ -686,6 +686,8 @@ class Request(object):
         self.send_header('Content-Type', content_type + ';charset=utf-8')
         if isinstance(content, basestring):
             self.send_header('Content-Length', len(content))
+        for name, val in getattr(self, 'configurable_headers', []):
+            self.send_header(name, val)
         self.end_headers()

         if self.method != 'HEAD':
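Review bot: the new loop in api.py sits in this one send path, after Content-Length and before end_headers(), so only responses produced by this method carry the configured headers; any other path in Request that calls end_headers() on its own (a redirect, an error page, a file handed off via send_file or X-Sendfile) still goes out without them, and a scanner such as Observatory scores those responses the same way. Emitting the configured headers from end_headers() itself, or from one helper every send path calls, would cover all of them with a single change. The getattr() default keeps this method working when no callback has been registered, and HEAD is already covered since the loop precedes end_headers().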
diff --git a/trac/web/main.py b/trac/web/main.py
index 56b493d38..8f66906e3 100644
--- a/trac/web/main.py
+++ b/trac/web/main.py
@@ -38,8 +38,9 @@ from genshi.output import DocType
 from genshi.template import TemplateLoader

 from trac import __version__ as TRAC_VERSION
-from trac.config import BoolOption, ChoiceOption, ConfigurationError, \
-                        ExtensionOption, Option, OrderedExtensionsOption
+from trac.config import (
+    BoolOption, ChoiceOption, ConfigSection, ConfigurationError,
+    ExtensionOption, Option, OrderedExtensionsOption)
 from trac.core import *
 from trac.env import open_environment
 from trac.loader import get_plugin_info, match_plugins_to_frames
@@ -164,6 +165,10 @@ class RequestDispatcher(Component):
         """The header to use if `use_xsendfile` is enabled. If Nginx is 
used,
         set `X-Accel-Redirect`. (''since 1.0.6'')""")

+    configurable_headers = ConfigSection('http-headers', """
+        Headers to be added to the HTTP request. (''since 1.2.3'')
+        """)
+
     # Public API

     def authenticate(self, req):
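Review bot: the ConfigSection docstring says the headers are "added to the HTTP request"; they are added to the response, and since this text becomes the TracIni documentation it should say so. Worth stating there as well that option names are read case-insensitively (the parser lowercases them, so a configured X-Frame-Options is sent as x-frame-options, which HTTP permits) and that each option produces exactly one header, so a header that has to appear more than once cannot be expressed in this section.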
@@ -317,6 +322,7 @@ class RequestDispatcher(Component):
             'tz': self._get_timezone,
             'use_xsendfile': self._get_use_xsendfile,
             'xsendfile_header': self._get_xsendfile_header,
+            'configurable_headers': self._get_configurable_headers,
         })

     @lazy
@@ -426,6 +432,10 @@ class RequestDispatcher(Component):
                               header)
             return None

+    def _get_configurable_headers(self, req):
+        for name, val in self.configurable_headers.options():
+            yield name, val
+
     def _pre_process_request(self, req, chosen_handler):
         for filter_ in self.filters:
             chosen_handler = filter_.pre_process_request(req, 
chosen_handler)
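Review bot: _get_configurable_headers is a generator, but api.py reads the result as a plain attribute via getattr(self, 'configurable_headers', []), so whatever the callback returned is what every reader sees: the first consumer drains the generator and any later access (a plugin, a test) gets an exhausted iterator. Returning `list(self.configurable_headers.options())` avoids that at no cost. This is also the place to validate values before the api.py hunk writes them verbatim with send_header(): ConfigParser folds an indented continuation line into the previous value with an embedded newline, so a value containing CR or LF would split the response into extra header lines; skip such entries with a warning in the log rather than send them.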

- Ryan
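
An added example (mine, not Trac's code and not part of Ryan's patch) of what the proposed [http-headers] section yields once the standard-library ConfigParser has read it, together with the two checks a reviewer would want before the values reach send_header(): it shows the option-name lowercasing Ryan mentions, rejects a value that ConfigParser folds from an indented continuation line (which would otherwise split the response into extra header lines), and reports which of the headers Observatory scored are still unset. The trac.ini fragments, the helper names and the use of Python 3's configparser are my assumptions; Trac 1.2 itself runs on Python 2, whose ConfigParser lowercases names and joins continuation lines the same way.

```python
# Added example, not Trac code: read an [http-headers] section the way the
# stdlib ConfigParser would and check the result before it is sent verbatim.
import configparser

# Constructed trac.ini fragment (assumption), modelled on the example in the
# thread plus the two other headers Observatory flagged.
SAMPLE_INI = """\
[trac]
base_url = https://trac.example.org/

[http-headers]
X-Frame-Options = DENY
X-XSS-Protection = 1; mode=block
X-Content-Type-Options = nosniff
Content-Security-Policy = default-src 'self'; frame-ancestors 'none'
"""

# Constructed fragment (assumption): the indented second line is a ConfigParser
# continuation line and is folded into the X-Frame-Options value with an
# embedded newline. Written verbatim by send_header(), that newline would
# start a second, configuration-chosen header line.
FOLDED_INI = """\
[http-headers]
X-Frame-Options = DENY
  Set-Cookie: session=attacker-chosen
"""

# Headers Observatory scored on Trac's responses in the thread
# (Contribute.json is a file, not a header, so it is not listed).
OBSERVATORY_HEADERS = (
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
)


def load_http_headers(ini_text, section="http-headers"):
    """Return the (name, value) pairs of the section as the parser sees them.

    RawConfigParser applies optionxform (str.lower) to option names, so a
    configured 'X-Frame-Options' comes back as 'x-frame-options'. HTTP field
    names are case-insensitive, so browsers honour it either way.
    """
    parser = configparser.RawConfigParser()  # no '%' interpolation of values
    parser.read_string(ini_text)
    if not parser.has_section(section):
        return []
    return parser.items(section)


def header_error(name, value):
    """Reason a (name, value) pair must not be written verbatim, or None."""
    if not name or any(c in name for c in " \t:\r\n"):
        return "invalid header name %r" % name
    if "\r" in value or "\n" in value:
        return "value of %r contains a line break (response splitting)" % name
    return None


def check_config(ini_text):
    """Return (header_lines, errors, missing).

    header_lines: 'name: value' strings safe to emit, in file order;
    errors: reasons for pairs that were rejected;
    missing: Observatory-scored headers the section does not set.
    """
    header_lines, errors, seen = [], [], set()
    for name, value in load_http_headers(ini_text):
        err = header_error(name, value)
        if err:
            errors.append(err)
            continue
        header_lines.append("%s: %s" % (name, value))
        seen.add(name)
    missing = [h for h in OBSERVATORY_HEADERS if h not in seen]
    return header_lines, errors, missing


if __name__ == "__main__":
    for label, ini in (("sample", SAMPLE_INI), ("folded", FOLDED_INI)):
        lines, errors, missing = check_config(ini)
        print(label, lines, errors, missing, sep="\n  ")
```

Running it on SAMPLE_INI prints the four headers with lowercased names and nothing missing; on FOLDED_INI it emits nothing, reports the line break, and lists all four Observatory headers as missing. If the headers are set in Apache instead, as Torge considered, mod_headers needs `Header always set` rather than plain `Header set`, since the latter applies only to successful (2xx) responses and scanners also look at redirects and error pages.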
