On Friday, December 15, 2017 at 1:02:03 AM UTC-8, RjOllos wrote: > > > > On Thursday, December 14, 2017 at 10:24:10 PM UTC-8, torgeriedel wrote: >> >> Am 14.12.2017 um 21:03 schrieb Ryan Ollos: >> >> >> >> On Thu, Dec 14, 2017 at 9:41 AM, Torge Riedel <[email protected]> wrote: >> >>> Hi, >>> >>> I've set up a trac via https using latest stable trac (1.2.2). >>> >>> I've found a nice tool checking site configuration: >>> https://observatory.mozilla.org/ >>> >>> Checking my trac installation I got a poor "D" rating. >>> >>> Following is the list of tests failed resulting in a negative score: >>> >>> Test Score Explanation >>> Content Security Policy -25 Content Security Policy (CSP) >>> header not implemented >>> Contribute.json -10 Contribute.json file cannot >>> be parsed >>> X-Content-Type-Options -5 X-Content-Type-Options header not >>> implemented >>> X-Frame-Options -20 X-Frame-Options (XFO) header >>> not implemented >>> X-XSS-Protection -10 X-XSS-Protection header not >>> implemented >>> >>> Since other sites hosted on my server get better ratings there must be a >>> chance to fix this in the code. Another way is to add such headers to the >>> apache config, but I'm not sure whether I am breaking something in trac and >>> it's less flexible. >>> >>> Is there a chance to improve the headers trac is sending? Can I help >>> with whatever is helpful? >>> >>> Regards >>> Torge >>> >> >> Some of all of this may be best addressed through your web server >> configuration. Are you running Apache? >> >> - Ryan >> -- >> You received this message because you are subscribed to the Google Groups >> "Trac Development" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To post to this group, send email to [email protected]. >> Visit this group at https://groups.google.com/group/trac-dev. >> For more options, visit https://groups.google.com/d/optout. >> >> Yes, I am running apache. 
And I have full access to my server. Others >> might not have full access to the apache config and are able to add headers >> or mod_headers is not activated. >> >> That's why I think as much as possible of such headers should be sent by >> trac. >> > > Any such headers need to be configurable, but we want to avoid > configuration option bloat. What we might be able to do is add an > [http-headers] configuration section to trac.ini. We could specify some > common configurations to the documentation. > > Example configuration: > > [http-headers] > X-Frame-Options = DENY > X-XSS-Protection = 1; mode=block > > The option names as read by ConfigParser are case-insensitive, but I think > that may be okay as it looks like the HTTP headers are also > case-insensitive. > > I've done a PoC patch against 1.2-stable, but I'll want to hear what Jun > has to say before suggesting this is the right solution, since he has much > more experience with web server internals and configuration. > > diff --git a/trac/web/api.py b/trac/web/api.py > index b2e76f948..521cd59ab 100644 > --- a/trac/web/api.py > +++ b/trac/web/api.py > @@ -686,6 +686,8 @@ class Request(object): > self.send_header('Content-Type', content_type + ';charset=utf-8') > if isinstance(content, basestring): > self.send_header('Content-Length', len(content)) > + for name, val in getattr(self, 'configurable_headers', []): > + self.send_header(name, val) > self.end_headers() > > if self.method != 'HEAD': > diff --git a/trac/web/main.py b/trac/web/main.py > index 56b493d38..1a54dce82 100644 > --- a/trac/web/main.py > +++ b/trac/web/main.py 
> @@ -38,8 +38,9 @@ from genshi.output import DocType > from genshi.template import TemplateLoader > > from trac import __version__ as TRAC_VERSION > -from trac.config import BoolOption, ChoiceOption, ConfigurationError, \ > - ExtensionOption, Option, OrderedExtensionsOption > +from trac.config import ( > + BoolOption, ChoiceOption, ConfigSection, ConfigurationError, > + ExtensionOption, Option, OrderedExtensionsOption) > from trac.core import * > from trac.env import open_environment > from trac.loader import get_plugin_info, match_plugins_to_frames > @@ -164,6 +165,10 @@ class RequestDispatcher(Component): > """The header to use if `use_xsendfile` is enabled. If Nginx is > used, > set `X-Accel-Redirect`. (''since 1.0.6'')""") > > + configurable_headers = ConfigSection('http-headers', """ > + Headers to be added to the HTTP request. > + """) > + > # Public API > > def authenticate(self, req): > @@ -317,6 +322,7 @@ class RequestDispatcher(Component): > 'tz': self._get_timezone, > 'use_xsendfile': self._get_use_xsendfile, > 'xsendfile_header': self._get_xsendfile_header, > + 'configurable_headers': self._get_configurable_headers, > }) > > @lazy > @@ -426,6 +432,10 @@ class RequestDispatcher(Component): > header) > return None > > + def _get_configurable_headers(self, req): > + for name, val in self.configurable_headers.options(): > + yield name, val > + > def _pre_process_request(self, req, chosen_handler): > for filter_ in self.filters: > chosen_handler = filter_.pre_process_request(req, > chosen_handler) > (pve) ~/Documents/Workspace/trac-dev/teo-rjollos.git$clear > (pve) ~/Documents/Workspace/trac-dev/teo-rjollos.git$git diff > diff --git a/trac/web/api.py b/trac/web/api.py > index b2e76f948..521cd59ab 100644 > --- a/trac/web/api.py > +++ b/trac/web/api.py 
> @@ -686,6 +686,8 @@ class Request(object): > self.send_header('Content-Type', content_type + ';charset=utf-8') > if isinstance(content, basestring): > self.send_header('Content-Length', len(content)) > + for name, val in getattr(self, 'configurable_headers', []): > + self.send_header(name, val) > self.end_headers() > > if self.method != 'HEAD': > diff --git a/trac/web/main.py b/trac/web/main.py > index 56b493d38..8f66906e3 100644 > --- a/trac/web/main.py > +++ b/trac/web/main.py > @@ -38,8 +38,9 @@ from genshi.output import DocType > from genshi.template import TemplateLoader > > from trac import __version__ as TRAC_VERSION > -from trac.config import BoolOption, ChoiceOption, ConfigurationError, \ > - ExtensionOption, Option, OrderedExtensionsOption > +from trac.config import ( > + BoolOption, ChoiceOption, ConfigSection, ConfigurationError, > + ExtensionOption, Option, OrderedExtensionsOption) > from trac.core import * > from trac.env import open_environment > from trac.loader import get_plugin_info, match_plugins_to_frames > @@ -164,6 +165,10 @@ class RequestDispatcher(Component): > """The header to use if `use_xsendfile` is enabled. If Nginx is > used, > set `X-Accel-Redirect`. (''since 1.0.6'')""") > > + configurable_headers = ConfigSection('http-headers', """ > + Headers to be added to the HTTP request. (''since 1.2.3'') > + """) > + > # Public API > > def authenticate(self, req): > @@ -317,6 +322,7 @@ class RequestDispatcher(Component): > 'tz': self._get_timezone, > 'use_xsendfile': self._get_use_xsendfile, > 'xsendfile_header': self._get_xsendfile_header, > + 'configurable_headers': self._get_configurable_headers, > }) > > @lazy 
> @@ -426,6 +432,10 @@ class RequestDispatcher(Component): > header) > return None > > + def _get_configurable_headers(self, req): > + for name, val in self.configurable_headers.options(): > + yield name, val > + > def _pre_process_request(self, req, chosen_handler): > for filter_ in self.filters: > chosen_handler = filter_.pre_process_request(req, > chosen_handler) > > - Ryan >
Attaching same patch as a file. - Ryan -- You received this message because you are subscribed to the Google Groups "Trac Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/trac-dev. For more options, visit https://groups.google.com/d/optout.
commit 104636610b1bcb7f3696bae62be475f9f51fc5fc Author: Ryan J Ollos <[email protected]> Date: Fri Dec 15 01:02:27 2017 -0800 Add option for configuring HTTP headers diff --git a/trac/web/api.py b/trac/web/api.py index b2e76f948..521cd59ab 100644 --- a/trac/web/api.py +++ b/trac/web/api.py @@ -686,6 +686,8 @@ class Request(object): self.send_header('Content-Type', content_type + ';charset=utf-8') if isinstance(content, basestring): self.send_header('Content-Length', len(content)) + for name, val in getattr(self, 'configurable_headers', []): + self.send_header(name, val) self.end_headers() if self.method != 'HEAD': diff --git a/trac/web/main.py b/trac/web/main.py index 56b493d38..8f66906e3 100644 --- a/trac/web/main.py +++ b/trac/web/main.py @@ -38,8 +38,9 @@ from genshi.output import DocType from genshi.template import TemplateLoader from trac import __version__ as TRAC_VERSION -from trac.config import BoolOption, ChoiceOption, ConfigurationError, \ - ExtensionOption, Option, OrderedExtensionsOption +from trac.config import ( + BoolOption, ChoiceOption, ConfigSection, ConfigurationError, + ExtensionOption, Option, OrderedExtensionsOption) from trac.core import * from trac.env import open_environment from trac.loader import get_plugin_info, match_plugins_to_frames @@ -164,6 +165,10 @@ class RequestDispatcher(Component): """The header to use if `use_xsendfile` is enabled. If Nginx is used, set `X-Accel-Redirect`. (''since 1.0.6'')""") + configurable_headers = ConfigSection('http-headers', """ + Headers to be added to the HTTP request. (''since 1.2.3'') + """) + # Public API def authenticate(self, req): @@ -317,6 +322,7 @@ class RequestDispatcher(Component): 'tz': self._get_timezone, 'use_xsendfile': self._get_use_xsendfile, 'xsendfile_header': self._get_xsendfile_header, + 'configurable_headers': self._get_configurable_headers, }) @lazy 
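Review bot: The added loop sends the `[http-headers]` entries only on this response path; the enclosing method of `Request` starts outside the hunk, and the other response paths of the class (redirects, error pages, file responses) are not shown here, so if they emit their own headers they presumably go out without the configured entries — worth confirming, since X-Frame-Options and similar are usually wanted on error pages as well. The loop also runs after Content-Type and Content-Length have already been sent, so a configured header with one of those names is emitted a second time rather than replacing the built-in value. A comment such as `# [http-headers] entries are appended, not merged: a configured Content-Type is sent in addition to the one above` would make that explicit, or the configured names could be checked against the headers already queued before they are sent. The same lines appear in the quoted PoC patches earlier in the thread.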
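Review bot: The docstring of the new `configurable_headers` section says the headers are added to the HTTP request, but the api.py hunk above sends them with `send_header`, i.e. on the response; `Headers to be added to the HTTP response. (''since 1.2.3'')` is the accurate wording. Since this text is presumably what administrators see in the generated TracIni documentation for the section, it would also help to state that values are sent verbatim and that option names are lower-cased by the config parser, as noted earlier in the thread. The same docstring appears in the quoted patch at the top of the thread without the since-marker.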
@@ -426,6 +432,10 @@ class RequestDispatcher(Component): header) return None + def _get_configurable_headers(self, req): + for name, val in self.configurable_headers.options(): + yield name, val + def _pre_process_request(self, req, chosen_handler): for filter_ in self.filters: chosen_handler = filter_.pre_process_request(req, chosen_handler)
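Review bot: `_get_configurable_headers` returns a generator, and the lazy-attribute entry added in the hunk above means `req.configurable_headers` is resolved on first access; if the resolved value is then cached on the request (that machinery is outside this diff), a second consumer would see an exhausted iterator, so returning a list is safer. The values also go straight from trac.ini to `send_header` with no check for CR or LF; ConfigParser-style continuation lines can put a newline into a value, which would split the response header block or be rejected by the WSGI layer, so I'd skip such entries with a logged warning rather than pass them through. The rewritten method below does both; the same lines appear in the quoted patches earlier in the thread.

```python
    def _get_configurable_headers(self, req):
        """Return the [http-headers] entries as a list of (name, value).

        Entries whose name or value contains CR or LF are skipped, so a
        malformed trac.ini value cannot split the response header block.
        """
        headers = []
        for name, val in self.configurable_headers.options():
            if any(c in name or c in val for c in ('\r', '\n')):
                self.log.warning("Ignoring [http-headers] entry %r: "
                                 "name or value contains a line break", name)
                continue
            headers.append((name, val))
        return headers
```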
