On 19.12.2017 at 06:54, RjOllos wrote:


On Monday, December 18, 2017 at 8:32:16 AM UTC-8, torgeriedel wrote:

    On 18.12.2017 at 09:15, Jun Omae wrote:
    > Hi,
    >
    > <[email protected]> wrote on 2017-Dec-15 at 06:02 PM:
    >> Any such headers need to be configurable, but we want to avoid
    >> configuration option bloat. What we might be able to do is add an
    >> [http-headers] configuration section to trac.ini. We could specify some
    >> common configurations in the documentation.
    >>
    >> Example configuration:
    >>
    >> [http-headers]
    >> X-Frame-Options = DENY
    >> X-XSS-Protection = 1; mode=block
    >>
    >> The option names as read by ConfigParser are case-insensitive, but I
    >> think that may be okay as it looks like the HTTP headers are also
    >> case-insensitive.
    >>
    >> I've done a PoC patch against 1.2-stable, but I'll want to hear what Jun
    >> has to say before suggesting this is the right solution, since he has
    >> much more experience with web server internals and configuration.
    >
    > Good feature.
    >
    > My suggestions:
    >
    >  1. Whether the HTTP header name is valid, like the [trac] xsendfile_header option.
    >  2. Whether the HTTP header value is valid (the value cannot contain control
    >     characters except TAB and SPACE).
    >  3. Ignore some headers, e.g. Content-Type, Content-Length, Location,
    >     ETag, Pragma, Cache-Control, Expires
    >  4. I think we should send configured headers for all send_* methods,
    >     including send_error().
    >
    > See attached patch.
    >
    > I thought it might be good to allow overwriting headers like "set" in the
    > mod_headers module, but it would not be needed in the use case of Trac.
    >
    Hi,

    I created a temporary dev env of Trac 1.2.2 with the patch of Jun applied.
    I have configured the following headers in trac.ini:

    [http-headers]
    Content-Security-Policy = frame-ancestors 'none'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
    Referrer-Policy = no-referrer
    Strict-Transport-Security = max-age=31536000; includeSubDomains
    X-Frame-Options = DENY
    X-Content-Type-Options = nosniff
    X-XSS-Protection = 1; mode=block

    With the headers defined as above, Trac should get a better rating, or
    something near it.

    Well, currently the Trac test env I have set up is getting an F rating on
    observatory.mozilla.org, since https was not in use, a redirect to https is
    missing and HSTS was set without https.

    And there is another important point which needs to be adjusted:

    Cookies    -40    Session cookie set without using the Secure flag or set over http

    If used on https the score is "just" -10, but I recommend adding the secure
    flag to the cookie Trac is setting.

    https://trac.edgewall.org/wiki/TracIni#trac-secure_cookies-option

    Is there a chance to get this into Trac 1.2.3? I recommend setting the
    headers above in a default trac.ini created by trac-admin initenv.


Yes,
https://trac.edgewall.org/ticket/12964

- Ryan
--
You received this message because you are subscribed to the Google Groups "Trac
Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
[email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/trac-dev.
For more options, visit https://groups.google.com/d/optout.
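Jun's four validation suggestions above (valid header name, no control characters in the value except TAB and SPACE, a reserved-header ignore list, applied to whatever is read from [http-headers]), as an added example that is neither Trac's code nor Jun's attached patch; the trac.ini fragment is constructed, and the function names are hypothetical:

```python
import configparser
import re

# RFC 7230 "token" characters, the only ones permitted in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Headers Trac sets itself (suggestion 3 above); a configured copy is ignored.
RESERVED_HEADERS = frozenset(h.lower() for h in (
    'Content-Type', 'Content-Length', 'Location', 'ETag',
    'Pragma', 'Cache-Control', 'Expires'))

# Constructed sample trac.ini fragment: two good headers, a reserved one and a
# value that configparser joins from a continuation line (so it contains LF).
SAMPLE_INI = """\
[http-headers]
X-Frame-Options = DENY
X-XSS-Protection = 1; mode=block
Content-Type = text/plain
X-Bad-Value = first line
  second line
"""

def is_valid_header_name(name):
    """Suggestion 1: the name must be a single RFC 7230 token."""
    return bool(_TOKEN_RE.match(name))

def is_valid_header_value(value):
    """Suggestion 2: no control characters except TAB and SPACE.
    A CR or LF here would let the value smuggle in a second header line."""
    return not any((ord(ch) < 0x20 and ch != '\t') or ord(ch) == 0x7f
                   for ch in value)

def load_http_headers(ini_text):
    """Parse [http-headers] and split it into usable and rejected entries."""
    parser = configparser.RawConfigParser()
    parser.optionxform = str   # keep the capitalisation written in trac.ini
    parser.read_string(ini_text)
    headers, rejected = [], []
    if not parser.has_section('http-headers'):
        return headers, rejected
    for name, value in parser.items('http-headers'):
        if not is_valid_header_name(name):
            rejected.append((name, 'invalid header name'))
        elif name.lower() in RESERVED_HEADERS:
            rejected.append((name, 'reserved header ignored'))
        elif not is_valid_header_value(value):
            rejected.append((name, 'control character in value'))
        else:
            headers.append((name, value))
    return headers, rejected
```

Python 3's configparser keeps the whole of "1; mode=block" as the value; Python 2's ConfigParser treats a ";" that follows whitespace as an inline comment and would truncate such a value to "1", which is worth checking on the 1.2 line.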

Hi,

regarding secure cookies: Sorry, I missed that. Changed in my installation and 
the rating got better.

I will wait for 1.2.3 and will give feedback after deploy and changing 
configurable headers.

Thanks for your efforts
Torge
