

☔ Set some more headers, remove CDN URL & remove unused JSESSIONID
  * Set X-Content-Type-Options to nosniff
  * Set X-Frame-Options to sameorigin (if not configured otherwise)
  * SockJS iframe fallback no longer embeds sockjs library from a CDN
  * SockJS no longer rewrites the unused JSESSIONID cookie
foosel committed Oct 8, 2019
1 parent a445cfe commit fd62c1f
Showing 6 changed files with 25 additions and 4 deletions.
10 changes: 8 additions & 2 deletions src/octoprint/server/__init__.py
Expand Up @@ -536,7 +536,9 @@ def settings_plugin_config_migration_and_cleanup(identifier, implementation):

self._router = SockJSRouter(self._create_socket_connection, "/sockjs",
session_kls=util.sockjs.ThreadSafeSession,
user_settings=dict(websocket_allow_origin="*" if enable_cors else ""))
user_settings=dict(websocket_allow_origin="*" if enable_cors else "",
jsessionid=False,
sockjs_url="../../static/js/lib/sockjs.min.js"))

upload_suffixes = dict(name=self._settings.get(["server", "uploads", "nameSuffix"]), path=self._settings.get(["server", "uploads", "pathSuffix"]))

Expand Down Expand Up @@ -647,7 +649,11 @@ def joined_dict(*dicts):
self._logger.debug("Adding additional route {route} handled by handler {handler} and with additional arguments {kwargs!r}".format(**locals()))
server_routes.append((route, handler, kwargs))

headers = {"X-Robots-Tag": "noindex, nofollow, noimageindex"}
headers = {"X-Robots-Tag": "noindex, nofollow, noimageindex",
"X-Content-Type-Options": "nosniff"}
if not settings().getBoolean(["server", "allowFraming"]):
headers["X-Frame-Options"] = "sameorigin"

removed_headers = ["Server"]

server_routes.append((r".*", util.tornado.UploadStorageFallbackHandler, dict(fallback=util.tornado.WsgiInputContainer(app.wsgi_app,
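Review bot: The new condition `if not settings().getBoolean(["server", "allowFraming"]):` reaches for the global `settings()` accessor while the surrounding code (the `upload_suffixes` line above) reads through `self._settings`; `if not self._settings.getBoolean(["server", "allowFraming"]):` keeps the block consistent and lets an injected settings object control the header in tests. When `allowFraming` is enabled the response carries no framing restriction at all, so a one-line comment such as `# allowFraming drops X-Frame-Options entirely; a CSP frame-ancestors allow-list would be the finer-grained option` would record the trade-off next to the code that makes it. The enclosing server setup method starts and ends outside the hunk, so whether `headers` is also applied to the SockJS router's own handlers is not visible here.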
5 changes: 4 additions & 1 deletion src/octoprint/server/api/settings.py
Expand Up @@ -236,7 +236,8 @@ def getSettings():
"enabled": s.getBoolean(["server", "pluginBlacklist", "enabled"]),
"url": s.get(["server", "pluginBlacklist", "url"]),
"ttl": int(s.getInt(["server", "pluginBlacklist", "ttl"]) / 60)
}
},
"allowFraming": s.getBoolean(["server", "allowFraming"])
}
}

Expand Down Expand Up @@ -554,6 +555,8 @@ def _saveSettings(data):
s.setInt(["server", "pluginBlacklist", "ttl"], ttl * 60)
except ValueError:
pass
if "allowFraming" in data["server"]:
s.setBoolean(["server", "allowFraming"], data["server"]["allowFraming"])

if "plugins" in data:
for plugin in octoprint.plugin.plugin_manager().get_implementations(octoprint.plugin.SettingsPlugin):
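Review bot: The new `allowFraming` branch in `_saveSettings` persists the value immediately, but the `X-Frame-Options` header it controls is built once in the server's route setup, so an API client that toggles the setting and then inspects the response headers will keep seeing the old behaviour until a restart; nothing in the API documents that. A comment at the new branch, `# persisted now, but X-Frame-Options is only re-evaluated when the server restarts`, would record it, and the API response could carry the same hint as the UI does. The value is handed straight to `s.setBoolean` without visible validation; presumably that helper coerces, but verify it does not store a truthy string like `"false"` as enabled. `_saveSettings` continues outside the hunk.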
3 changes: 2 additions & 1 deletion src/octoprint/settings.py
Expand Up @@ -214,7 +214,8 @@ def settings(init=False, basedir=None, configfile=None):
"ipCheck": {
"enabled": True,
"trustedSubnets": []
}
},
"allowFraming": False
},
"webcam": {
"webcamEnabled": True,
2 changes: 2 additions & 0 deletions src/octoprint/static/js/app/viewmodels/settings.js
Expand Up @@ -244,6 +244,8 @@ $(function() {
self.server_pluginBlacklist_url = ko.observable();
self.server_pluginBlacklist_ttl = ko.observable();

self.server_allowFraming = ko.observable();

self.settings = undefined;
self.lastReceivedSettings = undefined;

2 changes: 2 additions & 0 deletions src/octoprint/templates/dialogs/settings/server.jinja2
@@ -1,4 +1,6 @@
<form class="form-horizontal">
{% include "snippets/settings/server/serverAllowFraming.jinja2" %}

<h3>{{ _('Commands') }}</h3>

{% include "snippets/settings/server/serverCommandServerRestart.jinja2" %}
@@ -0,0 +1,7 @@
<div class="control-group">
<div class="controls">
<label class="checkbox">
<input type="checkbox" data-bind="checked: server_allowFraming" id="settings-serverAllowFraming"> {{ _('Allow embedding the web interface into a frame or iframe') }} <span class="label">Needs restart</span>
</label>
</div>
</div>
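Review bot: The checkbox label tells the user the change needs a restart but not what it gives up: ticking it removes the `X-Frame-Options: sameorigin` response header, i.e. the clickjacking protection this commit introduces, for every page of the web interface. A help block under the label, for example `<span class="help-block">{{ _('Only enable this if you intentionally embed OctoPrint in another site; it disables the clickjacking protection (X-Frame-Options) for all pages.') }}</span>`, would make the trade-off visible at the point of decision. Also, `Needs restart` is the only user-facing string in the snippet not wrapped in `_()`, unlike the label text next to it.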
