libervia-backend: sat/plugins/plugin_comp_file

comparison sat/plugins/plugin_comp_file_sharing.py @ 3296:da443cf946ad

comp file sharing: CORS: - added CORS headers to allow using the HTTP server from an other domain - added `Content-Security-Policy`

author	Goffi <goffi@goffi.org>
date	Tue, 09 Jun 2020 06:21:23 +0200
parents	449dfbfcdbcc
children	91b5ae058c66

comparison

equal deleted inserted replaced

-:9bc3fca290ab
+:da443cf946ad
 from sat.tools.common import files_utils
 from sat.tools.common import tls
 from sat.tools import stream
 from twisted.internet import defer, reactor
 from twisted.words.protocols.jabber import error
-from twisted.web import server, resource, static
+from twisted.web import server, resource, static, http
 from wokkel import pubsub
 from wokkel import generic
 log = getLogger(__name__)
 class HTTPFileServer(resource.Resource):
 isLeaf = True
 def errorPage(self, request, code):
 request.setResponseCode(code)
-if code == 400:
+if code == http.BAD_REQUEST:
 brief = 'Bad Request'
 details = "Your request is invalid"
-elif code == 403:
+elif code == http.FORBIDDEN:
 brief = 'Forbidden'
 details = "You're not allowed to use this resource"
-elif code == 404:
+elif code == http.NOT_FOUND:
 brief = 'Not Found'
 details = "No resource found at this URL"
 else:
 brief = 'Error'
 details = "This resource can't be used"
 elif media_type == 'application' and media_subtype == 'pdf':
 return 'inline'
 else:
 return 'attachment'
+def render(self, request):
+request.setHeader("Access-Control-Allow-Origin", "*")
+request.setHeader("Access-Control-Allow-Methods", "OPTIONS, HEAD, GET, PUT")
+request.setHeader("Access-Control-Allow-Headers", "Content-Type, Xmpp-File-Path, Xmpp-File-No-Http")
+request.setHeader("Access-Control-Allow-Credentials", "true")
+return super().render(request)
+def render_OPTIONS(self, request):
+request.setResponseCode(http.OK)
+return b""
 def render_GET(self, request):
 try:
 request.upload_data
 except exceptions.DataError:
-return self.errorPage(request, 404)
+return self.errorPage(request, http.NOT_FOUND)
 defer.ensureDeferred(self.renderGet(request))
 return server.NOT_DONE_YET
 async def renderGet(self, request):
 try:
 upload_id, filename = request.upload_data
 except exceptions.DataError:
-request.write(self.errorPage(request, 403))
+request.write(self.errorPage(request, http.FORBIDDEN))
 request.finish()
 return
 found_files = await request.file_sharing.host.memory.getFiles(
 client=None, peer_jid=None, perms_to_check=None, public_id=upload_id)
 if not found_files:
-request.write(self.errorPage(request, 404))
+request.write(self.errorPage(request, http.NOT_FOUND))
 request.finish()
 return
 if len(found_files) > 1:
 log.error(f"more that one files found for public id {upload_id!r}")
 # thus we add a content disposition header
 request.setHeader(
 'Content-Disposition',
 f"{disp_type}; filename*=UTF-8''{quote(found_file['name'])}"
 )
+# cf. https://xmpp.org/extensions/xep-0363.html#server
+request.setHeader(
+'Content-Security-Policy',
+"default-src 'none'; frame-ancestors 'none';"
+)
 ret = file_res.render(request)
 if ret != server.NOT_DONE_YET:
 # HEAD returns directly the result (while GET use a produced)
 request.write(ret)
 request.finish()
 async def renderPut(self, request):
 try:
 client, upload_request = request.upload_request_data
 upload_id, filename = request.upload_data
 except AttributeError:
-request.write(self.errorPage(request, 400))
+request.write(self.errorPage(request, http.BAD_REQUEST))
 request.finish()
 return
 # at this point request is checked and file is buffered, we can store it
 # we close the content here, before registering the file
 await request.file_sharing.registerReceivedFile(
 client, upload_request.from_, file_data, tmp_file_path,
 public_id=upload_id,
 )
-request.setResponseCode(201)
+request.setResponseCode(http.CREATED)
 request.finish()
 class FileSharingRequest(server.Request):

Mercurial > libervia-backend

comparison sat/plugins/plugin_comp_file_sharing.py @ 3296:da443cf946ad