# HG changeset patch # User Goffi # Date 1591676483 -7200 # Node ID da443cf946ad7020ee287b515bfceb4fe542d449 # Parent 9bc3fca290ab6f844b4e0707227d8f88d544eb25 comp file sharing: CORS: - added CORS headers to allow using the HTTP server from another domain - added `Content-Security-Policy` diff -r 9bc3fca290ab -r da443cf946ad sat/plugins/plugin_comp_file_sharing.py --- a/sat/plugins/plugin_comp_file_sharing.py Tue Jun 09 06:16:52 2020 +0200 +++ b/sat/plugins/plugin_comp_file_sharing.py Tue Jun 09 06:21:23 2020 +0200 @@ -36,7 +36,7 @@ from sat.tools import stream from twisted.internet import defer, reactor from twisted.words.protocols.jabber import error -from twisted.web import server, resource, static +from twisted.web import server, resource, static, http from wokkel import pubsub from wokkel import generic @@ -85,13 +85,13 @@ def errorPage(self, request, code): request.setResponseCode(code) - if code == 400: + if code == http.BAD_REQUEST: brief = 'Bad Request' details = "Your request is invalid" - elif code == 403: + elif code == http.FORBIDDEN: brief = 'Forbidden' details = "You're not allowed to use this resource" - elif code == 404: + elif code == http.NOT_FOUND: brief = 'Not Found' details = "No resource found at this URL" else: 
@@ -113,11 +113,22 @@ else: return 'attachment' + def render(self, request): + request.setHeader("Access-Control-Allow-Origin", "*") + request.setHeader("Access-Control-Allow-Methods", "OPTIONS, HEAD, GET, PUT") + request.setHeader("Access-Control-Allow-Headers", "Content-Type, Xmpp-File-Path, Xmpp-File-No-Http") + request.setHeader("Access-Control-Allow-Credentials", "true") + return super().render(request) + + def render_OPTIONS(self, request): + request.setResponseCode(http.OK) + return b"" + def render_GET(self, request): try: request.upload_data except exceptions.DataError: - return self.errorPage(request, 404) + return self.errorPage(request, http.NOT_FOUND) defer.ensureDeferred(self.renderGet(request)) return server.NOT_DONE_YET @@ -126,13 +137,13 @@ try: upload_id, filename = request.upload_data except exceptions.DataError: - request.write(self.errorPage(request, 403)) + request.write(self.errorPage(request, http.FORBIDDEN)) request.finish() return found_files = await request.file_sharing.host.memory.getFiles( client=None, peer_jid=None, perms_to_check=None, public_id=upload_id) if not found_files: - request.write(self.errorPage(request, 404)) + request.write(self.errorPage(request, http.NOT_FOUND)) request.finish() return if len(found_files) > 1: @@ -151,6 +162,11 @@ 'Content-Disposition', f"{disp_type}; filename*=UTF-8''{quote(found_file['name'])}" ) + # cf. https://xmpp.org/extensions/xep-0363.html#server + request.setHeader( + 'Content-Security-Policy', + "default-src 'none'; frame-ancestors 'none';" + ) ret = file_res.render(request) if ret != server.NOT_DONE_YET: # HEAD returns directly the result (while GET use a produced) @@ -166,7 +182,7 @@ client, upload_request = request.upload_request_data upload_id, filename = request.upload_data except AttributeError: - request.write(self.errorPage(request, 400)) + request.write(self.errorPage(request, http.BAD_REQUEST)) request.finish() return 
@@ -188,7 +204,7 @@ public_id=upload_id, ) - request.setResponseCode(201) + request.setResponseCode(http.CREATED) request.finish()
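Review bot: in the new `render()` (hunk `@@ -113,11 +113,22 @@`), `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true` is a pairing browsers reject: when credentials are allowed the origin must be an explicit value, so any credentialed cross-origin request will fail while every anonymous origin gets a blanket wildcard. Either drop the `Access-Control-Allow-Credentials` line if this endpoint never relies on cookies or HTTP auth, or replace the wildcard by echoing the request's `Origin` only after checking it against a configured allow-list. Since `render()` runs before method dispatch, the same headers also land on the `render_OPTIONS` preflight answer, which is the intended place for them; consider adding `Access-Control-Max-Age` there so clients do not re-issue a preflight for every PUT.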
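Review bot: the `Content-Security-Policy` header added in hunk `@@ -151,6 +162,11 @@` is set only inside `renderGet`, immediately before `file_res.render(request)`, so the responses produced by `errorPage` (the 403 and 404 branches earlier in that same method, and the 400 in the PUT path) go out without it. The CORS headers are already centralised in `render()`; setting `Content-Security-Policy` there as well would cover every response uniformly, and `X-Content-Type-Options: nosniff` would be a natural companion next to the `Content-Disposition` attachment header for user-uploaded content. Please also mention the XEP-0363 reference in the commit message, since it explains why the policy is `default-src 'none'; frame-ancestors 'none'`.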