changeset 3296:da443cf946ad

comp file sharing: CORS: - added CORS headers to allow using the HTTP server from another domain - added `Content-Security-Policy`
author Goffi <goffi@goffi.org>
date Tue, 09 Jun 2020 06:21:23 +0200
parents 9bc3fca290ab
children 91b5ae058c66
files sat/plugins/plugin_comp_file_sharing.py
diffstat 1 files changed, 25 insertions(+), 9 deletions(-) [+]
--- a/sat/plugins/plugin_comp_file_sharing.py	Tue Jun 09 06:16:52 2020 +0200
+++ b/sat/plugins/plugin_comp_file_sharing.py	Tue Jun 09 06:21:23 2020 +0200
@@ -36,7 +36,7 @@
 from sat.tools import stream
 from twisted.internet import defer, reactor
 from twisted.words.protocols.jabber import error
-from twisted.web import server, resource, static
+from twisted.web import server, resource, static, http
 from wokkel import pubsub
 from wokkel import generic
 
@@ -85,13 +85,13 @@
 
     def errorPage(self, request, code):
         request.setResponseCode(code)
-        if code == 400:
+        if code == http.BAD_REQUEST:
             brief = 'Bad Request'
             details = "Your request is invalid"
-        elif code == 403:
+        elif code == http.FORBIDDEN:
             brief = 'Forbidden'
             details = "You're not allowed to use this resource"
-        elif code == 404:
+        elif code == http.NOT_FOUND:
             brief = 'Not Found'
             details = "No resource found at this URL"
         else:
@@ -113,11 +113,22 @@
         else:
             return 'attachment'
 
+    def render(self, request):
+        request.setHeader("Access-Control-Allow-Origin", "*")
+        request.setHeader("Access-Control-Allow-Methods", "OPTIONS, HEAD, GET, PUT")
+        request.setHeader("Access-Control-Allow-Headers", "Content-Type, Xmpp-File-Path, Xmpp-File-No-Http")
+        request.setHeader("Access-Control-Allow-Credentials", "true")
+        return super().render(request)
+
+    def render_OPTIONS(self, request):
+        request.setResponseCode(http.OK)
+        return b""
+
     def render_GET(self, request):
         try:
             request.upload_data
         except exceptions.DataError:
-            return self.errorPage(request, 404)
+            return self.errorPage(request, http.NOT_FOUND)
 
         defer.ensureDeferred(self.renderGet(request))
         return server.NOT_DONE_YET
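Review bot: `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` set together at the top of `render` contradict each other: browsers do not expose a credentialed cross-origin response when the allowed origin is the wildcard, so the credentials header is dead while every origin is still admitted for credential-less requests. Either drop the `request.setHeader("Access-Control-Allow-Credentials", "true")` line if cookies or auth headers are never needed cross-origin, or echo the request's `Origin` header after checking it against an allow-list and add `Vary: Origin` in place of `*`. Since `render` runs before the per-method dispatch in `super().render`, these headers presumably also reach the new `render_OPTIONS` preflight answer; a comment stating that intent, e.g. `# set once here so OPTIONS preflight and every verb share the CORS headers`, would make the two methods easier to read together.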
@@ -126,13 +137,13 @@
         try:
             upload_id, filename = request.upload_data
         except exceptions.DataError:
-            request.write(self.errorPage(request, 403))
+            request.write(self.errorPage(request, http.FORBIDDEN))
             request.finish()
             return
         found_files = await request.file_sharing.host.memory.getFiles(
             client=None, peer_jid=None, perms_to_check=None, public_id=upload_id)
         if not found_files:
-            request.write(self.errorPage(request, 404))
+            request.write(self.errorPage(request, http.NOT_FOUND))
             request.finish()
             return
         if len(found_files) > 1:
@@ -151,6 +162,11 @@
             'Content-Disposition',
             f"{disp_type}; filename*=UTF-8''{quote(found_file['name'])}"
         )
+        # cf. https://xmpp.org/extensions/xep-0363.html#server
+        request.setHeader(
+            'Content-Security-Policy',
+            "default-src 'none'; frame-ancestors 'none';"
+        )
         ret = file_res.render(request)
         if ret != server.NOT_DONE_YET:
             # HEAD returns directly the result (while GET use a produced)
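Review bot: The `Content-Security-Policy` header is only set on the successful GET path here, so the error responses built by `errorPage` (which fill `brief`/`details` and look like HTML pages) and the PUT responses leave without it; setting it once in `render`, next to the CORS headers, would cover every response from this resource. The XEP-0363 link is useful, but the comment should also say what the policy protects against, e.g. `# served content is user-uploaded: forbid scripts and framing so a file cannot run in this origin`. `X-Content-Type-Options: nosniff` is the usual companion so a browser does not reinterpret an uploaded file's declared type. The enclosing `renderGet` starts and ends outside this hunk.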
@@ -166,7 +182,7 @@
             client, upload_request = request.upload_request_data
             upload_id, filename = request.upload_data
         except AttributeError:
-            request.write(self.errorPage(request, 400))
+            request.write(self.errorPage(request, http.BAD_REQUEST))
             request.finish()
             return
 
@@ -188,7 +204,7 @@
             public_id=upload_id,
         )
 
-        request.setResponseCode(201)
+        request.setResponseCode(http.CREATED)
         request.finish()