forked from forks/microblog.pub
Tweak design and try to prevent CSRF issues
parent
7bb417759e
commit
68c13b275d
4 changed files with 32 additions and 1 deletions
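--- a/app/main.py
+++ b/app/main.py
@@ -122,6 +122,17 @@ async def add_security_headers(request: Request, call_next):
 response.headers["x-content-type-options"] = "nosniff"
 response.headers["x-xss-protection"] = "1; mode=block"
 response.headers["x-frame-options"] = "SAMEORIGIN"
+if request.url.path.startswith("/admin/login") or (
+is_current_user_admin(request)
+and not (
+request.url.path.startswith("/attachments")
+or request.url.path.startswith("/proxy")
+or request.url.path.startswith("/static")
+)
+):
+# Prevent caching (to prevent caching CSRF tokens)
+response.headers["Cache-Control"] = "private"
+
 # TODO(ts): disallow inline CSS?
 if DEBUG:
 return response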
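Review bot: `Cache-Control: private` on the new `response.headers["Cache-Control"] = "private"` line only stops shared caches (CDN, reverse proxy) from storing the response; the browser's own cache may still keep the page and serve it from history or disk, so a stale CSRF token can be replayed from cache and a token-bearing admin page can remain on disk on a shared machine. If the comment's intent is to never cache responses that embed CSRF tokens, `response.headers["Cache-Control"] = "private, no-store"` covers both the shared and the local cache. Two smaller points: `request.url.path.startswith("/admin/login")` also matches any longer path sharing that prefix, and the new header key is spelled `Cache-Control` while the neighbouring keys are lowercase, which is style only since HTTP header names are case-insensitive. `is_current_user_admin(request)` presumably means the request carries a valid admin session; I am inferring that from the name, not from the hunk. `add_security_headers` begins and ends outside the hunk.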
@ -165,6 +165,7 @@
|
||||||
{% if metadata.is_following %}
|
{% if metadata.is_following %}
|
||||||
<li>already following</li>
|
<li>already following</li>
|
||||||
<li>{{ admin_undo_button(metadata.outbox_follow_ap_id, "unfollow")}}</li>
|
<li>{{ admin_undo_button(metadata.outbox_follow_ap_id, "unfollow")}}</li>
|
||||||
|
<li>{{ admin_profile_button(actor.ap_id) }}</li>
|
||||||
{% elif metadata.is_follow_request_sent %}
|
{% elif metadata.is_follow_request_sent %}
|
||||||
<li>follow request sent</li>
|
<li>follow request sent</li>
|
||||||
{% else %}
|
{% else %}
|
||||||
|
@ -172,6 +173,9 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if metadata.is_follower %}
|
{% if metadata.is_follower %}
|
||||||
<li>follows you</li>
|
<li>follows you</li>
|
||||||
|
{% if not metadata.is_following %}
|
||||||
|
<li>{{ admin_profile_button(actor.ap_id) }}</li>
|
||||||
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
17
poetry.lock
generated
17
poetry.lock
generated
|
@ -429,6 +429,17 @@ cli = ["click (>=8.0.0,<9.0.0)", "rich (>=10,<13)", "pygments (>=2.0.0,<3.0.0)"]
|
||||||
http2 = ["h2 (>=3,<5)"]
|
http2 = ["h2 (>=3,<5)"]
|
||||||
socks = ["socksio (>=1.0.0,<2.0.0)"]
|
socks = ["socksio (>=1.0.0,<2.0.0)"]
|
||||||
|
|
||||||
|
[[package]]
|
||||||
|
name = "humanize"
|
||||||
|
version = "4.2.3"
|
||||||
|
description = "Python humanize utilities"
|
||||||
|
category = "main"
|
||||||
|
optional = false
|
||||||
|
python-versions = ">=3.7"
|
||||||
|
|
||||||
|
[package.extras]
|
||||||
|
tests = ["freezegun", "pytest", "pytest-cov"]
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "idna"
|
name = "idna"
|
||||||
version = "3.3"
|
version = "3.3"
|
||||||
|
@ -1151,7 +1162,7 @@ dev = ["pytest (>=4.6.2)", "black (>=19.3b0)"]
|
||||||
[metadata]
|
[metadata]
|
||||||
lock-version = "1.1"
|
lock-version = "1.1"
|
||||||
python-versions = "^3.10"
|
python-versions = "^3.10"
|
||||||
content-hash = "4ea5cf809ffddcabfa9f23de9051538b7c8f7b96c5d79883b469a0e1cff2864b"
|
content-hash = "1192c7c9d7ce2b93f928406f66c6a6797581bdb4928974679f7b8a0a08a1cf9f"
|
||||||
|
|
||||||
[metadata.files]
|
[metadata.files]
|
||||||
aiosqlite = [
|
aiosqlite = [
|
||||||
|
@ -1451,6 +1462,10 @@ httpx = [
|
||||||
{file = "httpx-0.23.0-py3-none-any.whl", hash = "sha256:42974f577483e1e932c3cdc3cd2303e883cbfba17fe228b0f63589764d7b9c4b"},
|
{file = "httpx-0.23.0-py3-none-any.whl", hash = "sha256:42974f577483e1e932c3cdc3cd2303e883cbfba17fe228b0f63589764d7b9c4b"},
|
||||||
{file = "httpx-0.23.0.tar.gz", hash = "sha256:f28eac771ec9eb4866d3fb4ab65abd42d38c424739e80c08d8d20570de60b0ef"},
|
{file = "httpx-0.23.0.tar.gz", hash = "sha256:f28eac771ec9eb4866d3fb4ab65abd42d38c424739e80c08d8d20570de60b0ef"},
|
||||||
]
|
]
|
||||||
|
humanize = [
|
||||||
|
{file = "humanize-4.2.3-py3-none-any.whl", hash = "sha256:bed628920d45cd5018abb095710f0c03a8336d6ac0790e7647c6a328f3880b81"},
|
||||||
|
{file = "humanize-4.2.3.tar.gz", hash = "sha256:2bc1fdd831cd00557d3010abdd84d3e41b4a96703a3eaf6c24ee290b26b75a44"},
|
||||||
|
]
|
||||||
idna = [
|
idna = [
|
||||||
{file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"},
|
{file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"},
|
||||||
{file = "idna-3.3.tar.gz", hash = "sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d"},
|
{file = "idna-3.3.tar.gz", hash = "sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d"},
|
||||||
|
|
|
@ -39,6 +39,7 @@ emoji = "^1.7.0"
|
||||||
PyLD = "^2.0.3"
|
PyLD = "^2.0.3"
|
||||||
aiosqlite = "^0.17.0"
|
aiosqlite = "^0.17.0"
|
||||||
cachetools = "^5.2.0"
|
cachetools = "^5.2.0"
|
||||||
|
humanize = "^4.2.3"
|
||||||
|
|
||||||
[tool.poetry.dev-dependencies]
|
[tool.poetry.dev-dependencies]
|
||||||
black = "^22.3.0"
|
black = "^22.3.0"
|
||||||
|
|