
Removed nonsense security check right now...

This commit is contained in:
Adolfo Gómez García 2021-09-07 12:15:44 +02:00
parent 3615db877e
commit 3a69c9205e
2 changed files with 3 additions and 7 deletions


@ -175,6 +175,7 @@ MIDDLEWARE = [
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware',
'uds.core.util.middleware.security.UDSSecurityMiddleware',
'uds.core.util.middleware.request.GlobalRequestMiddleware',
'uds.core.util.middleware.xua.XUACompatibleMiddleware',
'uds.core.util.middleware.redirect.RedirectMiddleware',
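Review bot: The section counts (6 old, 7 new) show exactly one added entry in `MIDDLEWARE` but the rendering does not mark which; if it is the `'uds.core.util.middleware.security.UDSSecurityMiddleware'` line, it is being registered in the same commit that reduces that middleware's `__call__` to a plain pass-through (second file), so the entry costs a call per request and enforces nothing until the TODO there is filled. A one-line comment beside the entry, `# placeholder: UDSSecurityMiddleware performs no checks yet`, would make that visible to anyone auditing this list for what is actually enforced. The `MIDDLEWARE` list starts and ends outside the hunk.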


@ -48,10 +48,5 @@ class UDSSecurityMiddleware:
self.get_response = get_response
def __call__(self, request: 'HttpRequest') -> 'HttpResponse':
# Old browsers does not sends the sec-fetch* headers, count them as fine
# This is just only a layer on the top of the security headers
if request.headers.get('Sec-Fetch-Site', 'none') in ('same-origin', 'same-site', 'none'):
return self.get_response(request)
# If Sec-Fetch-Site header is present, but not allowed (that is, not same origin), return 403
return HttpResponseForbidden('Forbidden Cross Origin request')
# TODO: Implement security checks here
return self.get_response(request)
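Review bot: The rewritten `__call__` (last two lines of the hunk) now returns `self.get_response(request)` unconditionally, so `UDSSecurityMiddleware` rejects nothing while still being named and registered as a security layer, and the bare `# TODO: Implement security checks here` does not state that. I would replace the TODO with a comment that records the current contract, e.g. `# NOTE: pass-through for now; no request is rejected here until the intended checks are implemented`, so that nobody reading the middleware list assumes cross-origin requests are filtered. If `HttpResponseForbidden` was imported only for the removed branch, it is presumably now an unused import; the file header is outside the hunk, so that cannot be confirmed here. The enclosing class continues outside the hunk.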