oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Never allow cross-origin file request

Browse source
This commit is contained in:
shortcutme 2017-07-06 00:08:32 +02:00
parent f30b2b6fc2
commit 2a161f4421
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
1 changed files with 0 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/Ui/UiRequest.py
View file

@ -170,8 +170,6 @@ class UiRequest(object):
headers.append(("Version", "HTTP/1.1")) headers.append(("Version", "HTTP/1.1"))
headers.append(("Connection", "Keep-Alive")) headers.append(("Connection", "Keep-Alive"))
headers.append(("Keep-Alive", "max=25, timeout=30")) headers.append(("Keep-Alive", "max=25, timeout=30"))
if content_type != "text/html":
headers.append(("Access-Control-Allow-Origin", "*")) # Allow json access on non-html files
headers.append(("X-Frame-Options", "SAMEORIGIN")) headers.append(("X-Frame-Options", "SAMEORIGIN"))
# headers.append(("Content-Security-Policy", "default-src 'self' data: 'unsafe-inline' ws://127.0.0.1:* http://127.0.0.1:* wss://tracker.webtorrent.io; sandbox allow-same-origin allow-top-navigation allow-scripts")) # Only local connections # headers.append(("Content-Security-Policy", "default-src 'self' data: 'unsafe-inline' ws://127.0.0.1:* http://127.0.0.1:* wss://tracker.webtorrent.io; sandbox allow-same-origin allow-top-navigation allow-scripts")) # Only local connections
if self.env["REQUEST_METHOD"] == "OPTIONS": if self.env["REQUEST_METHOD"] == "OPTIONS":