Fix resource loading with origin only referer

shortcutme 2019-03-27 03:01:39 +01:00
parent 5ab20317d0
commit 350adeb52d
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE


@ -246,7 +246,13 @@ class UiRequest(object):
headers["Connection"] = "Keep-Alive" headers["Connection"] = "Keep-Alive"
headers["Keep-Alive"] = "max=25, timeout=30" headers["Keep-Alive"] = "max=25, timeout=30"
headers["X-Frame-Options"] = "SAMEORIGIN" headers["X-Frame-Options"] = "SAMEORIGIN"
if content_type != "text/html" and self.env.get("HTTP_REFERER") and self.isSameOrigin(self.getReferer(), self.getRequestUrl()): is_referer_allowed = False
if self.env.get("HTTP_REFERER"):
if self.isSameOrigin(self.getReferer(), self.getRequestUrl()):
is_referer_allowed = True
elif self.getReferer() == "%s://%s/" % (self.env["wsgi.url_scheme"], self.env["HTTP_HOST"]): # Origin-only referer
is_referer_allowed = True
if content_type != "text/html" and is_referer_allowed:
headers["Access-Control-Allow-Origin"] = "*" # Allow load font files from css headers["Access-Control-Allow-Origin"] = "*" # Allow load font files from css
if noscript: if noscript:
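Review bot: The new `elif` branch accepts a Referer that is only scheme and host, so the check no longer depends on which page sent the request. If `isSameOrigin` (not visible in this hunk) compares anything beyond scheme and host, every page served from this host that sends an origin-only referrer now passes and receives `Access-Control-Allow-Origin: *`. That trade-off deserves a comment on the branch, for example `# Origin-only referer has no path: this matches any page on this host, not just the requesting site`. Separately, `self.env["HTTP_HOST"]` raises `KeyError` for a request that carries a Referer but no Host header; `self.env.get("HTTP_HOST")` would make the comparison fail closed instead. The enclosing method starts and ends outside the hunk.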