Rev841, Allow ajax access only on json data, Better json request detect for wrapper

This commit is contained in:
HelloZeroNet 2016-01-12 21:52:24 +01:00
parent e296ee7ebb
commit 6427709dec
2 changed files with 6 additions and 5 deletions


@ -8,7 +8,7 @@ class Config(object):
def __init__(self, argv):
self.version = "0.3.5"
self.rev = 839
self.rev = 841
self.argv = argv
self.action = None
self.createParser()


@ -133,19 +133,20 @@ class UiRequest(object):
# Send response headers
def sendHeader(self, status=200, content_type="text/html", extra_headers=[]):
if content_type == "text/html":
content_type = "text/html; charset=utf-8"
headers = []
headers.append(("Version", "HTTP/1.1"))
headers.append(("Connection", "Keep-Alive"))
headers.append(("Keep-Alive", "max=25, timeout=30"))
headers.append(("Access-Control-Allow-Origin", "*")) # Allow json access
if content_type == "application/json":
headers.append(("Access-Control-Allow-Origin", "*")) # Allow json access only on json content
# headers.append(("Content-Security-Policy", "default-src 'self' data: 'unsafe-inline' ws://127.0.0.1:* http://127.0.0.1:* wss://tracker.webtorrent.io; sandbox allow-same-origin allow-top-navigation allow-scripts")) # Only local connections
if self.env["REQUEST_METHOD"] == "OPTIONS":
# Allow json access
headers.append(("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Cookie"))
headers.append(("Access-Control-Allow-Credentials", "true"))
if content_type == "text/html":
content_type = "text/html; charset=utf-8"
cacheable_type = (
content_type == "text/css" or content_type.startswith("image") or content_type.startswith("video") or
self.env["REQUEST_METHOD"] == "OPTIONS" or content_type == "application/javascript"
@ -186,7 +187,7 @@ class UiRequest(object):
inner_path = match.group("inner_path").lstrip("/")
if "." in inner_path and not inner_path.endswith(".html"):
return self.actionSiteMedia("/media" + path) # Only serve html files with frame
if self.env.get("HTTP_X_REQUESTED_WITH"):
if self.env.get("HTTP_X_REQUESTED_WITH") or self.env.get("HTTP_ORIGIN"):
return self.error403("Ajax request not allowed to load wrapper") # No ajax allowed on wrapper
site = SiteManager.site_manager.get(address)
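Review bot: After this change the `OPTIONS` branch at `if self.env["REQUEST_METHOD"] == "OPTIONS":` still emits `Access-Control-Allow-Headers` and `Access-Control-Allow-Credentials: true`, but `Access-Control-Allow-Origin` is now only appended when `content_type == "application/json"`, so a preflight response sent with any other content type carries no Allow-Origin header and browsers will fail the preflight — worth confirming that the OPTIONS handler reaches `sendHeader` with `content_type="application/json"`, or moving the Allow-Origin append into the OPTIONS branch as well. Independently, browsers do not honour `Access-Control-Allow-Credentials: true` when Allow-Origin is the wildcard `*`, so that header currently grants nothing; if anonymous cross-origin JSON access is the intent, a comment such as `# Wildcard origin: browsers ignore Allow-Credentials here, so cookies never travel cross-origin` would make the restriction explicit, otherwise the header can be dropped. The mutable default `extra_headers=[]` in the signature is also worth changing to `extra_headers=None` with a guard in the body, in case the body ever appends to it. `sendHeader`'s body continues past the end of the hunk.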