
Added handling for missing flask-wtf dependency

Added CSRF protection (via flask-wtf)
Moved upload function to js file
Fixed error page in case of csrf failure
This commit is contained in:
Ozzie Isaacs
2021-10-04 17:50:32 +02:00
parent 5edde53fed
commit 50919d4721
25 changed files with 92 additions and 38 deletions


@@ -84,14 +84,13 @@ except ImportError:
@app.after_request
def add_security_headers(resp):
resp.headers['Content-Security-Policy'] = "default-src 'self' 'unsafe-inline' 'unsafe-eval';"
resp.headers['Content-Security-Policy'] = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:"
if request.endpoint == "editbook.edit_book":
resp.headers['Content-Security-Policy'] += "img-src * data:"
resp.headers['Content-Security-Policy'] += " *"
resp.headers['X-Content-Type-Options'] = 'nosniff'
resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
resp.headers['X-XSS-Protection'] = '1; mode=block'
resp.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
# log.debug(request.full_path)
return resp
web = Blueprint('web', __name__)