
Commit 7de55a6

authored
Merge pull request #872 from mendix/DEPS-553_allow_http_headers
DEPS-553 allow cross-origin related http response headers
2 parents eb124fa + 96e5832 commit 7de55a6

2 files changed

+92
-0
lines changed


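--- a/buildpack/core/nginx.py
+++ b/buildpack/core/nginx.py
@@ -23,6 +23,10 @@
 "X-Permitted-Cross-Domain-Policies": r"(?i)(^all$|^none$|^master-only$|^by-content-type$|^by-ftp-filename$)", # noqa: C0301
 "Origin-Trial": r"[a-zA-Z0-9:;/''\"\*_\- \.\n?=%&+]+",
 "X-XSS-Protection": r"(?i)(^0$|^1$|^1; mode=block$|^1; report=https?://([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*(:\d+)?$)", # noqa: C0301
+"Cross-Origin-Resource-Policy": r"(?i)(^same-origin$|^same-site$|^cross-origin$)",
+"Cross-Origin-Opener-Policy": r"(?i)(^unsafe-none$|^same-origin$|^same-origin-allow-popups$|^noopener-allow-popups$)",
+"Cross-Origin-Embedder-Policy": r"(?i)(^unsafe-none$|^require-corp$|^credentialless$)",
+"Clear-Site-Data": r"(?i)(^cache$|^cookies$|^storage$|^executionContexts$|^prefetchCache$|^prerenderCache$)",
 }
 
 CONFIG_FILE = "nginx/conf/nginx.conf"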
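Review bot: The new `Clear-Site-Data` pattern accepts only a single bare directive, while the header as specified carries one or more quoted directives (`"cache", "cookies"`, or the `"*"` wildcard), so a value written in the spec/MDN form is rejected and — judging by the invalid-value tests in this PR — silently dropped rather than reported. If the bare single-directive form is intended, say so in a comment next to the entry; otherwise the pattern could become `"Clear-Site-Data": r'(?i)^"?(cache|cookies|storage|executionContexts|prefetchCache|prerenderCache|\*)"?(\s*,\s*"?(cache|cookies|storage|executionContexts|prefetchCache|prerenderCache|\*)"?)*$',`, which keeps the bare form the new unit test uses and adds the quoted, comma-separated form and the wildcard. Whether the value is matched with `re.match` or `re.fullmatch` is outside this hunk, so the `^`/`$` anchoring per alternative is left as the file's existing convention. Separately, the `Cross-Origin-Opener-Policy` line is well over the length the neighbouring entries suppress with `# noqa: C0301`, so it likely needs the same marker.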

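--- a/tests/unit/test_custom_headers.py
+++ b/tests/unit/test_custom_headers.py
@@ -192,3 +192,91 @@ def test_inValid_header_originTrial(self):
 )
 header_config = nginx._get_http_headers()
 self.assertEqual([], header_config)
+
+def test_valid_header_cross_origin_resource_policy(self):
+os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
+{
+"Cross-Origin-Resource-Policy": "same-origin"
+}
+)
+header_config = nginx._get_http_headers()
+self.assertIn(
+("Cross-Origin-Resource-Policy",
+"same-origin",
+),
+header_config,
+)
+def test_invalid_header_cross_origin_resource_policy(self):
+os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
+{
+"Cross-Origin-Resource-Policy": "#####"
+}
+)
+header_config = nginx._get_http_headers()
+self.assertEqual([], header_config)
+
+def test_valid_header_cross_origin_opener_policy(self):
+os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
+{
+"Cross-Origin-Opener-Policy": "same-origin"
+}
+)
+header_config = nginx._get_http_headers()
+self.assertIn(
+("Cross-Origin-Opener-Policy",
+"same-origin",
+),
+header_config,
+)
+def test_invalid_header_cross_origin_opener_policy(self):
+os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
+{
+"Cross-Origin-Opener-Policy": "&^%$#"
+}
+)
+header_config = nginx._get_http_headers()
+self.assertEqual([], header_config)
+
+def test_valid_header_cross_origin_embedder_policy(self):
+os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
+{
+"Cross-Origin-Embedder-Policy": "require-corp"
+}
+)
+header_config = nginx._get_http_headers()
+self.assertIn(
+("Cross-Origin-Embedder-Policy",
+"require-corp",
+),
+header_config,
+)
+def test_invalid_header_cross_origin_embedder_policy(self):
+os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
+{
+"Cross-Origin-Embedder-Policy": "&^as%$#"
+}
+)
+header_config = nginx._get_http_headers()
+self.assertEqual([], header_config)
+
+def test_valid_header_clear_site_data_policy(self):
+os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
+{
+"Clear-Site-Data": "executionContexts"
+}
+)
+header_config = nginx._get_http_headers()
+self.assertIn(
+("Clear-Site-Data",
+"executionContexts",
+),
+header_config,
+)
+def test_invalid_header_clear_site_data_policy(self):
+os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
+{
+"Clear-Site-Data": "&^as%$#"
+}
+)
+header_config = nginx._get_http_headers()
+self.assertEqual([], header_config)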
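Review bot: The invalid-value tests only prove that punctuation is rejected; none of them checks that a value valid for one of the new headers is refused for another, which is the property a per-header allowlist exists to guarantee. Adding a case such as `"Cross-Origin-Resource-Policy": "same-origin-allow-popups"` (a valid COOP value) followed by `self.assertEqual([], header_config)` would pin that, and a Clear-Site-Data case with the quoted spec form `'"cache", "cookies"'` would document whether multi-directive values are meant to be accepted or dropped. As a style point, the valid/invalid pairs at new lines 208/209, 230/231, 252/253 and 274/275 have no blank line between the methods, unlike the other tests in this hunk. The enclosing test class starts outside the hunk, so whether `HTTP_RESPONSE_HEADERS` is reset between tests cannot be seen here; the new tests follow the same set-and-leave pattern as the existing one at the top of the hunk.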
