from ipsilon.util.log import Log
from ipsilon.util.user import UserSession
from urllib import unquote
+from functools import wraps
try:
from urlparse import urlparse
except ImportError:
from urllib.parse import urlparse
+def allow_iframe(func):
+ """
+ Remove the X-Frame-Options and CSP frame-options deny headers.
+ """
+ @wraps(func)
+ def wrapper(*args, **kwargs):
+ result = func(*args, **kwargs)
+ for (header, value) in [
+ ('X-Frame-Options', 'deny'),
+ ('Content-Security-Policy', 'frame-options \'deny\'')]:
+ if cherrypy.response.headers.get(header, None) == value:
+ cherrypy.response.headers.pop(header, None)
+ return result
+
+ return wrapper
+
+
class Endpoint(Log):
def __init__(self, site):
self._site = site
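Review bot: `frame-options 'deny'` in the tuple list of `allow_iframe` (and in the `default_headers` entry added further down) is not a directive in the published CSP specification; the framing control there is `frame-ancestors`, so browsers are expected to ignore this header and the protection rests on `X-Frame-Options` alone. The default should read `'Content-Security-Policy': 'frame-ancestors \'none\''`, with the same value in the decorator's tuple. Separately, the wrapper pops both headers outright, which lets any origin frame a decorated endpoint; if the embedding origins are known, replacing the value with a `frame-ancestors` allowlist would be tighter than removing it. The docstring could also say that a header is removed only when its value equals the default exactly, and that nothing is removed when `func` raises, since the loop runs after the call returns.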
self.default_headers = {
'Cache-Control': 'no-cache, no-store, must-revalidate, private',
'Pragma': 'no-cache',
+ 'Content-Security-Policy': 'frame-options \'deny\'',
+ 'X-Frame-Options': 'deny',
}
self.auth_protect = False
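Review bot: The two values added to `default_headers` are repeated as literals in `allow_iframe`, which removes a header only when its value is exactly equal, so an edit to either copy leaves the decorator silently doing nothing. Defining the pairs once at module level (for example a tuple of `(header, value)` pairs under a name of the project's choosing) and using it in both places would keep them in step. A short comment above the entries, `# anti-clickjacking defaults; allow_iframe strips these per handler`, would tell readers why they exist. The rest of `__init__` lies outside this hunk.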
if self.auth_protect and self.user.is_anonymous:
raise cherrypy.HTTPError(401)
- self._debug("method: %s" % cherrypy.request.method)
+ self.debug("method: %s" % cherrypy.request.method)
op = getattr(self, cherrypy.request.method, None)
if callable(op):
# Basic CSRF protection
if cherrypy.request.method != 'GET':
url = self.get_url()
if 'referer' not in cherrypy.request.headers:
- self._debug("Missing referer in %s request to %s"
- % (cherrypy.request.method, url))
+ self.debug("Missing referer in %s request to %s"
+ % (cherrypy.request.method, url))
raise cherrypy.HTTPError(403)
referer = cherrypy.request.headers['referer']
if not self._check_referer(referer, url):
- self._debug("Wrong referer %s in request to %s"
- % (referer, url))
+ self.debug("Wrong referer %s in request to %s"
+ % (referer, url))
raise cherrypy.HTTPError(403)
return op(*args, **kwargs)
else: