Chromium Code Reviews
Side by Side Diff: appengine/isolate/handlers_frontend.py

Issue 2681293003: Fix iframe security policy directives for viewing isolate content (Closed)
Patch Set: Fix iframe security policy directive with child-src (use 'self') Created 3 years, 10 months ago
1 # Copyright 2012 The LUCI Authors. All rights reserved. 1 # Copyright 2012 The LUCI Authors. All rights reserved.
2 # Use of this source code is governed under the Apache License, Version 2.0 2 # Use of this source code is governed under the Apache License, Version 2.0
3 # that can be found in the LICENSE file. 3 # that can be found in the LICENSE file.
4 4
5 """This module defines Isolate Server frontend url handlers.""" 5 """This module defines Isolate Server frontend url handlers."""
6 6
7 import cgi 7 import cgi
8 import datetime 8 import datetime
9 import json 9 import json
10 import logging 10 import logging
(...skipping 187 matching lines...)
198 # Check for existence of element, so we can 400/404 198 # Check for existence of element, so we can 400/404
199 if digest and namespace: 199 if digest and namespace:
200 try: 200 try:
201 model.get_content(namespace, digest) 201 model.get_content(namespace, digest)
202 except ValueError: 202 except ValueError:
203 self.abort(400, 'Invalid key') 203 self.abort(400, 'Invalid key')
204 except LookupError: 204 except LookupError:
205 self.abort(404, 'Unable to retrieve the entry') 205 self.abort(404, 'Unable to retrieve the entry')
206 self.response.write(template.render('isolate/browse.html', params)) 206 self.response.write(template.render('isolate/browse.html', params))
207 207
208 def get_content_security_policy(self):
209 csp = super(BrowseHandler, self).get_content_security_policy()
210 csp.setdefault('child-src', []).append("'self'")
211 return csp
212
208 213
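Review bot: `csp.setdefault('child-src', []).append("'self'")` mutates the dict returned by the base class's get_content_security_policy(); if that method hands back a shared or module-level dict rather than a fresh copy per call, every request to /browse appends another 'self' to the list. Worth confirming in components/auth/handler.py (also in this CL), or copying the dict before mutating it. Separately, child-src is deprecated in CSP Level 3 in favour of frame-src (for iframes) and worker-src; CSP3 engines fall back frame-src, then child-src, then default-src, so this works for them, but an engine that only knows CSP 1.0 frame-src ignores child-src and will block the frame. Consider emitting frame-src 'self' alongside child-src 'self'.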
209 class ContentHandler(auth.AuthenticatingHandler): 214 class ContentHandler(auth.AuthenticatingHandler):
210 @auth.autologin 215 @auth.autologin
211 @auth.require(acl.isolate_readable) 216 @auth.require(acl.isolate_readable)
212 def get(self): 217 def get(self):
213 namespace = self.request.get('namespace', 'default-gzip') 218 namespace = self.request.get('namespace', 'default-gzip')
214 digest = self.request.get('digest', '') 219 digest = self.request.get('digest', '')
215 content = None 220 content = None
216 221
217 if digest and namespace: 222 if digest and namespace:
(...skipping 55 matching lines...)
273 content = re.sub(r'([0-9a-f]{40})', 278 content = re.sub(r'([0-9a-f]{40})',
274 r'<a target="_blank" href="/browse?namespace=%s' % namespace + 279 r'<a target="_blank" href="/browse?namespace=%s' % namespace +
275 r'&digest=\1">\1</a>', 280 r'&digest=\1">\1</a>',
276 content) 281 content)
277 self.response.headers['Content-Type'] = 'text/html; charset=utf-8' 282 self.response.headers['Content-Type'] = 'text/html; charset=utf-8'
278 except ValueError: 283 except ValueError:
279 pass 284 pass
280 285
281 self.response.write(content) 286 self.response.write(content)
282 287
283
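Review bot: the re.sub wraps every 40-hex-digit run in a target="_blank" anchor and the result is then served as text/html, which is the document that lands inside the /browse iframe the new child-src 'self' directive permits. Two things to confirm in the 55 skipped lines: that the raw isolate content is HTML-escaped (cgi is imported for this) before the re.sub injects markup, otherwise a stored file can carry its own markup into a same-origin frame; and that the generated anchors get rel="noopener" so the opened /browse page cannot reach back to the opener. Also, `except ValueError: pass` at the end of the block silently drops the failure and leaves `content` as whatever it was before; at minimum log the exception so an entry that fails to decode is visible in the request log.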
M-A Ruel 2017/02/09 21:37:09 add back, we keep two empty lines between file lev
jonesmi 2017/02/09 21:49:04 Done.
284 class StatsHandler(webapp2.RequestHandler): 288 class StatsHandler(webapp2.RequestHandler):
285 """Returns the statistics web page.""" 289 """Returns the statistics web page."""
286 def get(self): 290 def get(self):
287 """Presents nice recent statistics. 291 """Presents nice recent statistics.
288 292
289 It fetches data from the 'JSON' API. 293 It fetches data from the 'JSON' API.
290 """ 294 """
291 # Preloads the data to save a complete request. 295 # Preloads the data to save a complete request.
292 resolution = self.request.params.get('resolution', 'hours') 296 resolution = self.request.params.get('resolution', 'hours')
293 if resolution not in ('days', 'hours', 'minutes'): 297 if resolution not in ('days', 'hours', 'minutes'):
(...skipping 113 matching lines...)
407 def create_application(debug): 411 def create_application(debug):
408 """Creates the url router. 412 """Creates the url router.
409 413
410 The basic layouts is as follow: 414 The basic layouts is as follow:
411 - /restricted/.* requires being an instance administrator. 415 - /restricted/.* requires being an instance administrator.
412 - /stats/.* has statistics. 416 - /stats/.* has statistics.
413 """ 417 """
414 acl.bootstrap() 418 acl.bootstrap()
415 template.bootstrap() 419 template.bootstrap()
416 return webapp2.WSGIApplication(get_routes(), debug=debug) 420 return webapp2.WSGIApplication(get_routes(), debug=debug)
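Review bot: nit in the docstring at "The basic layouts is as follow": should read "The basic layout is as follows". Since this CL changes the browse and content handlers, which are gated on acl.isolate_readable, it would help to list them in that layout summary next to /restricted and /stats so the ACL expectations for each prefix are in one place.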