Merge pull request #6761 from diegmonti/feat/permissions-policy

feat: Add permissions-policy to security headers
Timothy Jaeryang Baek 2024-11-09 00:30:48 -08:00 committed by GitHub
commit 2fdbab6640
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -20,6 +20,7 @@ def set_security_headers() -> Dict[str, str]:
This function reads specific environment variables and uses their values
to set corresponding security headers. The headers that can be set are:
- cache-control
- permissions-policy
- strict-transport-security
- referrer-policy
- x-content-type-options
@ -38,6 +39,7 @@ def set_security_headers() -> Dict[str, str]:
header_setters = {
"CACHE_CONTROL": set_cache_control,
"HSTS": set_hsts,
"PERMISSIONS_POLICY": set_permissions_policy,
"REFERRER_POLICY": set_referrer,
"XCONTENT_TYPE": set_xcontent_type,
"XDOWNLOAD_OPTIONS": set_xdownload_options,
@ -73,6 +75,15 @@ def set_xframe(value: str):
return {"X-Frame-Options": value}
# Set Permissions-Policy response header
def set_permissions_policy(value: str):
pattern = r"^(?:(accelerometer|autoplay|camera|clipboard-read|clipboard-write|fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking)=\((self)?\),?)*$"
match = re.match(pattern, value, re.IGNORECASE)
if not match:
value = "none"
return {"Permissions-Policy": value}
# Set Referrer-Policy response header
def set_referrer(value: str):
pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"
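Review bot: the fallback `value = "none"` in set_permissions_policy emits a header that is not valid Permissions-Policy syntax (the header is a structured-field dictionary such as `camera=(), microphone=()`, and a bare token like `none` is ignored by browsers), so a misconfigured value silently produces no protection; either omit the header when validation fails or fall back to an explicit deny list such as `camera=(), microphone=(), geolocation=()`, and log a warning so the operator notices. The regex also has edge cases worth tightening: `^(?:...,?)*$` accepts the empty string, a trailing comma (`camera=(),`) and directives joined without a comma (`camera=()microphone=()`), while it rejects the conventional separator with a space (`camera=(), microphone=()`), which will push ordinary configurations into the fallback path; `re.IGNORECASE` is unnecessary since the directive names are lowercase tokens, and `$` should be `\Z` to avoid accepting a trailing newline.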