Mirrors/open-webui
1
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2025-12-16 03:47:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6761 from diegmonti/feat/permissions-policy

Browse Source 
feat: Add permissions-policy to security headers
This commit is contained in:
Timothy Jaeryang Baek
2024-11-09 00:30:48 -08:00
committed by GitHub
parent aa80df1431 b1805380dc
commit 2fdbab6640
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
backend/open_webui/utils/security_headers.py
View File

@@ -20,6 +20,7 @@ def set_security_headers() -> Dict[str, str]:
This function reads specific environment variables and uses their values This function reads specific environment variables and uses their values
to set corresponding security headers. The headers that can be set are: to set corresponding security headers. The headers that can be set are:
- cache-control - cache-control
- permissions-policy
- strict-transport-security - strict-transport-security
- referrer-policy - referrer-policy
- x-content-type-options - x-content-type-options
@@ -38,6 +39,7 @@ def set_security_headers() -> Dict[str, str]:
header_setters = { header_setters = {
"CACHE_CONTROL": set_cache_control, "CACHE_CONTROL": set_cache_control,
"HSTS": set_hsts, "HSTS": set_hsts,
"PERMISSIONS_POLICY": set_permissions_policy,
"REFERRER_POLICY": set_referrer, "REFERRER_POLICY": set_referrer,
"XCONTENT_TYPE": set_xcontent_type, "XCONTENT_TYPE": set_xcontent_type,
"XDOWNLOAD_OPTIONS": set_xdownload_options, "XDOWNLOAD_OPTIONS": set_xdownload_options,
@@ -73,6 +75,15 @@ def set_xframe(value: str):
return {"X-Frame-Options": value} return {"X-Frame-Options": value}
# Set Permissions-Policy response header
def set_permissions_policy(value: str):
pattern = r"^(?:(accelerometer|autoplay|camera|clipboard-read|clipboard-write|fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking)=\((self)?\),?)*$"
match = re.match(pattern, value, re.IGNORECASE)
if not match:
value = "none"
return {"Permissions-Policy": value}
# Set Referrer-Policy response header # Set Referrer-Policy response header
def set_referrer(value: str): def set_referrer(value: str):
pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$" pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"