

Merge pull request #42 from cmason3/dev
Dev
cmason3 authored Jun 20, 2024
2 parents bd46f1a + 6ddd42d commit feb802c
Showing 2 changed files with 14 additions and 5 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,8 @@
## CHANGELOG

### [24.6.2] - Jun 20, 2024
- The ETag hash is now across all additional headers including `Content-Type` and `Content-Security-Policy` as well as the content itself

### [24.6.1] - Jun 20, 2024
- Updated `Content-Security-Policy` to explicitly allow `data:` scheme for `img-src` as `*` doesn't permit it

Expand Down Expand Up @@ -312,6 +315,7 @@
### 21.11.0 - Nov 29, 2021
- Initial release

[24.6.2]: https://github.com/cmason3/jinjafx_server/compare/24.6.1...24.6.2
[24.6.1]: https://github.com/cmason3/jinjafx_server/compare/24.6.0...24.6.1
[24.6.0]: https://github.com/cmason3/jinjafx_server/compare/24.5.0...24.6.0
[24.5.0]: https://github.com/cmason3/jinjafx_server/compare/24.3.0...24.5.0
15 changes: 10 additions & 5 deletions jinjafx_server.py
Expand Up @@ -28,7 +28,7 @@
import re, argparse, hashlib, traceback, glob, hmac, uuid, struct, binascii, gzip, requests, ctypes, subprocess
import cmarkgfm, emoji

__version__ = '24.6.1'
__version__ = '24.6.2'

llock = threading.RLock()
rlock = threading.RLock()
Expand Down Expand Up @@ -390,7 +390,13 @@ def do_GET(self, head=False, cache=True, versioned=False):
else:
r = [ 'text/plain', 404, '404 Not Found\r\n'.encode('utf-8'), sys._getframe().f_lineno ]

etag = '"' + hashlib.sha256(r[2]).hexdigest() + '"'
headers = {
'X-Content-Type-Options': 'nosniff',
'Content-Security-Policy': "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; script-src 'self' https://cdnjs.cloudflare.com; img-src data: *; frame-ancestors 'none'",
'Referrer-Policy': 'strict-origin-when-cross-origin'
}
etag = '"' + hashlib.sha224(repr(headers).encode('utf-8') + b'|' + r[0].encode('utf-8') + b'; ' + r[2]).hexdigest() + '"'

if 'If-None-Match' in self.headers:
if self.headers['If-None-Match'] == etag:
head = True
Expand All @@ -415,9 +421,8 @@ def do_GET(self, head=False, cache=True, versioned=False):

elif r[1] == 200 or r[1] == 304:
if r[1] == 200:
self.send_header('X-Content-Type-Options', 'nosniff')
self.send_header('Content-Security-Policy', "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; script-src 'self' https://cdnjs.cloudflare.com; img-src data: *; frame-ancestors 'none'")
self.send_header('Referrer-Policy', 'strict-origin-when-cross-origin')
for h in headers:
self.send_header(h, headers[h])

self.send_header('Cache-Control', 'max-age=0, must-revalidate')
self.send_header('ETag', etag)
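Review bot: The new local `headers` in do_GET sits a few lines above `self.headers` (the request headers, read for `If-None-Match`), so the two names are easy to confuse, and the dict is rebuilt on every GET only to be hashed and re-sent. I would hoist it to a module-level constant such as `SECURITY_HEADERS` next to `__version__` and reference it in both places: `etag = '"' + hashlib.sha224(repr(SECURITY_HEADERS).encode('utf-8') + b'|' + r[0].encode('utf-8') + b'; ' + r[2]).hexdigest() + '"'` and `for h, v in SECURITY_HEADERS.items(): self.send_header(h, v)`, which also keeps the hashed set and the sent set from drifting apart. A comment above the constant should record why the ETag covers these headers, e.g. `# Hashed into the ETag: a header change must invalidate cached 200s, since 304 responses below never carry these headers`. Separately, `default-src` does not govern `base-uri` or `form-action`, so if the policy is being touched anyway, `base-uri 'self'` is worth adding — this is pre-existing rather than introduced here. do_GET starts and ends outside the hunk.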
