add new CSRF_TRUSTED_ORIGINS config option

2024-11-10 06:34:16 +00:00 · 2024-08-22 18:40:47 -07:00 · 2024-08-22 18:40:47 -07:00 · 9c35f3ddb7
commit 9c35f3ddb7
parent 1a03db2b1d
2 changed files with 9 additions and 1 deletions
--- a/archivebox/config.py
+++ b/archivebox/config.py
@ -88,7 +88,8 @@ CONFIG_SCHEMA: Dict[str, ConfigDefaultDict] = {
    'SERVER_CONFIG': {
        'SECRET_KEY':                {'type': str,   'default': None},
        'BIND_ADDR':                 {'type': str,   'default': lambda c: ['127.0.0.1:8000', '0.0.0.0:8000'][c['IN_DOCKER']]},
-        'ALLOWED_HOSTS':             {'type': str,   'default': '*'},
+        'ALLOWED_HOSTS':             {'type': str,   'default': '*'},     # e.g. archivebox.example.com,archivebox2.example.com
+        'CSRF_TRUSTED_ORIGINS':      {'type': str,   'default': ''},      # e.g. https://archivebox.example.com,https://archivebox2.example.com:8080
        'DEBUG':                     {'type': bool,  'default': False},
        'PUBLIC_INDEX':              {'type': bool,  'default': True},
        'PUBLIC_SNAPSHOTS':          {'type': bool,  'default': True},
--- a/archivebox/core/settings.py
+++ b/archivebox/core/settings.py
@ -317,6 +317,13 @@ STORAGES = {
 SECRET_KEY = CONFIG.SECRET_KEY or get_random_string(50, 'abcdefghijklmnopqrstuvwxyz0123456789_')

 ALLOWED_HOSTS = CONFIG.ALLOWED_HOSTS.split(',')
+CSRF_TRUSTED_ORIGINS = CONFIG.CSRF_TRUSTED_ORIGINS.split(',')
+
+# automatically fix case when user sets ALLOWED_HOSTS (e.g. to archivebox.example.com)
+# but forgets to add https://archivebox.example.com to CSRF_TRUSTED_ORIGINS
+if CONFIG.ALLOWED_HOSTS != '*' and (not CSRF_TRUSTED_ORIGINS):
+    for hostname in ALLOWED_HOSTS:
+        CSRF_TRUSTED_ORIGINS.append(f'https://{hostname}')

 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True