Home Explore Help
Register Sign In
OpenSource
/
open-webui
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge pull request #6761 from diegmonti/feat/permissions-policy

feat: Add permissions-policy to security headers
Timothy Jaeryang Baek 6 months ago
parent
aa80df1431 b1805380dc
commit
2fdbab6640
1 changed files with 11 additions and 0 deletions
Unified View Show Diff Stats
  1. 11 0
      backend/open_webui/utils/security_headers.py

+ 11 - 0
backend/open_webui/utils/security_headers.py
View File 

@@ -20,6 +20,7 @@ def set_security_headers() -> Dict[str, str]:
 
     This function reads specific environment variables and uses their values
 
     This function reads specific environment variables and uses their values
 
     to set corresponding security headers. The headers that can be set are:
 
     to set corresponding security headers. The headers that can be set are:
 
     - cache-control
 
     - cache-control
 
+    - permissions-policy
 
     - strict-transport-security
 
     - strict-transport-security
 
     - referrer-policy
 
     - referrer-policy
 
     - x-content-type-options
 
     - x-content-type-options
 
@@ -38,6 +39,7 @@ def set_security_headers() -> Dict[str, str]:
 
     header_setters = {
 
     header_setters = {
 
         "CACHE_CONTROL": set_cache_control,
 
         "CACHE_CONTROL": set_cache_control,
 
         "HSTS": set_hsts,
 
         "HSTS": set_hsts,
 
+        "PERMISSIONS_POLICY": set_permissions_policy,
 
         "REFERRER_POLICY": set_referrer,
 
         "REFERRER_POLICY": set_referrer,
 
         "XCONTENT_TYPE": set_xcontent_type,
 
         "XCONTENT_TYPE": set_xcontent_type,
 
         "XDOWNLOAD_OPTIONS": set_xdownload_options,
 
         "XDOWNLOAD_OPTIONS": set_xdownload_options,
 
@@ -73,6 +75,15 @@ def set_xframe(value: str):
 
     return {"X-Frame-Options": value}
 
     return {"X-Frame-Options": value}
 
 
 
 
 
+# Set Permissions-Policy response header
 
+def set_permissions_policy(value: str):
 
+    pattern = r"^(?:(accelerometer|autoplay|camera|clipboard-read|clipboard-write|fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking)=\((self)?\),?)*$"
 
+    match = re.match(pattern, value, re.IGNORECASE)
 
+    if not match:
 
+        value = "none"
 
+    return {"Permissions-Policy": value}
 
+
 
+
 
 # Set Referrer-Policy response header
 
 # Set Referrer-Policy response header
 
 def set_referrer(value: str):
 
 def set_referrer(value: str):
 
     pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"
 
     pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"