middleware: use sec-fetch-dest=document to identify page requests (#84104)
This commit is contained in:
parent
410cb6cc92
commit
200e009b1e
|
@ -47,7 +47,10 @@ class PassiveAuthenticationMiddleware(MiddlewareMixin):
|
|||
if request.headers.get('x-requested-with') == 'XMLHttpRequest':
|
||||
return
|
||||
sec_fetch_mode = request.headers.get('sec-fetch-mode')
|
||||
if sec_fetch_mode and sec_fetch_mode != 'navigate':
|
||||
if sec_fetch_mode and sec_fetch_mode not in ('navigate', 'same-origin'):
|
||||
return
|
||||
sec_fetch_dest = request.headers.get('sec-fetch-dest')
|
||||
if sec_fetch_dest and sec_fetch_dest not in ('document', 'empty'):
|
||||
return
|
||||
# Skip AJAX and media/script requests, unless mellon_no_passive is False on the view
|
||||
if getattr(view_func, 'mellon_no_passive', True) and 'text/html' not in request.headers.get(
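Review bot: The two new header checks carry no explanation of the policy they encode, while the comment that survives on the next line (`# Skip AJAX and media/script requests ...`) still describes only the Accept-based check below it, so a reader cannot tell why `same-origin` and `empty` are let through or what happens when the headers are absent. I would add above the `sec_fetch_mode` line a comment such as `# Sec-Fetch-* are only sent by supporting browsers; when absent we fall through to the Accept check. 'navigate'+'document' is a page load; 'same-origin'+'empty' (same-origin fetch/XHR with Accept: text/html) is deliberately still allowed to trigger passive auth.` The behaviour for framed pages also looks worth confirming: a navigation inside an iframe is sent with `Sec-Fetch-Dest: iframe`, which this check now rejects, so passive authentication would no longer be attempted for such loads if that was relied on. The enclosing method starts before the hunk and its body continues past the cut `if getattr(...)` line.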
|
||||
|
|
|
@ -775,13 +775,27 @@ def test_passive_auth_middleware_ajax_x_requested_with(db, app, idp, caplog, set
|
|||
assert 'MELLON_PASSIVE_TRIED' not in app.cookies
|
||||
|
||||
|
||||
def test_passive_auth_middleware_ajax_sec_fetch_mode(db, app, idp, caplog, settings):
|
||||
def test_passive_auth_middleware_ajax_via_sec_fetch(db, app, idp, caplog, settings):
|
||||
settings.MELLON_OPENED_SESSION_COOKIE_NAME = 'IDP_SESSION'
|
||||
assert 'MELLON_PASSIVE_TRIED' not in app.cookies
|
||||
# webtest-lint is against unicode
|
||||
app.set_cookie('IDP_SESSION', '1234')
|
||||
response = app.get('/', headers={'Accept': 'text/html', 'Sec-Fetch-Mode': 'cors'}, status=200)
|
||||
response = app.get(
|
||||
'/',
|
||||
headers={'Accept': 'text/html', 'Sec-Fetch-Dest': 'script', 'Sec-Fetch-Mode': 'same-origin'},
|
||||
status=200,
|
||||
)
|
||||
assert 'MELLON_PASSIVE_TRIED' not in app.cookies
|
||||
response = app.get(
|
||||
'/', headers={'Accept': 'text/html', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors'}, status=200
|
||||
)
|
||||
assert 'MELLON_PASSIVE_TRIED' not in app.cookies
|
||||
response = app.get(
|
||||
'/',
|
||||
headers={'Accept': 'text/html', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'same-origin'},
|
||||
status=302,
|
||||
)
|
||||
assert 'MELLON_PASSIVE_TRIED' in app.cookies
|
||||
|
||||
|
||||
def test_sso_user_change(db, app, idp, caplog, sp_settings):
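Review bot: The renamed test only exercises the rejected combinations (`script`/`same-origin`, `empty`/`cors`) and the `empty`/`same-origin` case that still redirects; it never sends the combination the commit title is about, so a regression that dropped `'document'` from the allowed destinations would go unnoticed here unless another test covers it. I would add, before the final assertion, `response = app.get('/', headers={'Accept': 'text/html', 'Sec-Fetch-Dest': 'document', 'Sec-Fetch-Mode': 'navigate'}, status=302)` followed by `assert 'MELLON_PASSIVE_TRIED' in app.cookies`, and a request carrying `Sec-Fetch-Mode: navigate` with no `Sec-Fetch-Dest` to pin the absent-header path. As a point of style, each `response = app.get(...)` binding is never read; `app.get(...)` alone, relying on the `status=` argument, would be clearer. The hunk also shows the `def test_sso_user_change` header only; that function's body lies outside the hunk.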
|
||||
|
|