Mailing-List: contact allura-commits-help@incubator.apache.org; run by ezmlm
Reply-To: allura-dev@incubator.apache.org
Delivered-To: mailing list allura-commits@incubator.apache.org
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: johnsca@apache.org
To: allura-commits@incubator.apache.org
X-Mailer: ASF-Git Admin Mailer
Subject: [3/3] git commit: [#4571] only apply set-cookie for csrf protection when serving html pages
Message-Id: <20121009205305.A07B53CDE6@tyr.zones.apache.org>
Date: Tue, 9 Oct 2012 20:53:05 +0000 (UTC)

[#4571] only apply set-cookie for csrf protection when serving html pages

Only HTML content needs this cookie, since it's used via JS on web forms to prevent CSRF. Removing it from all other content (e.g. icons, attachments) makes those responses more cacheable.

Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/2074e912
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/2074e912
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/2074e912

Branch: refs/heads/master
Commit: 2074e912da8c1f5d6571d3dd429033803eca436f
Parents: f5556c1
Author: Dave Brondsema
Authored: Tue Oct 9 19:13:38 2012 +0000
Committer: Dave Brondsema
Committed: Tue Oct 9 19:13:38 2012 +0000

----------------------------------------------------------------------
 Allura/allura/lib/custom_middleware.py | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/2074e912/Allura/allura/lib/custom_middleware.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 65d1926..6075653 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -108,9 +108,10 @@ class CSRFMiddleware(object): log.warning('CSRF attempt detected, %r != %r', cookie, param) environ.pop('HTTP_COOKIE', None) def session_start_response(status, headers, exc_info = None): - headers.append( - ('Set-cookie', - str('%s=%s; Path=/' % (self._cookie_name, cookie)))) + if dict(headers).get('Content-Type', '').startswith('text/html'): + headers.append( + ('Set-cookie', + str('%s=%s; Path=/' % (self._cookie_name, cookie)))) return start_response(status, headers, exc_info) return self._app(environ, session_start_response)
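Review bot: the new `dict(headers).get('Content-Type', '')` lookup in `session_start_response` is case-sensitive, but HTTP header names are not, so any downstream app or controller that emits `content-type: text/html` (or `Content-type`) would silently stop receiving the CSRF cookie, and its forms would then trip the `cookie != param` warning path above on the next POST. Suggest matching the header name case-insensitively, e.g. `ctype = next((v for k, v in headers if k.lower() == 'content-type'), '')` followed by `if ctype.startswith('text/html'):`; `dict(headers)` also keeps only the last value when a name repeats, which the generator form avoids. A one-line comment stating why only HTML responses get the cookie (the cacheability rationale from the commit message) would help the next reader, since nothing in the code explains the condition.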