mirror of https://gitlab.crans.org/bde/nk20
53 lines
1.7 KiB
Python
53 lines
1.7 KiB
Python
# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
from urllib3.packages.rfc3986 import urlparse
|
|
|
|
try:
|
|
from django.utils.deprecation import MiddlewareMixin
|
|
except ImportError:
|
|
MiddlewareMixin = object
|
|
from django.http import HttpResponseForbidden
|
|
|
|
|
|
def same_origin(current_uri, redirect_uri):
|
|
a = urlparse(current_uri)
|
|
if not a.scheme:
|
|
return True
|
|
b = urlparse(redirect_uri)
|
|
return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)
|
|
|
|
|
|
class TurbolinksMiddleware(MiddlewareMixin):
|
|
|
|
def process_request(self, request):
|
|
referrer = request.META.get('HTTP_X_XHR_REFERER')
|
|
if referrer:
|
|
# overwrite referrer
|
|
request.META['HTTP_REFERER'] = referrer
|
|
return
|
|
|
|
def process_response(self, request, response):
|
|
referrer = request.META.get('HTTP_X_XHR_REFERER')
|
|
if not referrer:
|
|
# turbolinks not enabled
|
|
return response
|
|
|
|
method = request.COOKIES.get('request_method')
|
|
if not method or method != request.method:
|
|
response.set_cookie('request_method', request.method)
|
|
|
|
if response.has_header('Location'):
|
|
# this is a redirect response
|
|
loc = response['Location']
|
|
request.session['_turbolinks_redirect_to'] = loc
|
|
|
|
# cross domain blocker
|
|
if referrer and not same_origin(loc, referrer):
|
|
return HttpResponseForbidden()
|
|
else:
|
|
if request.session.get('_turbolinks_redirect_to'):
|
|
loc = request.session.pop('_turbolinks_redirect_to')
|
|
response['X-XHR-Redirected-To'] = loc
|
|
return response
|