Use flask-talisman for handling backend response headers#3404

Merged: arikfr merged 8 commits into master from talisman on Mar 27, 2019
Contributor

@jezdez jezdez commented Feb 6, 2019

Fixes #3060.
Refs #3044.
Refs mozilla#562.
Helps #2891. 🎉

Contributor

rauchy commented Feb 7, 2019

Thanks @jezdez!

@arikfr if you merge this, we can discard #3214

Contributor Author

jezdez commented Feb 7, 2019

@rauchy Oh dang, I had missed your PR, apologies for the overlap 😬

@emtwo emtwo left a comment

Code looks good to me!

Member

@arikfr arikfr left a comment

Thanks, please see comments.

Comment thread redash/security.py
Comment thread redash/settings/__init__.py Outdated
Comment thread redash/settings/__init__.py Outdated
Comment thread redash/settings/__init__.py
Comment thread requirements.txt Outdated
Comment thread requirements.txt Outdated
Comment thread redash/settings/__init__.py
Comment thread redash/settings/__init__.py Outdated
Comment thread redash/settings/__init__.py Outdated
Comment thread redash/authentication/__init__.py Outdated
Comment thread redash/authentication/__init__.py Outdated
Comment thread redash/settings/__init__.py
@jezdez jezdez requested a review from arikfr March 7, 2019 11:02
@jezdez jezdez force-pushed the talisman branch 2 times, most recently from d697222 to bb26cee Compare March 7, 2019 11:07
Contributor Author

jezdez commented Mar 21, 2019

@arikfr Is there anything needed to merge this?

@jezdez jezdez modified the milestones: v7.0.0, Next Mar 22, 2019
Contributor Author

jezdez commented Mar 27, 2019

@arikfr Anything needed to merge this?

@arikfr arikfr merged commit 712fc63 into master Mar 27, 2019
@arikfr arikfr deleted the talisman branch March 27, 2019 15:24
Member

arikfr commented Mar 27, 2019

> Anything needed to merge this?

Time.

jezdez pushed a commit that referenced this pull request Apr 17, 2019
## What type of PR is this? (check all applicable)

- [x] Bug Fix

## Description

Without this change the Help Drawer couldn't load content anymore.

## Related Tickets & Documents

#3404
harveyrendell pushed a commit to pushpay/redash that referenced this pull request Nov 14, 2019
)

* Normalize Flask initialization API use.

* Use Flask-Talisman.

* Enable HSTS when HTTPS is enforced.

* More details about how CSP is formatted and write CSP directives as a string.

* Use CSP frame-ancestors directive and not X-Frame-Options for embeddable endpoints.

* Add link to flask-talisman docs.

* set remember_token cookie to be HTTP-Only and Secure

* Reorganize secret key configuration to be forward thinking and backward compatible.
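
The response properties named in the commit message above (HSTS when HTTPS is enforced, a CSP with `frame-ancestors`, no `X-Frame-Options` on embeddable endpoints, and an HTTP-only, Secure `remember_token` cookie) can be checked on a response's headers. This is an added example, not code from this pull request or from Redash; the function name `audit_response`, its parameters and the sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie

def audit_response(headers, https_enforced=True, embeddable=False):
    """Check one response's (name, value) header pairs; return a list of findings."""
    def values(name):
        return [v for k, v in headers if k.lower() == name]

    findings = []
    # HSTS is expected whenever HTTPS is enforced.
    if https_enforced and not values("strict-transport-security"):
        findings.append("missing Strict-Transport-Security")

    # Parse the CSP header string into {directive: [sources]}.
    csp = {}
    for policy in values("content-security-policy"):
        for part in policy.split(";"):
            tokens = part.split()
            if tokens:
                csp.setdefault(tokens[0].lower(), tokens[1:])
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "frame-ancestors" not in csp:
        findings.append("CSP has no frame-ancestors directive")

    # Embeddable endpoints are meant to use frame-ancestors, not X-Frame-Options.
    if embeddable and values("x-frame-options"):
        findings.append("X-Frame-Options set on embeddable endpoint")

    # The remember_token cookie must carry both HttpOnly and Secure.
    for raw in values("set-cookie"):
        cookie = SimpleCookie()
        cookie.load(raw)
        morsel = cookie.get("remember_token")
        for flag in ("httponly", "secure"):
            if morsel is not None and not morsel[flag]:
                findings.append(f"remember_token cookie lacks {flag}")
    return findings

# Constructed sample responses, not captured from a real deployment.
GOOD = [
    ("Strict-Transport-Security", "max-age=31556926; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "remember_token=abc123; Path=/; HttpOnly; Secure"),
]
WEAK = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "deny"),
    ("Set-Cookie", "remember_token=abc123; Path=/; HttpOnly"),
]
```
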
harveyrendell pushed a commit to pushpay/redash that referenced this pull request Nov 14, 2019
## What type of PR is this? (check all applicable)

- [x] Bug Fix

## Description

Without this change the Help Drawer couldn't load content anymore.

## Related Tickets & Documents

getredash#3404
4 participants