improve CSRF_TRUSTED_ORIGINS loading logic

2026-04-03 06:17:53 +10:00 · 2024-08-23 02:01:40 -07:00
parent c6a80ab256
commit 34389e5e7c
2 changed files with 8 additions and 5 deletions
--- a/archivebox/core/settings.py
+++ b/archivebox/core/settings.py
@@ -5,6 +5,7 @@ import sys
 import re
 import logging
 import tempfile
+from typing import Any, Dict

 from pathlib import Path
 from django.utils.crypto import get_random_string
@@ -317,13 +318,15 @@ STORAGES = {
 SECRET_KEY = CONFIG.SECRET_KEY or get_random_string(50, 'abcdefghijklmnopqrstuvwxyz0123456789_')

 ALLOWED_HOSTS = CONFIG.ALLOWED_HOSTS.split(',')
-CSRF_TRUSTED_ORIGINS = CONFIG.CSRF_TRUSTED_ORIGINS.split(',')
+CSRF_TRUSTED_ORIGINS = list(set(CONFIG.CSRF_TRUSTED_ORIGINS.split(',')))

 # automatically fix case when user sets ALLOWED_HOSTS (e.g. to archivebox.example.com)
 # but forgets to add https://archivebox.example.com to CSRF_TRUSTED_ORIGINS
-if CONFIG.ALLOWED_HOSTS != '*' and (not CSRF_TRUSTED_ORIGINS):
-    for hostname in ALLOWED_HOSTS:
-        CSRF_TRUSTED_ORIGINS.append(f'https://{hostname}')
+for hostname in ALLOWED_HOSTS:
+    https_endpoint = f'https://{hostname}'
+    if hostname != '*' and https_endpoint not in CSRF_TRUSTED_ORIGINS:
+        print(f'[!] WARNING: {https_endpoint} from ALLOWED_HOSTS should be added to CSRF_TRUSTED_ORIGINS')
+        CSRF_TRUSTED_ORIGINS.append(https_endpoint)

 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True