docs: Clean up cross-domain doc formatting; call out CWE-942

Change-Id: I7ab605d48972e8dc06e630d160c745baeea91355
Tim Burke 2023-04-18 14:19:31 -07:00 committed by Alistair Coles
parent 4b6f54d063
commit ed1f5193e5
2 changed files with 43 additions and 16 deletions

@ -9,10 +9,12 @@ with the Swift API.
See http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html for See http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html for
a description of the purpose and structure of the cross-domain policy a description of the purpose and structure of the cross-domain policy
file. The cross-domain policy file is installed in the root of a web file. The cross-domain policy file is installed in the root of a web
server (i.e., the path is /crossdomain.xml). server (i.e., the path is ``/crossdomain.xml``).
The crossdomain middleware responds to a path of /crossdomain.xml with an The crossdomain middleware responds to a path of ``/crossdomain.xml`` with an
XML document such as:: XML document such as:
.. code:: xml
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd" > <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd" >
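
Review bot: The spec reference in the first context lines is still a bare http:// URL on adobe.com, and it is the only pointer the reader gets to the policy file format. Since this hunk already reworks the markup of the paragraph, consider switching the link to https and confirming the target still resolves, or turning it into a named hyperlink so the long URL does not break the line.
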
@ -31,12 +33,16 @@ Configuration
To enable this middleware, add it to the pipeline in your proxy-server.conf To enable this middleware, add it to the pipeline in your proxy-server.conf
file. It should be added before any authentication (e.g., tempauth or file. It should be added before any authentication (e.g., tempauth or
keystone) middleware. In this example ellipsis (...) indicate other keystone) middleware. In this example ellipsis (...) indicate other
middleware you may have chosen to use:: middleware you may have chosen to use:
.. code:: cfg
[pipeline:main] [pipeline:main]
pipeline = ... crossdomain ... authtoken ... proxy-server pipeline = ... crossdomain ... authtoken ... proxy-server
And add a filter section, such as:: And add a filter section, such as:
.. code:: cfg
[filter:crossdomain] [filter:crossdomain]
use = egg:swift#crossdomain use = egg:swift#crossdomain
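
Review bot: proxy-server.conf in the first context line stays plain text while the same commit wraps ``/crossdomain.xml`` and ``cross_domain_policy`` in literal markup; marking it as ``proxy-server.conf`` would keep file names and option names consistent. In the same paragraph, "ellipsis (...) indicate" should read "ellipses (...) indicate".
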
@ -45,11 +51,19 @@ And add a filter section, such as::
For continuation lines, put some whitespace before the continuation For continuation lines, put some whitespace before the continuation
text. Ensure you put a completely blank line to terminate the text. Ensure you put a completely blank line to terminate the
cross_domain_policy value. ``cross_domain_policy`` value.
The cross_domain_policy name/value is optional. If omitted, the policy The ``cross_domain_policy`` name/value is optional. If omitted, the policy
defaults as if you had specified:: defaults as if you had specified:
.. code:: cfg
cross_domain_policy = <allow-access-from domain="*" secure="false" /> cross_domain_policy = <allow-access-from domain="*" secure="false" />
.. note::
The default policy is very permissive; this is appropriate
for most public cloud deployments, but may not be appropriate
for all deployments. See also:
`CWE-942 <https://cwe.mitre.org/data/definitions/942.html>`__
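
Review bot: The new note calls the default very permissive but does not say which part of <allow-access-from domain="*" secure="false" /> makes it so, or what an operator should set instead. Consider stating that domain="*" admits requests from any origin and that secure="false" lets documents loaded over plain HTTP reach an HTTPS endpoint, and show a restricted ``cross_domain_policy`` value next to the default. It would also help to name the kind of deployment where the default is not appropriate, and to fold the CWE-942 link into a full sentence ending in a period instead of leaving it after "See also:".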

@ -23,20 +23,24 @@ class CrossDomainMiddleware(object):
Cross domain middleware used to respond to requests for cross domain Cross domain middleware used to respond to requests for cross domain
policy information. policy information.
If the path is /crossdomain.xml it will respond with an xml cross domain If the path is ``/crossdomain.xml`` it will respond with an xml cross
policy document. This allows web pages hosted elsewhere to use client domain policy document. This allows web pages hosted elsewhere to use
side technologies such as Flash, Java and Silverlight to interact client side technologies such as Flash, Java and Silverlight to interact
with the Swift API. with the Swift API.
To enable this middleware, add it to the pipeline in your proxy-server.conf To enable this middleware, add it to the pipeline in your proxy-server.conf
file. It should be added before any authentication (e.g., tempauth or file. It should be added before any authentication (e.g., tempauth or
keystone) middleware. In this example ellipsis (...) indicate other keystone) middleware. In this example ellipsis (...) indicate other
middleware you may have chosen to use:: middleware you may have chosen to use:
.. code:: cfg
[pipeline:main] [pipeline:main]
pipeline = ... crossdomain ... authtoken ... proxy-server pipeline = ... crossdomain ... authtoken ... proxy-server
And add a filter section, such as:: And add a filter section, such as:
.. code:: cfg
[filter:crossdomain] [filter:crossdomain]
use = egg:swift#crossdomain use = egg:swift#crossdomain
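
Review bot: This docstring hunk in CrossDomainMiddleware repeats the prose and both ``.. code:: cfg`` blocks from the first file word for word, so every future wording change has to be made twice and the copies can drift. If the documentation page can pull its text from the docstring (for example through autodoc), only one copy needs maintaining; otherwise a short comment in each copy pointing at the other would help.
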
@ -45,13 +49,22 @@ class CrossDomainMiddleware(object):
For continuation lines, put some whitespace before the continuation For continuation lines, put some whitespace before the continuation
text. Ensure you put a completely blank line to terminate the text. Ensure you put a completely blank line to terminate the
cross_domain_policy value. ``cross_domain_policy`` value.
The cross_domain_policy name/value is optional. If omitted, the policy The ``cross_domain_policy`` name/value is optional. If omitted, the policy
defaults as if you had specified:: defaults as if you had specified:
.. code:: cfg
cross_domain_policy = <allow-access-from domain="*" secure="false" /> cross_domain_policy = <allow-access-from domain="*" secure="false" />
.. note::
The default policy is very permissive; this is appropriate
for most public cloud deployments, but may not be appropriate
for all deployments. See also:
`CWE-942 <https://cwe.mitre.org/data/definitions/942.html>`__
""" """