diff --git a/api/config/settings/common.py b/api/config/settings/common.py
index b87eed782..5865bf9a0 100644
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -2,7 +2,7 @@ import logging.config
 import sys
 import warnings
 from collections import OrderedDict
-from urllib.parse import urlsplit
+from urllib.parse import urlparse, urlsplit
 import environ
 from celery.schedules import crontab
@@ -224,6 +224,13 @@ ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=[]) + [FUNKWHALE_HOSTNA
 List of allowed hostnames for which the Funkwhale server will answer.
 """
+CSRF_TRUSTED_ORIGINS = [urlparse(o, FUNKWHALE_PROTOCOL).geturl() for o in ALLOWED_HOSTS]
+"""
+List of origins that are trusted for unsafe requests
+We simply consider all allowed hosts to be trusted origins
+See https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins
+"""
+
 # APP CONFIGURATION
 # ------------------------------------------------------------------------------
 DJANGO_APPS = (
diff --git a/api/config/settings/local.py b/api/config/settings/local.py
index b1dc93f19..10cfbdbc3 100644
--- a/api/config/settings/local.py
+++ b/api/config/settings/local.py
@@ -96,8 +96,6 @@ CELERY_TASK_ALWAYS_EAGER = False
 # Your local stuff: Below this line define 3rd party library settings
-CSRF_TRUSTED_ORIGINS = [o for o in ALLOWED_HOSTS]
-
 REST_FRAMEWORK["DEFAULT_SCHEMA_CLASS"] = "funkwhale_api.schema.CustomAutoSchema"
 SPECTACULAR_SETTINGS = {
     "TITLE": "Funkwhale API",
diff --git a/api/config/settings/production.py b/api/config/settings/production.py
index 589286ab2..815828bd5 100644
--- a/api/config/settings/production.py
+++ b/api/config/settings/production.py
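Review bot: The `urlparse(o, FUNKWHALE_PROTOCOL).geturl()` conversion on the new CSRF_TRUSTED_ORIGINS line is fragile for the host forms ALLOWED_HOSTS accepts: on current Python versions a `host:port` entry is parsed as scheme `host` with path `port`, so the default scheme is never applied and the resulting entry has no `http(s)://` prefix, which Django 4.x rejects at startup, and a `.example.com` subdomain wildcard becomes `https://.example.com`, which CSRF origin matching treats as an exact host rather than the `https://*.example.com` form the setting expects. Building the origin by string formatting is more predictable, e.g. `CSRF_TRUSTED_ORIGINS = [f"{FUNKWHALE_PROTOCOL}://{'*' + o if o.startswith('.') else o}" for o in ALLOWED_HOSTS]` (assuming FUNKWHALE_PROTOCOL is a bare scheme such as `https`, as the urlparse call suggests), which also makes the `urlparse` import added in the first hunk unnecessary. The docstring could additionally state that a bare `*` in ALLOWED_HOSTS yields no usable trusted origin, since the CSRF check needs a concrete host or a `*.`-prefixed domain. Note that the resulting line exceeds the usual 88-column limit, so a multi-line comprehension would also match the formatter the rest of the settings module appears to follow.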
@@ -41,14 +41,6 @@ SECRET_KEY = env("DJANGO_SECRET_KEY")
 # SESSION_COOKIE_HTTPONLY = True
 # SECURE_SSL_REDIRECT = env.bool("DJANGO_SECURE_SSL_REDIRECT", default=True)
-# SITE CONFIGURATION
-# ------------------------------------------------------------------------------
-# Hosts/domain names that are valid for this site
-# See https://docs.djangoproject.com/en/1.6/ref/settings/#allowed-hosts
-CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS
-
-# END SITE CONFIGURATION
-
 # Static Assets
 # ------------------------
 STATICFILES_STORAGE = "django.contrib.staticfiles.storage.StaticFilesStorage"