make security headers optional work with office.js via CDN

xlwings · Mar 28, 2024 · 0e35146 · 0e35146
1 parent 5497398
commit 0e35146
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/app/config.py b/app/config.py
@@ -5,6 +5,7 @@
 
 
 class Settings(BaseSettings):
+    add_security_headers: bool = True
     base_dir: Path = Path(__file__).resolve().parent
     cors_allow_origins: List[str] = ["*"]
     development: bool = False

diff --git a/app/main.py b/app/main.py
@@ -43,11 +43,19 @@ async def add_security_headers(request, call_next):
     # https://owasp.org/www-project-secure-headers/index.html#configuration-proposal
     # https://owasp.org/www-project-secure-headers/ci/headers_add.json
     response = await call_next(request)
-    with open(settings.base_dir / "security_headers.json", "r") as f:
-        data = json.load(f)
-
-    for header in data["headers"]:
-        response.headers[header["name"]] = header["value"]
+    if settings.add_security_headers:
+        with open(settings.base_dir / "security_headers.json", "r") as f:
+            data = json.load(f)
+
+        for header in data["headers"]:
+            response.headers[header["name"]] = header["value"]
+        if settings.public_addin_store:
+            response.headers["Content-Security-Policy"] = (
+                response.headers["Content-Security-Policy"]
+                + "; script-src 'self' https://appsforoffice.microsoft.com;"
+            )
+            response.headers["Cross-Origin-Resource-Policy"] = "cross-origin"
+            del response.headers["Cross-Origin-Embedder-Policy"]
     return response