From 1adb00d13ed61182783947c7f9044612aff3dd69 Mon Sep 17 00:00:00 2001
From: wxiaoguang
Date: Wed, 27 Mar 2024 21:14:34 +0800
Subject: [PATCH 1/3] Refactor render (#30136)
---
 routers/web/repo/render.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/routers/web/repo/render.go b/routers/web/repo/render.go
index f146debb032c8..f62f0b853f0d0 100644
--- a/routers/web/repo/render.go
+++ b/routers/web/repo/render.go
@@ -12,6 +12,7 @@ import (
 "code.gitea.io/gitea/modules/charset"
 "code.gitea.io/gitea/modules/context"
 "code.gitea.io/gitea/modules/git"
+ "code.gitea.io/gitea/modules/log"
 "code.gitea.io/gitea/modules/markup"
 "code.gitea.io/gitea/modules/typesniffer"
 "code.gitea.io/gitea/modules/util"
@@ -44,20 +45,17 @@ func RenderFile(ctx *context.Context) {
 isTextFile := st.IsText()
 rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc), charset.ConvertOpts{})
+ ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")
 if markupType := markup.Type(blob.Name()); markupType == "" {
 if isTextFile {
- _, err = io.Copy(ctx.Resp, rd)
- if err != nil {
- ctx.ServerError("Copy", err)
- }
- return
+ _, _ = io.Copy(ctx.Resp, rd)
+ } else {
+ http.Error(ctx.Resp, "Unsupported file type render", http.StatusInternalServerError)
 }
- ctx.Error(http.StatusInternalServerError, "Unsupported file type render")
 return
 }
- ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")
 err = markup.Render(&markup.RenderContext{
 Ctx: ctx,
 RelativePath: ctx.Repo.TreePath,
@@ -71,7 +69,8 @@ func RenderFile(ctx *context.Context) {
 InStandalonePage: true,
 }, rd, ctx.Resp)
 if err != nil {
- ctx.ServerError("Render", err)
+ log.Error("Failed to render file %q: %v", ctx.Repo.TreePath, err)
+ http.Error(ctx.Resp, "Failed to render file", http.StatusInternalServerError)
 return
 }
 }
From 5b2d7b6a1fdc7795c5cc20e84cb9c2cc8265ad31 Mon Sep 17 00:00:00 2001
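Review bot: In [PATCH 1/3], hunk `@@ -44,20 +45,17 @@`, the plain-text branch (`_, _ = io.Copy(ctx.Resp, rd)`) sends repository-controlled bytes with no Content-Type set in the visible lines, so unless RenderFile sets one before the hunk, net/http sniffs the body and a file that looks like HTML goes out as `text/html`. The CSP now covers this branch, but `sandbox allow-scripts` still lets script run, only in an opaque origin. If this branch is meant to return text only, I would pin the type before the copy with `ctx.Resp.Header().Set("Content-Type", "text/plain; charset=utf-8")` and `ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")`. The discarded copy error also deserves a `log.Error` or a short comment saying a failed write to the client is ignored on purpose. The function body starts before and continues after this hunk.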
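Review bot: In [PATCH 1/3], hunk `@@ -71,7 +69,8 @@`, `http.Error` runs after `markup.Render` was handed `ctx.Resp` as its output writer, so if Render fails after writing anything, the 200 status is already on the wire and "Failed to render file" is appended to a partial document. The 500 status and the text/plain and nosniff headers that `http.Error` sets only take effect when no bytes were sent; whether Render buffers its output is not visible here. I would state that on the branch, `// Render may already have written part of the body; the 500 only applies if nothing was sent yet`, or render into a buffer and copy it to `ctx.Resp` on success. Logging the path with `%q` is a good choice, since the tree path is user-controlled. RenderFile begins before this hunk.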
From: Lunny Xiao
Date: Mon, 8 Apr 2024 23:21:08 +0800
Subject: [PATCH 2/3] Add frame-ancestors 'self'
---
 routers/web/repo/render.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routers/web/repo/render.go b/routers/web/repo/render.go
index f62f0b853f0d0..668d6a6322348 100644
--- a/routers/web/repo/render.go
+++ b/routers/web/repo/render.go
@@ -45,7 +45,7 @@ func RenderFile(ctx *context.Context) {
 isTextFile := st.IsText()
 rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc), charset.ConvertOpts{})
- ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")
+ ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; frame-ancestors 'self'; sandbox allow-scripts")
 if markupType := markup.Type(blob.Name()); markupType == "" {
 if isTextFile {
From 07e1ba911f5696ee02aedcafca6abb9591b63da4 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Tue, 9 Apr 2024 00:21:22 +0800
Subject: [PATCH 3/3] Revert "Add frame-ancestors 'self'"
This reverts commit 5b2d7b6a1fdc7795c5cc20e84cb9c2cc8265ad31.
---
 routers/web/repo/render.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routers/web/repo/render.go b/routers/web/repo/render.go
index 668d6a6322348..f62f0b853f0d0 100644
--- a/routers/web/repo/render.go
+++ b/routers/web/repo/render.go
@@ -45,7 +45,7 @@ func RenderFile(ctx *context.Context) {
 isTextFile := st.IsText()
 rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc), charset.ConvertOpts{})
- ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; frame-ancestors 'self'; sandbox allow-scripts")
+ ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")
 if markupType := markup.Type(blob.Name()); markupType == "" {
 if isTextFile {
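Review bot: The CSP literal on the `ctx.Resp.Header().Add("Content-Security-Policy", ...)` line gains `frame-ancestors 'self'` in [PATCH 2/3] and loses it again in [PATCH 3/3], and neither the commit messages nor the code say which embedding model is intended. `frame-src` only limits what the rendered page may embed; without `frame-ancestors`, or an X-Frame-Options header set elsewhere (these hunks do not show one), any origin may frame the rendered file. I would record the decision next to the header, for example `// sandbox without allow-same-origin gives the rendered file an opaque origin; frame-ancestors is omitted on purpose because <reason>`, so the next edit to this string is reviewed against it. RenderFile starts and ends outside both hunks.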