Merge 12a3327 into 7435b91

FlexMeasures · Dec 7, 2023 · 52ee493 · 52ee493
2 parents 7435b91 + 12a3327
commit 52ee493
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 0 deletions.
diff --git a/documentation/configuration.rst b/documentation/configuration.rst
@@ -235,6 +235,12 @@ FLEXMEASURES_JS_VERSIONS
 
 Default: ``{"vega": "5.22.1", "vegaembed": "6.20.8", "vegalite": "5.2.0"}``
 
+FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When ``FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY`` is set to ``true``, insecure ``http`` connections are automatically upgraded to secure ``https``.
+
+Default: ``False``
 
 Timing
 ------

diff --git a/flexmeasures/ui/templates/base.html b/flexmeasures/ui/templates/base.html
@@ -11,6 +11,9 @@
     </title>
     {% endblock head %}
     <meta charset="windows-1252">
+    {% if FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY == true %}
+      <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
+    {% endif %}
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <link rel="icon" href="/favicon.ico" type="image/x-icon" />
     <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />

diff --git a/flexmeasures/ui/utils/view_utils.py b/flexmeasures/ui/utils/view_utils.py
@@ -19,6 +19,9 @@
 def render_flexmeasures_template(html_filename: str, **variables):
     """Render template and add all expected template variables, plus the ones given as **variables."""
     variables["flask_env"] = current_app.env
+    variables["FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY"] = current_app.config.get(
+        "FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY"
+    )
     variables["documentation_exists"] = False
     if os.path.exists(
         "%s/static/documentation/html/index.html" % flexmeasures_ui.root_path

diff --git a/flexmeasures/utils/config_defaults.py b/flexmeasures/utils/config_defaults.py
@@ -135,6 +135,9 @@ class Config(object):
     FLEXMEASURES_API_SUNSET_DATE: str | None = None  # e.g. 2023-05-01
     FLEXMEASURES_API_SUNSET_LINK: str | None = None  # e.g. https://flexmeasures.readthedocs.io/en/latest/api/introduction.html#deprecation-and-sunset
 
+    # if True, the content could be accessed via HTTPS.
+    FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY: bool = False
+
 
 #  names of settings which cannot be None
 #  SECRET_KEY is also required but utils.app_utils.set_secret_key takes care of this better.