fixed site loader and subdirs

2019-11-13 21:06:04 -06:00 · 2019-11-13 21:06:04 -06:00 · 1166c9155a
parent 0cce0f4318
commit 1166c9155a
3 changed files with 9 additions and 8 deletions
--- a/onionr/httpapi/onionrsitesapi/init.py
+++ b/onionr/httpapi/onionrsitesapi/init.py
@ -64,11 +64,11 @@ def site(name: str)->Response:
        abort(404)
    return Response(resp)

-@site_api.route('/site/<name>/<file>', endpoint='siteFile')
+@site_api.route('/site/<name>/<path:file>', endpoint='siteFile')
 def site_file(name: str, file: str)->Response:
    """Accept a site 'name', if pubkey then show multi-page site, if hash show single page site"""
    resp: str = 'Not Found'
-    mime_type = 'text/html'
+    mime_type = mimetypes.MimeTypes().guess_type(file)[0]

    # If necessary convert the name to base32 from mnemonic
    if mnemonickeys.DELIMITER in name:
@ -92,4 +92,4 @@ def site_file(name: str, file: str)->Response:
            pass
    if resp == 'Not Found' or not resp:
        abort(404)
-    return Response(resp)
+    return Response(resp, mimetype=mime_type)
--- a/onionr/httpapi/security/client.py
+++ b/onionr/httpapi/security/client.py
@ -49,6 +49,7 @@ class ClientAPISecurity:

            if request.endpoint in whitelist_endpoints:
                return
+            if request.path.startswith('/site/'): return
            try:
                if not hmac.compare_digest(request.headers['token'], client_api.clientToken):
                    if not hmac.compare_digest(request.form['token'], client_api.clientToken):
@ -61,8 +62,8 @@ class ClientAPISecurity:
        def after_req(resp):
            # Security headers
            resp = httpheaders.set_default_onionr_http_headers(resp)
-            if request.endpoint == 'siteapi.site':
-                resp.headers['Content-Security-Policy'] = "default-src 'none'; style-src data: 'unsafe-inline'; img-src data:"
+            if request.endpoint in ('siteapi.site', 'siteapi.siteFile'):
+                resp.headers['Content-Security-Policy'] = "default-src 'none'; style-src 'self' data: 'unsafe-inline'; img-src 'self' data:; media-src 'self' data:"
            else:
                resp.headers['Content-Security-Policy'] = "default-src 'none'; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'"
-            return resp
+            return resp
--- a/static-data/www/shared/sites.js
+++ b/static-data/www/shared/sites.js
@ -9,12 +9,12 @@ function checkHex(str) {
 document.getElementById('openSite').onclick = function(){
    var hash = document.getElementById('siteViewer').value
    if (hash.length == 0){ return }
-    if (checkHex(hash) && hash.length >= 50){
+    if (checkHex(hash) && hash.length >= 50 || hash.length == 52 || hash.length == 56){
        window.location.href = '/site/' + hash
    }
    else{
        PNotify.notice({
-            text: 'Invalid site hash'
+            text: 'Invalid site hash/ID'
        })
    }
 }