From 30d4337783fc8b570edfc09d41fa0c0550aafbdf Mon Sep 17 00:00:00 2001 From: Ben Busby Date: Fri, 26 Nov 2021 07:54:58 -0700 Subject: [PATCH 1/8] Add new public instance https://whoogle.fossho.st is now an "official" public instance of Whoogle, since it is the only instance maintained and validated by the developer(s) of Whoogle (currently only me). Closes #533 --- README.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f8f7f5a..df89d9e 100644 --- a/README.md +++ b/README.md @@ -496,10 +496,11 @@ A lot of the app currently piggybacks on Google's existing support for fetching ## Public Instances -*Note: Use public instances at your own discretion. Maintainers of Whoogle do not personally validate the integrity of these instances, and popular public instances are more likely to be rate-limited or blocked.* - +*Note: Use public instances at your own discretion. The maintainers of Whoogle are only responsible for https://whoogle.fossho.st, and do not personally validate the integrity of any other instances. Popular public instances are more likely to be rate-limited or blocked.* + | Website | Country | Language | Cloudflare | |-|-|-|-| +| [https://whoogle.fossho.st](https://whoogle.fossho.st) | 🇺🇸 US | Multi-choice | | | [https://search.albony.xyz](https://search.albony.xyz/) | 🇮🇳 IN | Multi-choice | | | [https://whoogle.sdf.org](https://whoogle.sdf.org) | 🇺🇸 US | Multi-choice | | [https://whoogle.kavin.rocks](https://whoogle.kavin.rocks) | 🇮🇳 IN | Unknown | ✅ | 
@@ -510,9 +511,15 @@ A lot of the app currently piggybacks on Google's existing support for fetching | [https://s.alefvanoon.xyz](https://s.alefvanoon.xyz) | 🇺🇸 US | English | ✅ | | [https://search.flux.industries](https://search.flux.industries) | 🇩🇪 DE | German | ✅ | | [https://www.whooglesearch.ml](https://www.whooglesearch.ml) | 🇺🇸 US | English | | -| [http://whoogledq5f5wly5p4i2ohnvjwlihnlg4oajjum2oeddfwqdwupbuhqd.onion](http://whoogledq5f5wly5p4i2ohnvjwlihnlg4oajjum2oeddfwqdwupbuhqd.onion) | 🇮🇳 IN | Unknown | | -* A checkmark in the "Cloudflare" category here refers to the use of the reverse proxy, [Cloudflare](https://cloudflare). The checkmark will not be listed for a site which uses Cloudflare DNS but rather the proxying service which grants Cloudflare the ability to monitor traffic to the website. +* A checkmark in the "Cloudflare" category here refers to the use of the reverse proxy, [Cloudflare](https://cloudflare.com). The checkmark will not be listed for a site which uses Cloudflare DNS but rather the proxying service which grants Cloudflare the ability to monitor traffic to the website. + +#### Onion Instances + +| Website | Country | Language | +|-|-|-| +| [http://whoogledq5f5wly5p4i2ohnvjwlihnlg4oajjum2oeddfwqdwupbuhqd.onion](http://whoogledq5f5wly5p4i2ohnvjwlihnlg4oajjum2oeddfwqdwupbuhqd.onion) | 🇮🇳 IN | Unknown + ## Screenshots #### Desktop From 9c96f0fd579a9e721469392aaa78b626ddd013d0 Mon Sep 17 00:00:00 2001 
From: Ben Busby
Date: Fri, 26 Nov 2021 08:38:26 -0700
Subject: [PATCH 2/8] Improve default response headers

Reponse headers now include the following:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Strict-Transport-Security: max-age=63072000
- Only when HTTPS_ONLY is set
https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security
https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
https://infosec.mozilla.org/guidelines/web_security#x-frame-options
---
 app/routes.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/routes.py b/app/routes.py
index 1790c0d..9f66d74 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -145,9 +145,12 @@ def before_request_func():
 
 @app.after_request
 def after_request_func(resp):
+    resp.headers['X-Content-Type-Options'] = 'nosniff'
+    resp.headers['X-Frame-Options'] = 'DENY'
     resp.headers['Content-Security-Policy'] = app.config['CSP']
     if os.environ.get('HTTPS_ONLY', False):
         resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
+        resp.headers['Strict-Transport-Security'] = 'max-age=63072000'
     return resp
 
 

From 15391379be2e512afde07a853611912f305bf44f Mon Sep 17 00:00:00 2001
From: alefvanoon <53198048+alefvanoon@users.noreply.github.com>
Date: Fri, 26 Nov 2021 23:08:44 +0100
Subject: [PATCH 3/8] Remove dead instances & add onion instance (#555)

---
 README.md | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index df89d9e..21bf892 100644
--- a/README.md
+++ b/README.md
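Review bot: `os.environ.get('HTTPS_ONLY', False)` on the unchanged `if` line is true for any non-empty string, so `HTTPS_ONLY=0` still sends the two-year `Strict-Transport-Security` header added here, and a browser that has seen it refuses plain HTTP to that host until the max-age expires. Because HSTS cannot be quietly withdrawn once cached, the gate deserves an explicit value check such as `if os.environ.get('HTTPS_ONLY', '0').lower() not in ('', '0', 'false'):`, kept consistent with wherever else the app reads the same variable (none of those readers is inside this hunk). `os.getenv('WHOOGLE_CSP', False)` in PATCH 6/8 has the same any-non-empty-value semantics. The header also omits `includeSubDomains`, which the cited Mozilla guideline recommends; leaving it out is defensible where operators host non-TLS subdomains, but a comment like `# no includeSubDomains: instance subdomains may not serve TLS` would make that choice explicit.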
@@ -503,13 +503,10 @@ A lot of the app currently piggybacks on Google's existing support for fetching | [https://whoogle.fossho.st](https://whoogle.fossho.st) | 🇺🇸 US | Multi-choice | | | [https://search.albony.xyz](https://search.albony.xyz/) | 🇮🇳 IN | Multi-choice | | | [https://whoogle.sdf.org](https://whoogle.sdf.org) | 🇺🇸 US | Multi-choice | -| [https://whoogle.kavin.rocks](https://whoogle.kavin.rocks) | 🇮🇳 IN | Unknown | ✅ | | [https://search.garudalinux.org](https://search.garudalinux.org) | 🇩🇪 DE | Multi-choice | | | [https://whooglesearch.net](https://whooglesearch.net) | 🇩🇪 DE | Spanish | | -| [https://search.flawcra.cc](https://search.flawcra.cc) |🇩🇪 DE | Unknown | ✅ | | [https://search.exonip.de](https://search.exonip.de) | 🇳🇱 NL | Multi-choice | | -| [https://s.alefvanoon.xyz](https://s.alefvanoon.xyz) | 🇺🇸 US | English | ✅ | -| [https://search.flux.industries](https://search.flux.industries) | 🇩🇪 DE | German | ✅ | +| [https://s.alefvanoon.xyz](https://s.alefvanoon.xyz) | 🇺🇸 US | Multi-choice | ✅ | | [https://www.whooglesearch.ml](https://www.whooglesearch.ml) | 🇺🇸 US | English | | * A checkmark in the "Cloudflare" category here refers to the use of the reverse proxy, [Cloudflare](https://cloudflare.com). The checkmark will not be listed for a site which uses Cloudflare DNS but rather the proxying service which grants Cloudflare the ability to monitor traffic to the website. @@ -518,8 +515,7 @@ A lot of the app currently piggybacks on Google's existing support for fetching | Website | Country | Language | |-|-|-| -| [http://whoogledq5f5wly5p4i2ohnvjwlihnlg4oajjum2oeddfwqdwupbuhqd.onion](http://whoogledq5f5wly5p4i2ohnvjwlihnlg4oajjum2oeddfwqdwupbuhqd.onion) | 🇮🇳 IN | Unknown - +| [http://whoglqjdkgt2an4tdepberwqz3hk7tjo4kqgdnuj77rt7nshw2xqhqad.onion](http://whoglqjdkgt2an4tdepberwqz3hk7tjo4kqgdnuj77rt7nshw2xqhqad.onion) | 🇺🇸 US | Multi-choice ## Screenshots #### Desktop From 27051363ff7715282ce9e241448f82857370f74b Mon Sep 17 00:00:00 2001 
From: Ben Busby
Date: Sat, 27 Nov 2021 20:03:06 -0700
Subject: [PATCH 4/8] Adjust logo css for mobile devices

Fixes #557
---
 app/static/css/logo.css | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/static/css/logo.css b/app/static/css/logo.css
index 6aebfa4..0dfe8bb 100644
--- a/app/static/css/logo.css
+++ b/app/static/css/logo.css
@@ -12,6 +12,7 @@ a {
 
 @media (max-width: 1000px) {
     svg {
-        margin-top: .7em;
+        margin-top: .3em;
+        height: 70%;
     }
 }

From f73e4b9239e767ddd3e2a62de3acee4d09bb2545 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Mon, 29 Nov 2021 15:34:13 -0700
Subject: [PATCH 5/8] Fix height for homepage logo

---
 app/static/css/main.css | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/static/css/main.css b/app/static/css/main.css
index 9801657..6e60535 100644
--- a/app/static/css/main.css
+++ b/app/static/css/main.css
@@ -144,6 +144,7 @@ footer {
 
 .whoogle-svg {
     width: 80%;
+    height: initial;
     display: block;
     margin: auto;
     padding-bottom: 10px;

From 3e20788857776cc484b3c4eeb162c21d10adf261 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Mon, 29 Nov 2021 15:49:35 -0700
Subject: [PATCH 6/8] Disable in-app CSP unless enabled via WHOOGLE_CSP

The default CSP is only helpful for some, and can break instances for others. Since these aren't always necessary and are occasionally set by the user's preferred reverse proxy, it is being disabled unless explicitly enabled by setting `WHOOGLE_CSP`. Fixes #493
---
 README.md | 3 ++-
 app/routes.py | 9 +++++----
 whoogle.template.env | 1 +
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 21bf892..2320f04 100644
--- a/README.md
+++ b/README.md
@@ -164,7 +164,7 @@ See the [available environment variables](#environment-variables) for additional
 ### F) Manual
-*Note: `Content-Security-Policy` headers are already sent by Whoogle -- you don't/shouldn't need to apply a CSP header yourself*
+*Note: `Content-Security-Policy` headers can be sent by Whoogle if you set `WHOOGLE_CSP`.*
 Clone the repo and run the following commands to start the app in a local-only environment:
@@ -330,6 +330,7 @@ There are a few optional environment variables available for customizing a Whoog
 | WHOOGLE_ALT_MD | The medium.com alternative to use when site alternatives are enabled in the config. |
 | WHOOGLE_AUTOCOMPLETE | Controls visibility of autocomplete/search suggestions. Default on -- use '0' to disable |
 | WHOOGLE_MINIMAL | Remove everything except basic result cards from all search queries. |
+| WHOOGLE_CSP | Sets a default set of 'Content-Security-Policy' headers |
 ### Config Environment Variables
 These environment variables allow setting default config values, but can be overwritten manually by using the home page config menu. These allow a shortcut for destroying/rebuilding an instance to the same config state every time.
diff --git a/app/routes.py b/app/routes.py
index 9f66d74..e8ac9f4 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -147,10 +147,11 @@ def before_request_func():
 def after_request_func(resp):
     resp.headers['X-Content-Type-Options'] = 'nosniff'
     resp.headers['X-Frame-Options'] = 'DENY'
-    resp.headers['Content-Security-Policy'] = app.config['CSP']
-    if os.environ.get('HTTPS_ONLY', False):
-        resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
-        resp.headers['Strict-Transport-Security'] = 'max-age=63072000'
+
+    if os.getenv('WHOOGLE_CSP', False):
+        resp.headers['Content-Security-Policy'] = app.config['CSP']
+        if os.environ.get('HTTPS_ONLY', False):
+            resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
     return resp
 
 
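Review bot: The rewritten block drops the `Strict-Transport-Security` header that the removed lines sent under `HTTPS_ONLY`, although the commit message only describes making the CSP opt-in; after this hunk HSTS is never emitted, so the header introduced in PATCH 2/8 is silently lost. Keeping it outside the new `WHOOGLE_CSP` branch, `if os.environ.get('HTTPS_ONLY', False):` followed by `    resp.headers['Strict-Transport-Security'] = 'max-age=63072000'`, preserves it without affecting the CSP change. A second consequence is that `upgrade-insecure-requests` is now sent only when both variables are set, since it is appended to the CSP header; if that is intended, the `WHOOGLE_CSP` row added to the README in this commit should say so, because operators setting only `HTTPS_ONLY` will otherwise expect it. The whole of `after_request_func` is within the hunk, from its `def` line to `return resp`.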
diff --git a/whoogle.template.env b/whoogle.template.env
index 754686c..425cef5 100644
--- a/whoogle.template.env
+++ b/whoogle.template.env
@@ -19,6 +19,7 @@
 #WHOOGLE_PROXY_PASS=""
 #WHOOGLE_PROXY_TYPE=""
 #WHOOGLE_PROXY_LOC=""
+#WHOOGLE_CSP=1
 #HTTPS_ONLY=1
 
 # Restrict results to only those near a particular city

From b75ff0782db177c0fd738d575352b512c6ea3def Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Mon, 29 Nov 2021 15:58:19 -0700
Subject: [PATCH 7/8] pep8: fix CSP header line length

---
 app/routes.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/routes.py b/app/routes.py
index e8ac9f4..b949f65 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -151,7 +151,8 @@ def after_request_func(resp):
     if os.getenv('WHOOGLE_CSP', False):
         resp.headers['Content-Security-Policy'] = app.config['CSP']
         if os.environ.get('HTTPS_ONLY', False):
-            resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
+            resp.headers['Content-Security-Policy'] += \
+                'upgrade-insecure-requests'
     return resp
 
 

From e16038bf28b1b3842f61c7b2eb32c25156d75f39 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Tue, 30 Nov 2021 20:18:40 -0700
Subject: [PATCH 8/8] Make country var value compatible with `gl` param

---
 whoogle.template.env | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/whoogle.template.env b/whoogle.template.env
index 425cef5..40dfbef 100644
--- a/whoogle.template.env
+++ b/whoogle.template.env
@@ -26,7 +26,7 @@
 #WHOOGLE_CONFIG_NEAR=denver
 
 # See app/static/settings/countries.json for values
-#WHOOGLE_CONFIG_COUNTRY=countryUK
+#WHOOGLE_CONFIG_COUNTRY=US
 
 # See app/static/settings/languages.json for values
 #WHOOGLE_CONFIG_LANGUAGE=lang_en