As gluon-web uses standard multipart/form-data requests, browsers don't
enforce any cross-origin restrictions. To prevent malicious injection of
POST requests into the config mode, match the Origin header against the
Host header of the request.
(cherry picked from commit a83466be6e)
Actually raise an error and turn it into an HTTP 400 return code when
something goes wrong, rather than ignoring the error.
We also improve the conditions under which errors are thrown before
pump() is called: We don't need to check for the multipart/form-data
content-type twice, and a POST without this content-type is now always
an error.
(cherry picked from commit f3960eeb47)
- CGI script and index.html are moved from gluon-web to
gluon-config-mode-core, the script is renamed to 'config'
- gluon-web and gluon-web-model base views and i18n files are symlinked
into the new path
- gluon-web-theme is renamed to gluon-config-mode-theme and installs
directly into the new path
- all gluon-web-* models, controllers and views are moved into the new
path
If a value is unset or optional, an empty choice is added to the selection.
This empty choice will be marked as invalid if the value is not optional.
This is properly supported for the 'select' widget only for now, and not
for 'radio'.