Allow gradual rollout of new vite-based widget by adding urls to an allowlist that gets checked against the "Origin" http header of request fetching the widget js

2026-04-26 23:52:35 +00:00 · 2026-03-10 14:45:00 +01:00
parent 504191c005
commit 2dade31f23
3 changed files with 25 additions and 3 deletions
--- a/src/pretix/base/settings.py
+++ b/src/pretix/base/settings.py
--- a/src/pretix/control/forms/global_settings.py
+++ b/src/pretix/control/forms/global_settings.py
@@ -104,6 +104,12 @@ class GlobalSettingsForm(SettingsForm):
                help_text=_("Will be served at {domain}/.well-known/apple-developer-merchantid-domain-association").format(
                    domain=settings.SITE_URL
                )
+            )),
+            ('widget_vite_origins', forms.CharField(
+                widget=forms.Textarea(attrs={'rows': '3'}),
+                required=False,
+                label=_("Vite widget origins"),
+                help_text=_("One origin per line (e.g. https://example.com). Requests from these origins will be served the new vite-based widget."),
            ))
        ])
        responses = register_global_settings.send(self)
--- a/src/pretix/presale/views/widget.py
+++ b/src/pretix/presale/views/widget.py
@@ -121,9 +121,21 @@ def widget_css_etag(request, version, **kwargs):
        return f'{_get_source_cache_key(version)}-{request.organizer.cache.get_or_set("css_version", default=lambda: int(time.time()))}'


+def _use_vite(request):
+    if getattr(settings, 'PRETIX_WIDGET_VITE', False):
+        return True
+    origin = request.META.get('HTTP_ORIGIN', '')
+    gs = GlobalSettingsObject()
+    vite_origins = gs.settings.get('widget_vite_origins', as_type=str, default='')
+    if origin and vite_origins:
+        origins_list = [o.strip() for o in vite_origins.strip().splitlines() if o.strip()]
+        return origin in origins_list
+    return False
+
+
 def widget_js_etag(request, version, lang, **kwargs):
    gs = GlobalSettingsObject()
-    variant = 'vite' if getattr(settings, 'PRETIX_WIDGET_VITE', False) else 'legacy'
+    variant = 'vite' if _use_vite(request) else 'legacy'
    return gs.settings.get('widget_checksum_{}_{}_{}'.format(version, lang, variant))


@@ -222,7 +234,7 @@ def widget_js(request, version, lang, **kwargs):
    if version < version_min:
        version = version_min

-    use_vite = getattr(settings, 'PRETIX_WIDGET_VITE', False)
+    use_vite = _use_vite(request)
    variant = 'vite' if use_vite else 'legacy'
    cache_prefix = 'widget_js_data_v{}_{}_{}'.format(version, lang, variant)