diff options
| author | Miguel Jacq <mig@mig5.net> | 2017-05-21 10:03:18 +1000 |
|---|---|---|
| committer | Miguel Jacq <mig@mig5.net> | 2017-05-21 10:03:18 +1000 |
| commit | 38ee7fde21e6c0216137376b390dec6a46408670 (patch) | |
| tree | f3524c8bf85ef7bf261a1c0e3e410fb60c15a3fe | |
| parent | 6c5298884240c3978159db4a5db9bf2c87ed6c1e (diff) | |
| download | onionshare-38ee7fde21e6c0216137376b390dec6a46408670.tar.gz onionshare-38ee7fde21e6c0216137376b390dec6a46408670.zip | |
Remove duplication of security headers
| -rw-r--r-- | onionshare/web.py | 51 |
1 files changed, 20 insertions, 31 deletions
diff --git a/onionshare/web.py b/onionshare/web.py index 0d9e4133..36901f39 100644 --- a/onionshare/web.py +++ b/onionshare/web.py @@ -47,6 +47,16 @@ file_info = [] zip_filename = None zip_filesize = None + +security_headers = [ + ('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'self\' data:;'), + ('X-Frame-Options', 'DENY'), + ('X-Xss-Protection', '1; mode=block'), + ('X-Content-Type-Options', 'nosniff'), + ('Referrer-Policy', 'no-referrer'), + ('Server', 'Onion') +] + def set_file_info(filenames, processed_size_callback=None): """ Using the list of filenames being shared, fill in details that the web @@ -176,12 +186,8 @@ def index(slug_candidate): deny_download = not stay_open and download_in_progress if deny_download: r = make_response(render_template_string(open(common.get_resource_path('html/denied.html')).read())) - r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'self\' data:;') - r.headers.set('X-Frame-Options', 'DENY') - r.headers.set('X-Xss-Protection', '1; mode=block') - r.headers.set('X-Content-Type-Options', 'nosniff') - r.headers.set('Referrer-Policy', 'no-referrer') - r.headers.set('Server', 'Onion') + for header,value in security_headers: + r.headers.set(header, value) return r # If download is allowed to continue, serve download page @@ -193,12 +199,8 @@ def index(slug_candidate): filename=os.path.basename(zip_filename), filesize=zip_filesize, filesize_human=common.human_readable_filesize(zip_filesize))) - r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'unsafe-inline\' data:;') - r.headers.set('X-Frame-Options', 'DENY') - r.headers.set('X-Xss-Protection', '1; mode=block') - r.headers.set('X-Content-Type-Options', 'nosniff') - r.headers.set('Referrer-Policy', 'no-referrer') - r.headers.set('Server', 'Onion') + for header,value in security_headers: + r.headers.set(header, value) return r # If the client closes the OnionShare window while a download is in progress, @@ -219,12 +221,8 @@ def download(slug_candidate): deny_download = not stay_open and download_in_progress if deny_download: r = make_response(render_template_string(open(common.get_resource_path('html/denied.html')).read())) - r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'unsafe-inline\' data:;') - r.headers.set('X-Frame-Options', 'DENY') - r.headers.set('X-Xss-Protection', '1; mode=block') - r.headers.set('X-Content-Type-Options', 'nosniff') - r.headers.set('Referrer-Policy', 'no-referrer') - r.headers.set('Server', 'Onion') + for header,value in security_headers: + r.headers.set(header, value) return r global download_count @@ -310,13 +308,8 @@ def download(slug_candidate): r = Response(generate()) r.headers.set('Content-Length', zip_filesize) r.headers.set('Content-Disposition', 'attachment', filename=basename) - r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'unsafe-inline\' data:;') - r.headers.set('X-Frame-Options', 'DENY') - r.headers.set('X-Xss-Protection', '1; mode=block') - r.headers.set('X-Content-Type-Options', 'nosniff') - r.headers.set('Referrer-Policy', 'no-referrer') - r.headers.set('Server', 'Onion') - + for header,value in security_headers: + r.headers.set(header, value) # guess content type (content_type, _) = mimetypes.guess_type(basename, strict=False) if content_type is not None: @@ -340,12 +333,8 @@ def page_not_found(e): print(strings._('error_rate_limit')) r = make_response(render_template_string(open(common.get_resource_path('html/404.html')).read())) - r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'unsafe-inline\' data:;') - r.headers.set('X-Frame-Options', 'DENY') - r.headers.set('X-Xss-Protection', '1; mode=block') - r.headers.set('X-Content-Type-Options', 'nosniff') - r.headers.set('Referrer-Policy', 'no-referrer') - r.headers.set('Server', 'Onion') + for header,value in security_headers: + r.headers.set(header, value) return r # shutting down the server only works within the context of flask, so the easiest way to do it is over http |