diff options
| author | Micah Lee <micah@micahflee.com> | 2019-09-22 12:57:13 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-09-22 12:57:13 -0700 |
| commit | 26f24906731139834ca2bdadfe79cdfd07dd354f (patch) | |
| tree | 01a1cbd721de82386271b371c53fdf1a1526cd11 | |
| parent | c0bbe120763bb5b71b914e13164a888f5227a010 (diff) | |
| parent | d8c0bc4e4fb8ce95c5a472f1b86d7ec86547162b (diff) | |
| download | onionshare-26f24906731139834ca2bdadfe79cdfd07dd354f.tar.gz onionshare-26f24906731139834ca2bdadfe79cdfd07dd354f.zip | |
Merge pull request #1030 from mig5/1029_optional_csp
Make setting the Content-Security-Policy header optional so it doesn't break website mode shares
| -rw-r--r-- | onionshare/settings.py | 1 | ||||
| -rw-r--r-- | onionshare/web/web.py | 4 | ||||
| -rw-r--r-- | onionshare_gui/settings_dialog.py | 38 | ||||
| -rw-r--r-- | share/locale/en.json | 2 | ||||
| -rw-r--r-- | tests/GuiWebsiteTest.py | 15 | ||||
| -rw-r--r-- | tests/local_onionshare_website_mode_csp_enabled_test.py | 26 | ||||
| -rw-r--r-- | tests/local_onionshare_website_mode_test.py | 1 | ||||
| -rw-r--r-- | tests/test_onionshare_settings.py | 3 |
8 files changed, 88 insertions, 2 deletions
diff --git a/onionshare/settings.py b/onionshare/settings.py index 762c6dc2..7a017bf0 100644 --- a/onionshare/settings.py +++ b/onionshare/settings.py @@ -114,6 +114,7 @@ class Settings(object): 'password': '', 'hidservauth_string': '', 'data_dir': self.build_default_data_dir(), + 'csp_header_disabled': False, 'locale': None # this gets defined in fill_in_defaults() } self._settings = {} diff --git a/onionshare/web/web.py b/onionshare/web/web.py index ecd9edc2..f3e1e07a 100644 --- a/onionshare/web/web.py +++ b/onionshare/web/web.py @@ -92,7 +92,6 @@ class Web: Flask.select_jinja_autoescape = self._safe_select_jinja_autoescape self.security_headers = [ - ('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;'), ('X-Frame-Options', 'DENY'), ('X-Xss-Protection', '1; mode=block'), ('X-Content-Type-Options', 'nosniff'), @@ -240,6 +239,9 @@ class Web: """ for header, value in self.security_headers: r.headers.set(header, value) + # Set a CSP header unless in website mode and the user has disabled it + if not self.common.settings.get('csp_header_disabled') or self.mode != 'website': + r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;') return r def _safe_select_jinja_autoescape(self, filename): diff --git a/onionshare_gui/settings_dialog.py b/onionshare_gui/settings_dialog.py index 25165688..ec91a491 100644 --- a/onionshare_gui/settings_dialog.py +++ b/onionshare_gui/settings_dialog.py @@ -238,6 +238,36 @@ class SettingsDialog(QtWidgets.QDialog): receiving_group = QtWidgets.QGroupBox(strings._("gui_settings_receiving_label")) receiving_group.setLayout(receiving_group_layout) + # Option to disable Content Security Policy (for website sharing) + self.csp_header_disabled_checkbox = QtWidgets.QCheckBox() + self.csp_header_disabled_checkbox.setCheckState(QtCore.Qt.Unchecked) + self.csp_header_disabled_checkbox.setText(strings._("gui_settings_csp_header_disabled_option")) + csp_header_label = QtWidgets.QLabel(strings._("gui_settings_whats_this").format("https://github.com/micahflee/onionshare/wiki/Content-Security-Policy")) + csp_header_label.setStyleSheet(self.common.css['settings_whats_this']) + csp_header_label.setTextInteractionFlags(QtCore.Qt.TextBrowserInteraction) + csp_header_label.setOpenExternalLinks(True) + csp_header_label.setMinimumSize(csp_header_label.sizeHint()) + csp_header_layout = QtWidgets.QHBoxLayout() + csp_header_layout.addWidget(self.csp_header_disabled_checkbox) + csp_header_layout.addWidget(csp_header_label) + csp_header_layout.addStretch() + csp_header_layout.setContentsMargins(0,0,0,0) + self.csp_header_widget = QtWidgets.QWidget() + self.csp_header_widget.setLayout(csp_header_layout) + + # Website settings widget + website_settings_layout = QtWidgets.QVBoxLayout() + website_settings_layout.setContentsMargins(0, 0, 0, 0) + website_settings_layout.addWidget(self.csp_header_widget) + self.website_settings_widget = QtWidgets.QWidget() + self.website_settings_widget.setLayout(website_settings_layout) + + # Website mode options layout + website_group_layout = QtWidgets.QVBoxLayout() + website_group_layout.addWidget(self.website_settings_widget) + website_group = QtWidgets.QGroupBox(strings._("gui_settings_website_label")) + website_group.setLayout(website_group_layout) + # Automatic updates options # Autoupdate @@ -482,6 +512,7 @@ class SettingsDialog(QtWidgets.QDialog): left_col_layout.addWidget(onion_group) left_col_layout.addWidget(sharing_group) left_col_layout.addWidget(receiving_group) + left_col_layout.addWidget(website_group) left_col_layout.addWidget(autoupdate_group) left_col_layout.addLayout(language_layout) left_col_layout.addStretch() @@ -517,6 +548,12 @@ class SettingsDialog(QtWidgets.QDialog): else: self.close_after_first_download_checkbox.setCheckState(QtCore.Qt.Unchecked) + csp_header_disabled = self.old_settings.get('csp_header_disabled') + if csp_header_disabled: + self.csp_header_disabled_checkbox.setCheckState(QtCore.Qt.Checked) + else: + self.csp_header_disabled_checkbox.setCheckState(QtCore.Qt.Unchecked) + autostart_timer = self.old_settings.get('autostart_timer') if autostart_timer: self.autostart_timer_checkbox.setCheckState(QtCore.Qt.Checked) @@ -982,6 +1019,7 @@ class SettingsDialog(QtWidgets.QDialog): settings.load() # To get the last update timestamp settings.set('close_after_first_download', self.close_after_first_download_checkbox.isChecked()) + settings.set('csp_header_disabled', self.csp_header_disabled_checkbox.isChecked()) settings.set('autostart_timer', self.autostart_timer_checkbox.isChecked()) settings.set('autostop_timer', self.autostop_timer_checkbox.isChecked()) diff --git a/share/locale/en.json b/share/locale/en.json index bb5b9094..a5a948b0 100644 --- a/share/locale/en.json +++ b/share/locale/en.json @@ -52,6 +52,7 @@ "gui_settings_onion_label": "Onion settings", "gui_settings_sharing_label": "Sharing settings", "gui_settings_close_after_first_download_option": "Stop sharing after files have been sent", + "gui_settings_csp_header_disabled_option": "Disable Content Security Policy header", "gui_settings_individual_downloads_label": "Uncheck to allow downloading individual files", "gui_settings_connection_type_label": "How should OnionShare connect to Tor?", "gui_settings_connection_type_bundled_option": "Use the Tor version built into OnionShare", @@ -141,6 +142,7 @@ "gui_mode_receive_button": "Receive Files", "gui_mode_website_button": "Publish Website", "gui_settings_receiving_label": "Receiving settings", + "gui_settings_website_label": "Website settings", "gui_settings_data_dir_label": "Save files to", "gui_settings_data_dir_browse_button": "Browse", "gui_settings_public_mode_checkbox": "Public mode", diff --git a/tests/GuiWebsiteTest.py b/tests/GuiWebsiteTest.py index 7b88bfdf..798c619a 100644 --- a/tests/GuiWebsiteTest.py +++ b/tests/GuiWebsiteTest.py @@ -65,6 +65,20 @@ class GuiWebsiteTest(GuiShareTest): QtTest.QTest.qWait(2000) self.assertTrue('This is a test website hosted by OnionShare' in r.text) + def check_csp_header(self, public_mode, csp_header_disabled): + '''Test that the CSP header is present when enabled or vice versa''' + url = "http://127.0.0.1:{}/".format(self.gui.app.port) + if public_mode: + r = requests.get(url) + else: + r = requests.get(url, auth=requests.auth.HTTPBasicAuth('onionshare', self.gui.website_mode.server_status.web.password)) + + QtTest.QTest.qWait(2000) + if csp_header_disabled: + self.assertFalse('Content-Security-Policy' in r.headers) + else: + self.assertTrue('Content-Security-Policy' in r.headers) + def run_all_website_mode_setup_tests(self): """Tests in website mode prior to starting a share""" self.click_mode(self.gui.website_mode) @@ -92,6 +106,7 @@ class GuiWebsiteTest(GuiShareTest): self.run_all_website_mode_setup_tests() self.run_all_website_mode_started_tests(public_mode, startup_time=2000) self.view_website(public_mode) + self.check_csp_header(public_mode, self.gui.common.settings.get('csp_header_disabled')) self.history_widgets_present(self.gui.website_mode) self.server_is_stopped(self.gui.website_mode, False) self.web_server_is_stopped() diff --git a/tests/local_onionshare_website_mode_csp_enabled_test.py b/tests/local_onionshare_website_mode_csp_enabled_test.py new file mode 100644 index 00000000..fbdc07ea --- /dev/null +++ b/tests/local_onionshare_website_mode_csp_enabled_test.py @@ -0,0 +1,26 @@ +#!/usr/bin/env python3 +import pytest +import unittest + +from .GuiWebsiteTest import GuiWebsiteTest + +class LocalWebsiteModeCSPEnabledTest(unittest.TestCase, GuiWebsiteTest): + @classmethod + def setUpClass(cls): + test_settings = { + "csp_header_disabled": False, + } + cls.gui = GuiWebsiteTest.set_up(test_settings) + + @classmethod + def tearDownClass(cls): + GuiWebsiteTest.tear_down() + + @pytest.mark.gui + @pytest.mark.skipif(pytest.__version__ < '2.9', reason="requires newer pytest") + def test_gui(self): + #self.run_all_common_setup_tests() + self.run_all_website_mode_download_tests(False) + +if __name__ == "__main__": + unittest.main() diff --git a/tests/local_onionshare_website_mode_test.py b/tests/local_onionshare_website_mode_test.py index 051adb3c..fc560f70 100644 --- a/tests/local_onionshare_website_mode_test.py +++ b/tests/local_onionshare_website_mode_test.py @@ -8,6 +8,7 @@ class LocalWebsiteModeTest(unittest.TestCase, GuiWebsiteTest): @classmethod def setUpClass(cls): test_settings = { + "csp_header_disabled": True } cls.gui = GuiWebsiteTest.set_up(test_settings) diff --git a/tests/test_onionshare_settings.py b/tests/test_onionshare_settings.py index 05878899..12200b70 100644 --- a/tests/test_onionshare_settings.py +++ b/tests/test_onionshare_settings.py @@ -66,7 +66,8 @@ class TestSettings: 'password': '', 'hidservauth_string': '', 'data_dir': os.path.expanduser('~/OnionShare'), - 'public_mode': False + 'public_mode': False, + 'csp_header_disabled': False } for key in settings_obj._settings: # Skip locale, it will not always default to the same thing |