author | Miguel Jacq <mig@mig5.net> | 2019-09-16 12:10:17 +1000 |
---|---|---|
committer | Miguel Jacq <mig@mig5.net> | 2019-09-16 12:10:17 +1000 |
commit | 2524ddaf9485e484c87f2cea51414fc0d362187b (patch) | |
tree | d120ce70a6d987bc4bfcf137bd004ed58f34b40b /onionshare | |
parent | 957d3e9c6d424fdfc394bef529b87f52e16f371f (diff) | |
download | onionshare-2524ddaf9485e484c87f2cea51414fc0d362187b.tar.gz onionshare-2524ddaf9485e484c87f2cea51414fc0d362187b.zip |
Make setting the Content-Security-Policy header optional so it doesn't break website mode shares
Diffstat (limited to 'onionshare')
-rw-r--r-- | onionshare/settings.py | 1 | ||||
-rw-r--r-- | onionshare/web/web.py | 24 |
2 files changed, 16 insertions, 9 deletions
diff --git a/onionshare/settings.py b/onionshare/settings.py
index 762c6dc2..28523b89 100644
--- a/onionshare/settings.py
+++ b/onionshare/settings.py
@@ -114,6 +114,7 @@ class Settings(object):
             'password': '',
             'hidservauth_string': '',
             'data_dir': self.build_default_data_dir(),
+            'csp_header_enabled': True,
             'locale': None # this gets defined in fill_in_defaults()
         }
         self._settings = {}
diff --git a/onionshare/web/web.py b/onionshare/web/web.py
index ecd9edc2..825e690c 100644
--- a/onionshare/web/web.py
+++ b/onionshare/web/web.py
@@ -91,15 +91,6 @@ class Web:
         # Monkey-patch in the fix from https://github.com/pallets/flask/commit/99c99c4c16b1327288fd76c44bc8635a1de452bc
         Flask.select_jinja_autoescape = self._safe_select_jinja_autoescape
-        self.security_headers = [
-            ('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;'),
-            ('X-Frame-Options', 'DENY'),
-            ('X-Xss-Protection', '1; mode=block'),
-            ('X-Content-Type-Options', 'nosniff'),
-            ('Referrer-Policy', 'no-referrer'),
-            ('Server', 'OnionShare')
-        ]
-
         self.q = queue.Queue()
         self.password = None
@@ -293,6 +284,20 @@ class Web:
             pass
         self.running = False
+    def set_security_headers(self):
+        """
+        Set the security headers for the web service each time we start it.
+        """
+        self.security_headers = [
+            ('X-Frame-Options', 'DENY'),
+            ('X-Xss-Protection', '1; mode=block'),
+            ('X-Content-Type-Options', 'nosniff'),
+            ('Referrer-Policy', 'no-referrer'),
+            ('Server', 'OnionShare')
+        ]
+        if self.common.settings.get('csp_header_enabled'):
+            self.security_headers.append(('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;'))
+
     def start(self, port, stay_open=False, public_mode=False, password=None):
         """
         Start the flask web server.
@@ -315,6 +320,7 @@ class Web:
         host = '127.0.0.1'
         self.running = True
+        self.set_security_headers()
         self.app.run(host=host, port=port, threaded=True)
     def stop(self, port):
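Review bot: Dropping the `self.security_headers` assignment from `__init__` leaves the attribute undefined until `start()` runs, so any code that reads `web.security_headers` before the server is started (the response hook is presumably only reached during requests, but tests or GUI code may touch it earlier) would now raise `AttributeError`. Keeping a neutral default in `__init__`, `self.security_headers = []`, or calling `self.set_security_headers()` from `__init__` as well, would preserve the per-start refresh while keeping the attribute always present. The enclosing `__init__` starts and ends outside the hunk.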
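Review bot: The docstring on `set_security_headers` should state that when `csp_header_enabled` is false no Content-Security-Policy header is sent at all, not a relaxed one, so a website-mode share then relies only on the remaining headers; something like `The Content-Security-Policy header is omitted entirely when the 'csp_header_enabled' setting is false, which website mode shares need in order to load their own resources.` appended to the existing summary would make that explicit. `self.common.settings.get('csp_header_enabled')` also returns None if an older settings file lacks the key, which silently disables the CSP for that user; if `fill_in_defaults()` (referenced on the `'locale'` line in the settings hunk) backfills new defaults this is fine, but it is worth confirming. As a point of style, the CSP literal would read more easily with double quotes instead of the escaped single quotes, `"default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self' data:;"`.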