author | Micah Lee <micah@micahflee.com> | 2019-09-22 12:57:13 -0700 |
committer | GitHub <noreply@github.com> | 2019-09-22 12:57:13 -0700 |
commit | 26f24906731139834ca2bdadfe79cdfd07dd354f (patch) | |
tree | 01a1cbd721de82386271b371c53fdf1a1526cd11 /onionshare | |
parent | c0bbe120763bb5b71b914e13164a888f5227a010 (diff) | |
parent | d8c0bc4e4fb8ce95c5a472f1b86d7ec86547162b (diff) | |
Merge pull request #1030 from mig5/1029_optional_csp
Make setting the Content-Security-Policy header optional so it doesn't break website mode shares
Diffstat (limited to 'onionshare')
-rw-r--r-- | onionshare/settings.py | 1 | ||||
-rw-r--r-- | onionshare/web/web.py | 4 |
2 files changed, 4 insertions, 1 deletions
diff --git a/onionshare/settings.py b/onionshare/settings.py
index 762c6dc2..7a017bf0 100644
--- a/onionshare/settings.py
+++ b/onionshare/settings.py
@@ -114,6 +114,7 @@ class Settings(object):
 'password': '',
 'hidservauth_string': '',
 'data_dir': self.build_default_data_dir(),
+ 'csp_header_disabled': False,
 'locale': None # this gets defined in fill_in_defaults()
 }
 self._settings = {}
diff --git a/onionshare/web/web.py b/onionshare/web/web.py
index ecd9edc2..f3e1e07a 100644
--- a/onionshare/web/web.py
+++ b/onionshare/web/web.py
@@ -92,7 +92,6 @@ class Web:
 Flask.select_jinja_autoescape = self._safe_select_jinja_autoescape
 self.security_headers = [
- ('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;'),
 ('X-Frame-Options', 'DENY'),
 ('X-Xss-Protection', '1; mode=block'),
 ('X-Content-Type-Options', 'nosniff'),
@@ -240,6 +239,9 @@ class Web:
 """
 for header, value in self.security_headers:
 r.headers.set(header, value)
+ # Set a CSP header unless in website mode and the user has disabled it
+ if not self.common.settings.get('csp_header_disabled') or self.mode != 'website':
+ r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;')
 return r
 def _safe_select_jinja_autoescape(self, filename): |
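Review bot: The opt-out in the last hunk is all-or-nothing: when `csp_header_disabled` is set in website mode the response carries no Content-Security-Policy at all, so a hosted page is free to load scripts, styles and images from any third-party origin, which for a share meant to stay on the onion service is a cross-origin disclosure of every visitor to those origins (presumably still routed through Tor Browser, but still a leak of the visit). A relaxed policy that keeps `default-src 'self'` and only adds what website mode needs (e.g. `'unsafe-inline'`) would be a safer middle ground than dropping the header, and a one-time warning log when the header is disabled would make the downgrade visible to the operator. The policy string is now an inline literal rather than an entry in `security_headers`; hoisting it to a class attribute such as `CSP_POLICY = "default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self' data:;"` and calling `r.headers.set('Content-Security-Policy', self.CSP_POLICY)` keeps it in one greppable place. The double-negative condition reads more clearly as `csp_disabled = self.mode == 'website' and self.common.settings.get('csp_header_disabled')` followed by `if not csp_disabled:`. The enclosing `add_security_headers` method starts before this hunk, so whether `self.mode` is always set by the time it runs cannot be confirmed from here.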