authorMicah Lee <micah@micahflee.com>2019-09-22 12:57:13 -0700
committerGitHub <noreply@github.com>2019-09-22 12:57:13 -0700
commit26f24906731139834ca2bdadfe79cdfd07dd354f (patch)
tree01a1cbd721de82386271b371c53fdf1a1526cd11 /onionshare
parentc0bbe120763bb5b71b914e13164a888f5227a010 (diff)
parentd8c0bc4e4fb8ce95c5a472f1b86d7ec86547162b (diff)
Merge pull request #1030 from mig5/1029_optional_csp
Make setting the Content-Security-Policy header optional so it doesn't break website mode shares
Diffstat (limited to 'onionshare')
-rw-r--r--onionshare/settings.py1
-rw-r--r--onionshare/web/web.py4
2 files changed, 4 insertions, 1 deletions
diff --git a/onionshare/settings.py b/onionshare/settings.py
index 762c6dc2..7a017bf0 100644
--- a/onionshare/settings.py
+++ b/onionshare/settings.py
@@ -114,6 +114,7 @@ class Settings(object):
'password': '',
'hidservauth_string': '',
'data_dir': self.build_default_data_dir(),
+ 'csp_header_disabled': False,
'locale': None # this gets defined in fill_in_defaults()
}
self._settings = {}
diff --git a/onionshare/web/web.py b/onionshare/web/web.py
index ecd9edc2..f3e1e07a 100644
--- a/onionshare/web/web.py
+++ b/onionshare/web/web.py
@@ -92,7 +92,6 @@ class Web:
Flask.select_jinja_autoescape = self._safe_select_jinja_autoescape
self.security_headers = [
- ('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;'),
('X-Frame-Options', 'DENY'),
('X-Xss-Protection', '1; mode=block'),
('X-Content-Type-Options', 'nosniff'),
@@ -240,6 +239,9 @@ class Web:
"""
for header, value in self.security_headers:
r.headers.set(header, value)
+ # Set a CSP header unless in website mode and the user has disabled it
+ if not self.common.settings.get('csp_header_disabled') or self.mode != 'website':
+ r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;')
return r
def _safe_select_jinja_autoescape(self, filename):
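Review bot: The Content-Security-Policy value on the new `r.headers.set(...)` line is now an inline literal detached from the `self.security_headers` table it was removed from in the earlier hunk, so future edits to the policy have to find it here rather than next to the other headers; hoisting it to a class-level constant such as `CSP_HEADER_VALUE = "default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self' data:;"` and referencing it on that line keeps the policy in one visible place. The added comment could also state the consequence of the new branch, since when `csp_header_disabled` is true in website mode no CSP header is sent at all rather than a relaxed one: `# Website mode with csp_header_disabled sends no CSP at all; every other mode always gets the strict policy`. The condition itself reads correctly as "set unless (disabled and website)", though whether `self.mode` is always populated before `add_security_headers` runs is not visible in this hunk. The enclosing method begins above the hunk.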