author | Miguel Jacq <mig@mig5.net> | 2019-09-22 16:49:31 +1000 |
committer | Miguel Jacq <mig@mig5.net> | 2019-09-22 16:49:31 +1000 |
commit | d8c0bc4e4fb8ce95c5a472f1b86d7ec86547162b (patch) | |
tree | 54e15605528be26cfd71437350cc1f0ea526f950 /onionshare | |
parent | 17063e54db1c3123bff6210ab787eadfe5e75965 (diff) | |
Invert the CSP header setting and put it in its own Website Mode settings group. Make the CSP header mandatory for share/receive modes, optional for website mode only.
Diffstat (limited to 'onionshare')
-rw-r--r-- | onionshare/settings.py | 2 | ||||
-rw-r--r-- | onionshare/web/web.py | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/onionshare/settings.py b/onionshare/settings.py
index 28523b89..7a017bf0 100644
--- a/onionshare/settings.py
+++ b/onionshare/settings.py
@@ -114,7 +114,7 @@ class Settings(object):
 'password': '',
 'hidservauth_string': '',
 'data_dir': self.build_default_data_dir(),
- 'csp_header_enabled': True,
+ 'csp_header_disabled': False,
 'locale': None # this gets defined in fill_in_defaults()
 }
 self._settings = {}
diff --git a/onionshare/web/web.py b/onionshare/web/web.py
index c1a9ce4c..f3e1e07a 100644
--- a/onionshare/web/web.py
+++ b/onionshare/web/web.py
@@ -239,7 +239,8 @@ class Web:
 """
 for header, value in self.security_headers:
 r.headers.set(header, value)
- if self.common.settings.get('csp_header_enabled'):
+ # Set a CSP header unless in website mode and the user has disabled it
+ if not self.common.settings.get('csp_header_disabled') or self.mode != 'website':
 r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;')
 return r |
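Review bot: The new condition in the web.py hunk reads as a double negative (`not … 'csp_header_disabled' … or self.mode != 'website'`), which is easy to misread even though operator precedence gives the intended "always send the CSP header except when website mode has explicitly opted out"; naming the opt-out keeps the secure default visible: `csp_opt_out = self.mode == 'website' and self.common.settings.get('csp_header_disabled')` followed by `if not csp_opt_out:`. The key rename in the settings.py hunk presumably means a `csp_header_enabled` value persisted by an earlier version is now ignored rather than migrated; that is harmless here because the new default leaves the header on, but the comment could say so explicitly. The enclosing method begins before the hunk (only the closing line of its docstring is visible), so its docstring should also state that the Content-Security-Policy header is mandatory in share and receive modes and optional only in website mode.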