authorMiguel Jacq <mig@mig5.net>2019-09-22 16:49:31 +1000
committerMiguel Jacq <mig@mig5.net>2019-09-22 16:49:31 +1000
commitd8c0bc4e4fb8ce95c5a472f1b86d7ec86547162b (patch)
tree54e15605528be26cfd71437350cc1f0ea526f950 /onionshare
parent17063e54db1c3123bff6210ab787eadfe5e75965 (diff)
Invert the CSP header setting and put it in its own Website Mode settings group. Make the CSP header mandatory for share/receive modes, optional for website mode only.
Diffstat (limited to 'onionshare')
-rw-r--r--onionshare/settings.py2
-rw-r--r--onionshare/web/web.py3
2 files changed, 3 insertions, 2 deletions
diff --git a/onionshare/settings.py b/onionshare/settings.py
index 28523b89..7a017bf0 100644
--- a/onionshare/settings.py
+++ b/onionshare/settings.py
@@ -114,7 +114,7 @@ class Settings(object):
'password': '',
'hidservauth_string': '',
'data_dir': self.build_default_data_dir(),
- 'csp_header_enabled': True,
+ 'csp_header_disabled': False,
'locale': None # this gets defined in fill_in_defaults()
}
self._settings = {}
diff --git a/onionshare/web/web.py b/onionshare/web/web.py
index c1a9ce4c..f3e1e07a 100644
--- a/onionshare/web/web.py
+++ b/onionshare/web/web.py
@@ -239,7 +239,8 @@ class Web:
"""
for header, value in self.security_headers:
r.headers.set(header, value)
- if self.common.settings.get('csp_header_enabled'):
+ # Set a CSP header unless in website mode and the user has disabled it
+ if not self.common.settings.get('csp_header_disabled') or self.mode != 'website':
r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;')
return r
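Review bot: The condition on the new `if` line is correct but hard to read, because the mode check is the dominant term (it alone forces the header on for share/receive) yet it is written second behind a negated setting lookup; `if self.mode != 'website' or not self.common.settings.get('csp_header_disabled'):` states the commit's intent in the order the comment describes it. The "mandatory for share/receive" guarantee also depends on `self.mode` always being set by the time this after-request hook runs and on `settings.get('csp_header_disabled')` returning the `False` default for existing settings files that only carry the old `csp_header_enabled` key — both are defined outside this hunk, so I would confirm them rather than assume. Since the header is now a hard guarantee for two modes, a test that asserts `Content-Security-Policy` is present on a share-mode and a receive-mode response even with `csp_header_disabled` set to `True` would pin that behaviour; the diffstat is limited to `onionshare/`, so such a test may already exist elsewhere in the commit. The enclosing method starts before this hunk.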