Make setting the Content-Security-Policy header optional so it doesn't break website mode shares

4 files changed, 44 insertions, 1 deletions

diff --git a/tests/GuiWebsiteTest.py b/tests/GuiWebsiteTest.py
index 7b88bfdf..f58f4aa2 100644
--- a/tests/GuiWebsiteTest.py
+++ b/tests/GuiWebsiteTest.py
@@ -65,6 +65,20 @@ class GuiWebsiteTest(GuiShareTest):
         QtTest.QTest.qWait(2000)
         self.assertTrue('This is a test website hosted by OnionShare' in r.text)
 
+    def check_csp_header(self, public_mode, csp_header_enabled):
+        '''Test that the CSP header is present when enabled or vice versa'''
+        url = "http://127.0.0.1:{}/".format(self.gui.app.port)
+        if public_mode:
+            r = requests.get(url)
+        else:
+            r = requests.get(url, auth=requests.auth.HTTPBasicAuth('onionshare', self.gui.website_mode.server_status.web.password))
+
+        QtTest.QTest.qWait(2000)
+        if csp_header_enabled:
+            self.assertTrue('Content-Security-Policy' in r.headers)
+        else:
+            self.assertFalse('Content-Security-Policy' in r.headers)
+
     def run_all_website_mode_setup_tests(self):
         """Tests in website mode prior to starting a share"""
         self.click_mode(self.gui.website_mode)
@@ -92,6 +106,7 @@ class GuiWebsiteTest(GuiShareTest):
         self.run_all_website_mode_setup_tests()
         self.run_all_website_mode_started_tests(public_mode, startup_time=2000)
         self.view_website(public_mode)
+        self.check_csp_header(public_mode, self.gui.common.settings.get('csp_header_enabled'))
         self.history_widgets_present(self.gui.website_mode)
         self.server_is_stopped(self.gui.website_mode, False)
         self.web_server_is_stopped()
diff --git a/tests/local_onionshare_website_mode_csp_enabled_test.py b/tests/local_onionshare_website_mode_csp_enabled_test.py
new file mode 100644
index 00000000..3cf79440
--- /dev/null
+++ b/tests/local_onionshare_website_mode_csp_enabled_test.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+import pytest
+import unittest
+
+from .GuiWebsiteTest import GuiWebsiteTest
+
+class LocalWebsiteModeCSPEnabledTest(unittest.TestCase, GuiWebsiteTest):
+    @classmethod
+    def setUpClass(cls):
+        test_settings = {
+            "csp_header_enabled": True,
+        }
+        cls.gui = GuiWebsiteTest.set_up(test_settings)
+
+    @classmethod
+    def tearDownClass(cls):
+        GuiWebsiteTest.tear_down()
+
+    @pytest.mark.gui
+    @pytest.mark.skipif(pytest.__version__ < '2.9', reason="requires newer pytest")
+    def test_gui(self):
+        #self.run_all_common_setup_tests()
+        self.run_all_website_mode_download_tests(False)
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/tests/local_onionshare_website_mode_test.py b/tests/local_onionshare_website_mode_test.py
index 051adb3c..5a7334a4 100644
--- a/tests/local_onionshare_website_mode_test.py
+++ b/tests/local_onionshare_website_mode_test.py
@@ -8,6 +8,7 @@ class LocalWebsiteModeTest(unittest.TestCase, GuiWebsiteTest):
     @classmethod
     def setUpClass(cls):
         test_settings = {
+            "csp_header_enabled": False
         }
         cls.gui = GuiWebsiteTest.set_up(test_settings)
 
diff --git a/tests/test_onionshare_settings.py b/tests/test_onionshare_settings.py
index 05878899..d46c599b 100644
--- a/tests/test_onionshare_settings.py
+++ b/tests/test_onionshare_settings.py
@@ -66,7 +66,8 @@ class TestSettings:
             'password': '',
             'hidservauth_string': '',
             'data_dir': os.path.expanduser('~/OnionShare'),
-            'public_mode': False
+            'public_mode': False,
+            'csp_header_enabled': True
         }
         for key in settings_obj._settings:
             # Skip locale, it will not always default to the same thing