mirror of
https://github.com/onionshare/onionshare.git
synced 2024-12-28 16:59:35 -05:00
Merge pull request #1030 from mig5/1029_optional_csp
Make setting the Content-Security-Policy header optional so it doesn't break website mode shares
This commit is contained in:
commit
26f2490673
@ -114,6 +114,7 @@ class Settings(object):
|
|||||||
'password': '',
|
'password': '',
|
||||||
'hidservauth_string': '',
|
'hidservauth_string': '',
|
||||||
'data_dir': self.build_default_data_dir(),
|
'data_dir': self.build_default_data_dir(),
|
||||||
|
'csp_header_disabled': False,
|
||||||
'locale': None # this gets defined in fill_in_defaults()
|
'locale': None # this gets defined in fill_in_defaults()
|
||||||
}
|
}
|
||||||
self._settings = {}
|
self._settings = {}
|
||||||
|
@ -92,7 +92,6 @@ class Web:
|
|||||||
Flask.select_jinja_autoescape = self._safe_select_jinja_autoescape
|
Flask.select_jinja_autoescape = self._safe_select_jinja_autoescape
|
||||||
|
|
||||||
self.security_headers = [
|
self.security_headers = [
|
||||||
('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;'),
|
|
||||||
('X-Frame-Options', 'DENY'),
|
('X-Frame-Options', 'DENY'),
|
||||||
('X-Xss-Protection', '1; mode=block'),
|
('X-Xss-Protection', '1; mode=block'),
|
||||||
('X-Content-Type-Options', 'nosniff'),
|
('X-Content-Type-Options', 'nosniff'),
|
||||||
@ -240,6 +239,9 @@ class Web:
|
|||||||
"""
|
"""
|
||||||
for header, value in self.security_headers:
|
for header, value in self.security_headers:
|
||||||
r.headers.set(header, value)
|
r.headers.set(header, value)
|
||||||
|
# Set a CSP header unless in website mode and the user has disabled it
|
||||||
|
if not self.common.settings.get('csp_header_disabled') or self.mode != 'website':
|
||||||
|
r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;')
|
||||||
return r
|
return r
|
||||||
|
|
||||||
def _safe_select_jinja_autoescape(self, filename):
|
def _safe_select_jinja_autoescape(self, filename):
|
||||||
|
@ -238,6 +238,36 @@ class SettingsDialog(QtWidgets.QDialog):
|
|||||||
receiving_group = QtWidgets.QGroupBox(strings._("gui_settings_receiving_label"))
|
receiving_group = QtWidgets.QGroupBox(strings._("gui_settings_receiving_label"))
|
||||||
receiving_group.setLayout(receiving_group_layout)
|
receiving_group.setLayout(receiving_group_layout)
|
||||||
|
|
||||||
|
# Option to disable Content Security Policy (for website sharing)
|
||||||
|
self.csp_header_disabled_checkbox = QtWidgets.QCheckBox()
|
||||||
|
self.csp_header_disabled_checkbox.setCheckState(QtCore.Qt.Unchecked)
|
||||||
|
self.csp_header_disabled_checkbox.setText(strings._("gui_settings_csp_header_disabled_option"))
|
||||||
|
csp_header_label = QtWidgets.QLabel(strings._("gui_settings_whats_this").format("https://github.com/micahflee/onionshare/wiki/Content-Security-Policy"))
|
||||||
|
csp_header_label.setStyleSheet(self.common.css['settings_whats_this'])
|
||||||
|
csp_header_label.setTextInteractionFlags(QtCore.Qt.TextBrowserInteraction)
|
||||||
|
csp_header_label.setOpenExternalLinks(True)
|
||||||
|
csp_header_label.setMinimumSize(csp_header_label.sizeHint())
|
||||||
|
csp_header_layout = QtWidgets.QHBoxLayout()
|
||||||
|
csp_header_layout.addWidget(self.csp_header_disabled_checkbox)
|
||||||
|
csp_header_layout.addWidget(csp_header_label)
|
||||||
|
csp_header_layout.addStretch()
|
||||||
|
csp_header_layout.setContentsMargins(0,0,0,0)
|
||||||
|
self.csp_header_widget = QtWidgets.QWidget()
|
||||||
|
self.csp_header_widget.setLayout(csp_header_layout)
|
||||||
|
|
||||||
|
# Website settings widget
|
||||||
|
website_settings_layout = QtWidgets.QVBoxLayout()
|
||||||
|
website_settings_layout.setContentsMargins(0, 0, 0, 0)
|
||||||
|
website_settings_layout.addWidget(self.csp_header_widget)
|
||||||
|
self.website_settings_widget = QtWidgets.QWidget()
|
||||||
|
self.website_settings_widget.setLayout(website_settings_layout)
|
||||||
|
|
||||||
|
# Website mode options layout
|
||||||
|
website_group_layout = QtWidgets.QVBoxLayout()
|
||||||
|
website_group_layout.addWidget(self.website_settings_widget)
|
||||||
|
website_group = QtWidgets.QGroupBox(strings._("gui_settings_website_label"))
|
||||||
|
website_group.setLayout(website_group_layout)
|
||||||
|
|
||||||
# Automatic updates options
|
# Automatic updates options
|
||||||
|
|
||||||
# Autoupdate
|
# Autoupdate
|
||||||
@ -482,6 +512,7 @@ class SettingsDialog(QtWidgets.QDialog):
|
|||||||
left_col_layout.addWidget(onion_group)
|
left_col_layout.addWidget(onion_group)
|
||||||
left_col_layout.addWidget(sharing_group)
|
left_col_layout.addWidget(sharing_group)
|
||||||
left_col_layout.addWidget(receiving_group)
|
left_col_layout.addWidget(receiving_group)
|
||||||
|
left_col_layout.addWidget(website_group)
|
||||||
left_col_layout.addWidget(autoupdate_group)
|
left_col_layout.addWidget(autoupdate_group)
|
||||||
left_col_layout.addLayout(language_layout)
|
left_col_layout.addLayout(language_layout)
|
||||||
left_col_layout.addStretch()
|
left_col_layout.addStretch()
|
||||||
@ -517,6 +548,12 @@ class SettingsDialog(QtWidgets.QDialog):
|
|||||||
else:
|
else:
|
||||||
self.close_after_first_download_checkbox.setCheckState(QtCore.Qt.Unchecked)
|
self.close_after_first_download_checkbox.setCheckState(QtCore.Qt.Unchecked)
|
||||||
|
|
||||||
|
csp_header_disabled = self.old_settings.get('csp_header_disabled')
|
||||||
|
if csp_header_disabled:
|
||||||
|
self.csp_header_disabled_checkbox.setCheckState(QtCore.Qt.Checked)
|
||||||
|
else:
|
||||||
|
self.csp_header_disabled_checkbox.setCheckState(QtCore.Qt.Unchecked)
|
||||||
|
|
||||||
autostart_timer = self.old_settings.get('autostart_timer')
|
autostart_timer = self.old_settings.get('autostart_timer')
|
||||||
if autostart_timer:
|
if autostart_timer:
|
||||||
self.autostart_timer_checkbox.setCheckState(QtCore.Qt.Checked)
|
self.autostart_timer_checkbox.setCheckState(QtCore.Qt.Checked)
|
||||||
@ -982,6 +1019,7 @@ class SettingsDialog(QtWidgets.QDialog):
|
|||||||
settings.load() # To get the last update timestamp
|
settings.load() # To get the last update timestamp
|
||||||
|
|
||||||
settings.set('close_after_first_download', self.close_after_first_download_checkbox.isChecked())
|
settings.set('close_after_first_download', self.close_after_first_download_checkbox.isChecked())
|
||||||
|
settings.set('csp_header_disabled', self.csp_header_disabled_checkbox.isChecked())
|
||||||
settings.set('autostart_timer', self.autostart_timer_checkbox.isChecked())
|
settings.set('autostart_timer', self.autostart_timer_checkbox.isChecked())
|
||||||
settings.set('autostop_timer', self.autostop_timer_checkbox.isChecked())
|
settings.set('autostop_timer', self.autostop_timer_checkbox.isChecked())
|
||||||
|
|
||||||
|
@ -52,6 +52,7 @@
|
|||||||
"gui_settings_onion_label": "Onion settings",
|
"gui_settings_onion_label": "Onion settings",
|
||||||
"gui_settings_sharing_label": "Sharing settings",
|
"gui_settings_sharing_label": "Sharing settings",
|
||||||
"gui_settings_close_after_first_download_option": "Stop sharing after files have been sent",
|
"gui_settings_close_after_first_download_option": "Stop sharing after files have been sent",
|
||||||
|
"gui_settings_csp_header_disabled_option": "Disable Content Security Policy header",
|
||||||
"gui_settings_individual_downloads_label": "Uncheck to allow downloading individual files",
|
"gui_settings_individual_downloads_label": "Uncheck to allow downloading individual files",
|
||||||
"gui_settings_connection_type_label": "How should OnionShare connect to Tor?",
|
"gui_settings_connection_type_label": "How should OnionShare connect to Tor?",
|
||||||
"gui_settings_connection_type_bundled_option": "Use the Tor version built into OnionShare",
|
"gui_settings_connection_type_bundled_option": "Use the Tor version built into OnionShare",
|
||||||
@ -141,6 +142,7 @@
|
|||||||
"gui_mode_receive_button": "Receive Files",
|
"gui_mode_receive_button": "Receive Files",
|
||||||
"gui_mode_website_button": "Publish Website",
|
"gui_mode_website_button": "Publish Website",
|
||||||
"gui_settings_receiving_label": "Receiving settings",
|
"gui_settings_receiving_label": "Receiving settings",
|
||||||
|
"gui_settings_website_label": "Website settings",
|
||||||
"gui_settings_data_dir_label": "Save files to",
|
"gui_settings_data_dir_label": "Save files to",
|
||||||
"gui_settings_data_dir_browse_button": "Browse",
|
"gui_settings_data_dir_browse_button": "Browse",
|
||||||
"gui_settings_public_mode_checkbox": "Public mode",
|
"gui_settings_public_mode_checkbox": "Public mode",
|
||||||
|
@ -65,6 +65,20 @@ class GuiWebsiteTest(GuiShareTest):
|
|||||||
QtTest.QTest.qWait(2000)
|
QtTest.QTest.qWait(2000)
|
||||||
self.assertTrue('This is a test website hosted by OnionShare' in r.text)
|
self.assertTrue('This is a test website hosted by OnionShare' in r.text)
|
||||||
|
|
||||||
|
def check_csp_header(self, public_mode, csp_header_disabled):
|
||||||
|
'''Test that the CSP header is present when enabled or vice versa'''
|
||||||
|
url = "http://127.0.0.1:{}/".format(self.gui.app.port)
|
||||||
|
if public_mode:
|
||||||
|
r = requests.get(url)
|
||||||
|
else:
|
||||||
|
r = requests.get(url, auth=requests.auth.HTTPBasicAuth('onionshare', self.gui.website_mode.server_status.web.password))
|
||||||
|
|
||||||
|
QtTest.QTest.qWait(2000)
|
||||||
|
if csp_header_disabled:
|
||||||
|
self.assertFalse('Content-Security-Policy' in r.headers)
|
||||||
|
else:
|
||||||
|
self.assertTrue('Content-Security-Policy' in r.headers)
|
||||||
|
|
||||||
def run_all_website_mode_setup_tests(self):
|
def run_all_website_mode_setup_tests(self):
|
||||||
"""Tests in website mode prior to starting a share"""
|
"""Tests in website mode prior to starting a share"""
|
||||||
self.click_mode(self.gui.website_mode)
|
self.click_mode(self.gui.website_mode)
|
||||||
@ -92,6 +106,7 @@ class GuiWebsiteTest(GuiShareTest):
|
|||||||
self.run_all_website_mode_setup_tests()
|
self.run_all_website_mode_setup_tests()
|
||||||
self.run_all_website_mode_started_tests(public_mode, startup_time=2000)
|
self.run_all_website_mode_started_tests(public_mode, startup_time=2000)
|
||||||
self.view_website(public_mode)
|
self.view_website(public_mode)
|
||||||
|
self.check_csp_header(public_mode, self.gui.common.settings.get('csp_header_disabled'))
|
||||||
self.history_widgets_present(self.gui.website_mode)
|
self.history_widgets_present(self.gui.website_mode)
|
||||||
self.server_is_stopped(self.gui.website_mode, False)
|
self.server_is_stopped(self.gui.website_mode, False)
|
||||||
self.web_server_is_stopped()
|
self.web_server_is_stopped()
|
||||||
|
26
tests/local_onionshare_website_mode_csp_enabled_test.py
Normal file
26
tests/local_onionshare_website_mode_csp_enabled_test.py
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
import pytest
|
||||||
|
import unittest
|
||||||
|
|
||||||
|
from .GuiWebsiteTest import GuiWebsiteTest
|
||||||
|
|
||||||
|
class LocalWebsiteModeCSPEnabledTest(unittest.TestCase, GuiWebsiteTest):
|
||||||
|
@classmethod
|
||||||
|
def setUpClass(cls):
|
||||||
|
test_settings = {
|
||||||
|
"csp_header_disabled": False,
|
||||||
|
}
|
||||||
|
cls.gui = GuiWebsiteTest.set_up(test_settings)
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def tearDownClass(cls):
|
||||||
|
GuiWebsiteTest.tear_down()
|
||||||
|
|
||||||
|
@pytest.mark.gui
|
||||||
|
@pytest.mark.skipif(pytest.__version__ < '2.9', reason="requires newer pytest")
|
||||||
|
def test_gui(self):
|
||||||
|
#self.run_all_common_setup_tests()
|
||||||
|
self.run_all_website_mode_download_tests(False)
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
unittest.main()
|
@ -8,6 +8,7 @@ class LocalWebsiteModeTest(unittest.TestCase, GuiWebsiteTest):
|
|||||||
@classmethod
|
@classmethod
|
||||||
def setUpClass(cls):
|
def setUpClass(cls):
|
||||||
test_settings = {
|
test_settings = {
|
||||||
|
"csp_header_disabled": True
|
||||||
}
|
}
|
||||||
cls.gui = GuiWebsiteTest.set_up(test_settings)
|
cls.gui = GuiWebsiteTest.set_up(test_settings)
|
||||||
|
|
||||||
|
@ -66,7 +66,8 @@ class TestSettings:
|
|||||||
'password': '',
|
'password': '',
|
||||||
'hidservauth_string': '',
|
'hidservauth_string': '',
|
||||||
'data_dir': os.path.expanduser('~/OnionShare'),
|
'data_dir': os.path.expanduser('~/OnionShare'),
|
||||||
'public_mode': False
|
'public_mode': False,
|
||||||
|
'csp_header_disabled': False
|
||||||
}
|
}
|
||||||
for key in settings_obj._settings:
|
for key in settings_obj._settings:
|
||||||
# Skip locale, it will not always default to the same thing
|
# Skip locale, it will not always default to the same thing
|
||||||
|
Loading…
Reference in New Issue
Block a user