Merge branch 'develop' into 1470_tempfiles

2025-05-02 06:26:10 -04:00 · 2021-12-01 20:37:45 -08:00 · 2021-12-01 20:37:45 -08:00 · 5322d4f037
commit 5322d4f037
parent 2ff5f53c69 01aa8a36f3
127 changed files with 4456 additions and 1626 deletions
--- a/cli/onionshare_cli/web/web.py
+++ b/cli/onionshare_cli/web/web.py
@ -199,15 +199,20 @@ class Web:
            """
            for header, value in self.security_headers:
                r.headers.set(header, value)
+
            # Set a CSP header unless in website mode and the user has disabled it
-            if (
+            default_csp = "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;"
+            if self.mode != "website" or (
                not self.settings.get("website", "disable_csp")
-                or self.mode != "website"
+                and not self.settings.get("website", "custom_csp")
            ):
-                r.headers.set(
-                    "Content-Security-Policy",
-                    "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;",
-                )
+                r.headers.set("Content-Security-Policy", default_csp)
+            else:
+                if self.settings.get("website", "custom_csp"):
+                    r.headers.set(
+                        "Content-Security-Policy",
+                        self.settings.get("website", "custom_csp"),
+                    )
            return r

        @self.app.errorhandler(404)