From 542cec15c66bc2a368d51dc740dcb8a401eedbf1 Mon Sep 17 00:00:00 2001
From: Micah Lee <micah@micahflee.com>
Date: Wed, 16 Jul 2014 02:19:22 -0700
Subject: [PATCH] add Content-Security-Policy so if there are other xss vulns
 they won't execute

---
 onionshare_gui/webapp.py | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/onionshare_gui/webapp.py b/onionshare_gui/webapp.py
index 803d43d6..5d9247d3 100644
--- a/onionshare_gui/webapp.py
+++ b/onionshare_gui/webapp.py
@@ -1,4 +1,5 @@
-from flask import Flask, render_template
+from flask import Flask, render_template, make_response
+from functools import wraps
 import threading, json, os, time, platform, sys
 
 onionshare = None
@@ -26,11 +27,36 @@ def debug_mode():
     log_handler.setLevel(logging.WARNING)
     app.logger.addHandler(log_handler)
 
+def add_response_headers(headers={}):
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            resp = make_response(f(*args, **kwargs))
+            h = resp.headers
+            for header, value in headers.items():
+                h[header] = value
+            return resp
+        return decorated_function
+    return decorator
+
+def csp(f):
+    @wraps(f)
+    # disable inline js, external js
+    @add_response_headers({'Content-Security-Policy': "default-src 'self'; connect-src 'self'"})
+    # ugh, webkit embedded in Qt4 is stupid old
+    # TODO: remove webkit, build GUI with normal Qt widgets
+    @add_response_headers({'X-WebKit-CSP': "default-src 'self'; connect-src 'self'"})
+    def decorated_function(*args, **kwargs):
+        return f(*args, **kwargs)
+    return decorated_function
+
 @app.route("/")
+@csp
 def index():
     return render_template('index.html')
 
 @app.route("/init_info")
+@csp
 def init_info():
     global onionshare, filename, stay_open
     basename = os.path.basename(filename)
@@ -42,6 +68,7 @@ def init_info():
     })
 
 @app.route("/start_onionshare")
+@csp
 def start_onionshare():
     global onionshare, onionshare_port, filename, onion_host, url
 
@@ -62,6 +89,7 @@ def start_onionshare():
     })
 
 @app.route("/copy_url")
+@csp
 def copy_url():
     if platform.system() == 'Windows':
         # Qt's QClipboard isn't working in Windows
@@ -82,16 +110,19 @@ def copy_url():
     return ''
 
 @app.route("/stay_open_true")
+@csp
 def stay_open_true():
     global onionshare
     onionshare.set_stay_open(True)
 
 @app.route("/stay_open_false")
+@csp
 def stay_open_false():
     global onionshare
     onionshare.set_stay_open(False)
 
 @app.route("/heartbeat")
+@csp
 def check_for_requests():
     global onionshare
     events = []
@@ -107,6 +138,7 @@ def check_for_requests():
     return json.dumps(events)
 
 @app.route("/close")
+@csp
 def close():
     global qtapp
     time.sleep(1)