Make setting the Content-Security-Policy header optional so it doesn't break website mode shares

2025-08-25 06:29:54 -04:00 · 2019-09-16 12:10:17 +10:00 · 2019-09-16 12:10:17 +10:00 · a0d4e2880f
commit a0d4e2880f
parent 320cac0ad1
8 changed files with 86 additions and 10 deletions
--- a/onionshare/settings.py
+++ b/onionshare/settings.py
@ -114,6 +114,7 @@ class Settings(object):
            'password': '',
            'hidservauth_string': '',
            'data_dir': self.build_default_data_dir(),
+            'csp_header_enabled': True,
            'locale': None # this gets defined in fill_in_defaults()
        }
        self._settings = {}
--- a/onionshare/web/web.py
+++ b/onionshare/web/web.py
@ -91,15 +91,6 @@ class Web:
            # Monkey-patch in the fix from https://github.com/pallets/flask/commit/99c99c4c16b1327288fd76c44bc8635a1de452bc
            Flask.select_jinja_autoescape = self._safe_select_jinja_autoescape

-        self.security_headers = [
-            ('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;'),
-            ('X-Frame-Options', 'DENY'),
-            ('X-Xss-Protection', '1; mode=block'),
-            ('X-Content-Type-Options', 'nosniff'),
-            ('Referrer-Policy', 'no-referrer'),
-            ('Server', 'OnionShare')
-        ]
-
        self.q = queue.Queue()
        self.password = None

@ -293,6 +284,20 @@ class Web:
            pass
        self.running = False

+    def set_security_headers(self):
+        """
+        Set the security headers for the web service each time we start it.
+        """
+        self.security_headers = [
+            ('X-Frame-Options', 'DENY'),
+            ('X-Xss-Protection', '1; mode=block'),
+            ('X-Content-Type-Options', 'nosniff'),
+            ('Referrer-Policy', 'no-referrer'),
+            ('Server', 'OnionShare')
+        ]
+        if self.common.settings.get('csp_header_enabled'):
+            self.security_headers.append(('Content-Security-Policy', 'default-src \'self\'; style-src \'self\'; script-src \'self\'; img-src \'self\' data:;'))
+
    def start(self, port, stay_open=False, public_mode=False, password=None):
        """
        Start the flask web server.
@ -315,6 +320,7 @@ class Web:
            host = '127.0.0.1'

        self.running = True
+        self.set_security_headers()
        self.app.run(host=host, port=port, threaded=True)

    def stop(self, port):