Make setting the Content-Security-Policy header optional so it doesn't break website mode shares

2025-08-10 15:20:38 -04:00 · 2019-09-16 12:10:17 +10:00 · 2019-09-16 12:10:17 +10:00 · a0d4e2880f
commit a0d4e2880f
parent 320cac0ad1
8 changed files with 86 additions and 10 deletions
--- a/tests/GuiWebsiteTest.py
+++ b/tests/GuiWebsiteTest.py
@ -65,6 +65,20 @@ class GuiWebsiteTest(GuiShareTest):
        QtTest.QTest.qWait(2000)
        self.assertTrue('This is a test website hosted by OnionShare' in r.text)

+    def check_csp_header(self, public_mode, csp_header_enabled):
+        '''Test that the CSP header is present when enabled or vice versa'''
+        url = "http://127.0.0.1:{}/".format(self.gui.app.port)
+        if public_mode:
+            r = requests.get(url)
+        else:
+            r = requests.get(url, auth=requests.auth.HTTPBasicAuth('onionshare', self.gui.website_mode.server_status.web.password))
+
+        QtTest.QTest.qWait(2000)
+        if csp_header_enabled:
+            self.assertTrue('Content-Security-Policy' in r.headers)
+        else:
+            self.assertFalse('Content-Security-Policy' in r.headers)
+
    def run_all_website_mode_setup_tests(self):
        """Tests in website mode prior to starting a share"""
        self.click_mode(self.gui.website_mode)
@ -92,6 +106,7 @@ class GuiWebsiteTest(GuiShareTest):
        self.run_all_website_mode_setup_tests()
        self.run_all_website_mode_started_tests(public_mode, startup_time=2000)
        self.view_website(public_mode)
+        self.check_csp_header(public_mode, self.gui.common.settings.get('csp_header_enabled'))
        self.history_widgets_present(self.gui.website_mode)
        self.server_is_stopped(self.gui.website_mode, False)
        self.web_server_is_stopped()
--- a/tests/local_onionshare_website_mode_csp_enabled_test.py
+++ b/tests/local_onionshare_website_mode_csp_enabled_test.py
@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+import pytest
+import unittest
+
+from .GuiWebsiteTest import GuiWebsiteTest
+
+class LocalWebsiteModeCSPEnabledTest(unittest.TestCase, GuiWebsiteTest):
+    @classmethod
+    def setUpClass(cls):
+        test_settings = {
+            "csp_header_enabled": True,
+        }
+        cls.gui = GuiWebsiteTest.set_up(test_settings)
+
+    @classmethod
+    def tearDownClass(cls):
+        GuiWebsiteTest.tear_down()
+
+    @pytest.mark.gui
+    @pytest.mark.skipif(pytest.__version__ < '2.9', reason="requires newer pytest")
+    def test_gui(self):
+        #self.run_all_common_setup_tests()
+        self.run_all_website_mode_download_tests(False)
+
+if __name__ == "__main__":
+    unittest.main()
--- a/tests/local_onionshare_website_mode_test.py
+++ b/tests/local_onionshare_website_mode_test.py
@ -8,6 +8,7 @@ class LocalWebsiteModeTest(unittest.TestCase, GuiWebsiteTest):
    @classmethod
    def setUpClass(cls):
        test_settings = {
+            "csp_header_enabled": False
        }
        cls.gui = GuiWebsiteTest.set_up(test_settings)

--- a/tests/test_onionshare_settings.py
+++ b/tests/test_onionshare_settings.py
@ -66,7 +66,8 @@ class TestSettings:
            'password': '',
            'hidservauth_string': '',
            'data_dir': os.path.expanduser('~/OnionShare'),
-            'public_mode': False
+            'public_mode': False,
+            'csp_header_enabled': True
        }
        for key in settings_obj._settings:
            # Skip locale, it will not always default to the same thing