Support sending a custom Content-Security-Policy header in Website mode

This commit is contained in:
Micah Lee 2021-11-23 18:44:14 -08:00
commit aa72b7e65a
6 changed files with 103 additions and 10 deletions


@ -203,7 +203,8 @@
"mode_settings_receive_disable_text_checkbox": "Disable submitting text",
"mode_settings_receive_disable_files_checkbox": "Disable uploading files",
"mode_settings_receive_webhook_url_checkbox": "Use notification webhook",
"mode_settings_website_disable_csp_checkbox": "Don't send Content Security Policy header (allows your website to use third-party resources)",
"mode_settings_website_disable_csp_checkbox": "Don't send default Content Security Policy header (allows your website to use third-party resources)",
"mode_settings_website_custom_csp_checkbox": "Send a custom Content Security Policy header",
"gui_all_modes_transfer_finished_range": "Transferred {} - {}",
"gui_all_modes_transfer_finished": "Transferred {}",
"gui_all_modes_transfer_canceled_range": "Canceled {} - {}",
@ -232,4 +233,4 @@
"moat_captcha_error": "The solution is not correct. Please try again.",
"moat_solution_empty_error": "You must enter the characters from the image",
"mode_tor_not_connected_label": "OnionShare is not connected to the Tor network"
}
}


@ -49,6 +49,7 @@ class WebsiteMode(Mode):
self.web = Web(self.common, True, self.settings, "website")
# Settings
# Disable CSP option
self.disable_csp_checkbox = QtWidgets.QCheckBox()
self.disable_csp_checkbox.clicked.connect(self.disable_csp_checkbox_clicked)
self.disable_csp_checkbox.setText(
@ -63,6 +64,26 @@ class WebsiteMode(Mode):
self.disable_csp_checkbox
)
# Custom CSP option
self.custom_csp_checkbox = QtWidgets.QCheckBox()
self.custom_csp_checkbox.clicked.connect(self.custom_csp_checkbox_clicked)
self.custom_csp_checkbox.setText(strings._("mode_settings_website_custom_csp_checkbox"))
if self.settings.get("website", "custom_csp") and not self.settings.get("website", "disable_csp"):
self.custom_csp_checkbox.setCheckState(QtCore.Qt.Checked)
else:
self.custom_csp_checkbox.setCheckState(QtCore.Qt.Unchecked)
self.custom_csp = QtWidgets.QLineEdit()
self.custom_csp.setPlaceholderText(
"default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;"
)
self.custom_csp.editingFinished.connect(self.custom_csp_editing_finished)
custom_csp_layout = QtWidgets.QHBoxLayout()
custom_csp_layout.setContentsMargins(0, 0, 0, 0)
custom_csp_layout.addWidget(self.custom_csp_checkbox)
custom_csp_layout.addWidget(self.custom_csp)
self.mode_settings_widget.mode_specific_layout.addLayout(custom_csp_layout)
# File selection
self.file_selection = FileSelection(
self.common,
@ -181,11 +202,42 @@ class WebsiteMode(Mode):
def disable_csp_checkbox_clicked(self):
"""
Save disable CSP setting to the tab settings
Save disable CSP setting to the tab settings. Uncheck 'custom CSP'
setting if disabling CSP altogether.
"""
self.settings.set(
"website", "disable_csp", self.disable_csp_checkbox.isChecked()
)
if self.disable_csp_checkbox.isChecked():
self.custom_csp_checkbox.setCheckState(QtCore.Qt.Unchecked)
self.custom_csp_checkbox.setEnabled(False)
else:
self.custom_csp_checkbox.setEnabled(True)
def custom_csp_checkbox_clicked(self):
"""
Uncheck 'disable CSP' setting if custom CSP is used.
"""
if self.custom_csp_checkbox.isChecked():
self.disable_csp_checkbox.setCheckState(QtCore.Qt.Unchecked)
self.disable_csp_checkbox.setEnabled(False)
self.settings.set(
"website", "custom_csp", self.custom_csp
)
else:
self.disable_csp_checkbox.setEnabled(True)
self.custom_csp.setText("")
self.settings.set(
"website", "custom_csp", None
)
def custom_csp_editing_finished(self):
if self.custom_csp.text().strip() == "":
self.custom_csp.setText("")
self.settings.set("website", "custom_csp", None)
else:
custom_csp = self.custom_csp.text()
self.settings.set("website", "custom_csp", custom_csp)
def get_stop_server_autostop_timer_text(self):
"""


@ -22,8 +22,10 @@ class TestWebsite(GuiBaseTest):
QtTest.QTest.qWait(500, self.gui.qtapp)
if tab.settings.get("website", "disable_csp"):
self.assertFalse("Content-Security-Policy" in r.headers)
elif tab.settings.get("website", "custom_csp"):
self.assertEqual(tab.settings.get("website", "custom_csp"), r.headers["Content-Security-Policy"])
else:
self.assertTrue("Content-Security-Policy" in r.headers)
self.assertEqual("default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;", r.headers["Content-Security-Policy"])
def run_all_website_mode_setup_tests(self, tab):
"""Tests in website mode prior to starting a share"""
@ -77,12 +79,24 @@ class TestWebsite(GuiBaseTest):
self.run_all_website_mode_download_tests(tab)
self.close_all_tabs()
def test_csp_enabled(self):
def test_csp_disabled(self):
"""
Test disabling CSP
"""
tab = self.new_website_tab()
tab.get_mode().disable_csp_checkbox.click()
self.assertFalse(tab.get_mode().custom_csp_checkbox.isEnabled())
self.run_all_website_mode_download_tests(tab)
self.close_all_tabs()
def test_csp_custom(self):
"""
Test a custom CSP
"""
tab = self.new_website_tab()
tab.get_mode().custom_csp_checkbox.click()
self.assertFalse(tab.get_mode().disable_csp_checkbox.isEnabled())
tab.settings.set("website", "custom_csp", "default-src 'self'")
self.run_all_website_mode_download_tests(tab)
self.close_all_tabs()
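Review bot: `test_csp_custom` sets the `custom_csp` value directly through `tab.settings.set` after clicking the checkbox, so the GUI path that copies the line edit into the settings is never exercised and a defect there would still pass this test; driving the widget instead, e.g. `tab.get_mode().custom_csp.setText("default-src 'self'")` followed by `tab.get_mode().custom_csp.editingFinished.emit()`, would cover it. In the first hunk the custom-CSP branch compares the header against the same setting it was derived from, so asserting the literal `"default-src 'self'"` there, as the default branch does with its literal, would make the expectation independent of the stored value. The enclosing `TestWebsite` class continues outside the hunk.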