Invert the CSP header setting and put it in its own Website Mode settings group. Make the CSP header mandatory for share/receive modes, optional for website mode only.

tests/GuiWebsiteTest.py

@@ -65,7 +65,7 @@ class GuiWebsiteTest(GuiShareTest):
         QtTest.QTest.qWait(2000)
         self.assertTrue('This is a test website hosted by OnionShare' in r.text)
 
-    def check_csp_header(self, public_mode, csp_header_enabled):
+    def check_csp_header(self, public_mode, csp_header_disabled):
         '''Test that the CSP header is present when enabled or vice versa'''
         url = "http://127.0.0.1:{}/".format(self.gui.app.port)
         if public_mode:
@@ -74,10 +74,10 @@ class GuiWebsiteTest(GuiShareTest):
             r = requests.get(url, auth=requests.auth.HTTPBasicAuth('onionshare', self.gui.website_mode.server_status.web.password))
 
         QtTest.QTest.qWait(2000)
-        if csp_header_enabled:
-            self.assertTrue('Content-Security-Policy' in r.headers)
-        else:
+        if csp_header_disabled:
             self.assertFalse('Content-Security-Policy' in r.headers)
+        else:
+            self.assertTrue('Content-Security-Policy' in r.headers)
 
     def run_all_website_mode_setup_tests(self):
         """Tests in website mode prior to starting a share"""
@@ -106,7 +106,7 @@ class GuiWebsiteTest(GuiShareTest):
         self.run_all_website_mode_setup_tests()
         self.run_all_website_mode_started_tests(public_mode, startup_time=2000)
         self.view_website(public_mode)
-        self.check_csp_header(public_mode, self.gui.common.settings.get('csp_header_enabled'))
+        self.check_csp_header(public_mode, self.gui.common.settings.get('csp_header_disabled'))
         self.history_widgets_present(self.gui.website_mode)
         self.server_is_stopped(self.gui.website_mode, False)
         self.web_server_is_stopped()