Support sending a custom Content-Security-Policy header in Website mode

This commit is contained in:
Miguel Jacq 2021-11-08 16:31:05 +11:00
parent 5346278ad3
commit ff45a5c76b
6 changed files with 103 additions and 10 deletions


@ -199,11 +199,18 @@ class Web:
for header, value in self.security_headers:
r.headers.set(header, value)
# Set a CSP header unless in website mode and the user has disabled it
if not self.settings.get("website", "disable_csp") or self.mode != "website":
default_csp = "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;"
if self.mode != "website" or (not self.settings.get("website", "disable_csp") and not self.settings.get("website", "custom_csp")):
r.headers.set(
"Content-Security-Policy",
"default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;",
default_csp
)
else:
if self.settings.get("website", "custom_csp"):
r.headers.set(
"Content-Security-Policy",
self.settings.get("website", "custom_csp")
)
return r
@self.app.errorhandler(404)
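Review bot: The precedence the new condition encodes — in website mode a configured `custom_csp` wins over `disable_csp`, and any non-website mode always gets the default policy — is only visible by reading the nested `if`/`else: if` and the triple `self.settings.get(...)` calls, and the unchanged comment above it (`# Set a CSP header unless in website mode and the user has disabled it`) no longer describes that. Reading the two settings once into locals and collapsing the `else: if` into an `elif` makes the rule explicit and removes the repeated lookups. The custom value is placed into the header verbatim from settings; I would expect the header layer to reject CR/LF in it, but confirming that (or validating the setting when it is loaded) is worth a check, since a malformed value would otherwise surface as a failure while building every response. The enclosing after-request handler starts before this hunk.
```python
# Set a CSP header unless in website mode and the user has disabled it;
# in website mode a configured custom_csp takes precedence over both the
# default policy and disable_csp. Other modes always get the default.
default_csp = "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;"
website_mode = self.mode == "website"
custom_csp = self.settings.get("website", "custom_csp") if website_mode else None
disable_csp = self.settings.get("website", "disable_csp") if website_mode else False
if custom_csp:
    r.headers.set("Content-Security-Policy", custom_csp)
elif not disable_csp:
    r.headers.set("Content-Security-Policy", default_csp)
# … unchanged: return r …
```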