Rev2144, Fix CSP header in FilePack plugin, Allow media-src and font-src from self source

2017-07-11 23:00:33 +02:00 · 2017-07-11 23:00:33 +02:00 · e525ea2431
parent c8f37674c6
commit e525ea2431
3 changed files with 8 additions and 6 deletions
--- a/plugins/FilePack/FilePackPlugin.py
+++ b/plugins/FilePack/FilePackPlugin.py
@ -57,7 +57,7 @@ class UiRequestPlugin(object):
            try:
                file = openArchive(archive_path, path_within)
                content_type = self.getContentType(file_path)
-                self.sendHeader(200, content_type=content_type)
+                self.sendHeader(200, content_type=content_type, noscript=kwargs.get("header_noscript", False))
                return self.streamFile(file)
            except Exception, err:
                self.log.debug("Error opening archive file: %s" % err)
--- a/src/Config.py
+++ b/src/Config.py
@ -10,7 +10,7 @@ class Config(object):

    def __init__(self, argv):
        self.version = "0.5.6"
-        self.rev = 2142
+        self.rev = 2144
        self.argv = argv
        self.action = None
        self.config_file = "zeronet.conf"
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@ -184,7 +184,7 @@ class UiRequest(object):
            return referer

    # Send response headers
-    def sendHeader(self, status=200, content_type="text/html", extra_headers=[]):
+    def sendHeader(self, status=200, content_type="text/html", noscript=False, extra_headers=[]):
        headers = []
        headers.append(("Version", "HTTP/1.1"))
        headers.append(("Connection", "Keep-Alive"))
@ -192,6 +192,10 @@ class UiRequest(object):
        headers.append(("X-Frame-Options", "SAMEORIGIN"))
        if content_type != "text/html" and self.env.get("HTTP_REFERER") and self.isSameOrigin(self.getReferer(), self.getRequestUrl()):
           headers.append(("Access-Control-Allow-Origin", "*"))  # Allow load font files from css
+
+        if noscript:
+            headers.append(("Content-Security-Policy", "default-src 'none'; sandbox allow-top-navigation; img-src 'self'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline';"))
+
        if self.env["REQUEST_METHOD"] == "OPTIONS":
            # Allow json access
            headers.append(("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Cookie"))
@ -498,8 +502,6 @@ class UiRequest(object):
                extra_headers["Accept-Ranges"] = "bytes"
                if header_length:
                    extra_headers["Content-Length"] = str(file_size)
-                if header_noscript:
-                    extra_headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation; img-src 'self'; style-src 'self' 'unsafe-inline';"
                if range:
                    range_start = int(re.match(".*?([0-9]+)", range).group(1))
                    if re.match(".*?-([0-9]+)", range):
@ -512,7 +514,7 @@ class UiRequest(object):
                    status = 206
                else:
                    status = 200
-                self.sendHeader(status, content_type=content_type, extra_headers=extra_headers.items())
+                self.sendHeader(status, content_type=content_type, noscript=header_noscript, extra_headers=extra_headers.items())
            if self.env["REQUEST_METHOD"] != "OPTIONS":
                file = open(file_path, "rb")
                if range_start: