Disable in-app CSP unless enabled via WHOOGLE_CSP

The default CSP is only helpful for some, and can break instances for
others. Since these aren't always necessary and are occasionally set by
the user's preferred reverse proxy, it is being disabled unless
explicitly enabled by setting `WHOOGLE_CSP`.

Fixes #493
main
Ben Busby 2021-11-29 15:49:35 -07:00
parent f73e4b9239
commit 3e20788857
No known key found for this signature in database
GPG Key ID: B9B7231E01D924A1
3 changed files with 8 additions and 5 deletions

View File

@ -164,7 +164,7 @@ See the [available environment variables](#environment-variables) for additional
### F) Manual
*Note: `Content-Security-Policy` headers are already sent by Whoogle -- you don't/shouldn't need to apply a CSP header yourself*
*Note: `Content-Security-Policy` headers can be sent by Whoogle if you set `WHOOGLE_CSP`.*
Clone the repo and run the following commands to start the app in a local-only environment:
@ -330,6 +330,7 @@ There are a few optional environment variables available for customizing a Whoog
| WHOOGLE_ALT_MD | The medium.com alternative to use when site alternatives are enabled in the config. |
| WHOOGLE_AUTOCOMPLETE | Controls visibility of autocomplete/search suggestions. Default on -- use '0' to disable |
| WHOOGLE_MINIMAL | Remove everything except basic result cards from all search queries. |
| WHOOGLE_CSP | Sets a default set of 'Content-Security-Policy' headers |
### Config Environment Variables
These environment variables allow setting default config values, but can be overwritten manually by using the home page config menu. These allow a shortcut for destroying/rebuilding an instance to the same config state every time.

View File

@ -147,10 +147,11 @@ def before_request_func():
def after_request_func(resp):
resp.headers['X-Content-Type-Options'] = 'nosniff'
resp.headers['X-Frame-Options'] = 'DENY'
resp.headers['Content-Security-Policy'] = app.config['CSP']
if os.environ.get('HTTPS_ONLY', False):
resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
resp.headers['Strict-Transport-Security'] = 'max-age=63072000'
if os.getenv('WHOOGLE_CSP', False):
resp.headers['Content-Security-Policy'] = app.config['CSP']
if os.environ.get('HTTPS_ONLY', False):
resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
return resp

View File

@ -19,6 +19,7 @@
#WHOOGLE_PROXY_PASS=""
#WHOOGLE_PROXY_TYPE=""
#WHOOGLE_PROXY_LOC=""
#WHOOGLE_CSP=1
#HTTPS_ONLY=1
# Restrict results to only those near a particular city