From 3e20788857776cc484b3c4eeb162c21d10adf261 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Mon, 29 Nov 2021 15:49:35 -0700
Subject: [PATCH] Disable in-app CSP unless enabled via WHOOGLE_CSP
The default CSP is only helpful for some, and can break instances for others. Since these aren't always necessary and are occasionally set by the user's preferred reverse proxy, it is being disabled unless explicitly enabled by setting `WHOOGLE_CSP`.
Fixes #493
---
 README.md | 3 ++-
 app/routes.py | 9 +++++----
 whoogle.template.env | 1 +
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 21bf892..2320f04 100644
--- a/README.md
+++ b/README.md
@@ -164,7 +164,7 @@ See the [available environment variables](#environment-variables) for additional
 ### F) Manual
-*Note: `Content-Security-Policy` headers are already sent by Whoogle -- you don't/shouldn't need to apply a CSP header yourself*
+*Note: `Content-Security-Policy` headers can be sent by Whoogle if you set `WHOOGLE_CSP`.*
 Clone the repo and run the following commands to start the app in a local-only environment:
@@ -330,6 +330,7 @@ There are a few optional environment variables available for customizing a Whoog
 | WHOOGLE_ALT_MD | The medium.com alternative to use when site alternatives are enabled in the config. |
 | WHOOGLE_AUTOCOMPLETE | Controls visibility of autocomplete/search suggestions. Default on -- use '0' to disable |
 | WHOOGLE_MINIMAL | Remove everything except basic result cards from all search queries. |
+| WHOOGLE_CSP | Sets a default set of 'Content-Security-Policy' headers |
 ### Config Environment Variables
 These environment variables allow setting default config values, but can be overwritten manually by using the home page config menu. These allow a shortcut for destroying/rebuilding an instance to the same config state every time.
diff --git a/app/routes.py b/app/routes.py
index 9f66d74..e8ac9f4 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -147,10 +147,11 @@ def before_request_func():
 def after_request_func(resp):
 resp.headers['X-Content-Type-Options'] = 'nosniff'
 resp.headers['X-Frame-Options'] = 'DENY'
- resp.headers['Content-Security-Policy'] = app.config['CSP']
- if os.environ.get('HTTPS_ONLY', False):
- resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
- resp.headers['Strict-Transport-Security'] = 'max-age=63072000'
+
+ if os.getenv('WHOOGLE_CSP', False):
+ resp.headers['Content-Security-Policy'] = app.config['CSP']
+ if os.environ.get('HTTPS_ONLY', False):
+ resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
 return resp
diff --git a/whoogle.template.env b/whoogle.template.env
index 754686c..425cef5 100644
--- a/whoogle.template.env
+++ b/whoogle.template.env
@@ -19,6 +19,7 @@
 #WHOOGLE_PROXY_PASS=""
 #WHOOGLE_PROXY_TYPE=""
 #WHOOGLE_PROXY_LOC=""
+#WHOOGLE_CSP=1
 #HTTPS_ONLY=1
 # Restrict results to only those near a particular city
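Review bot: The removed `resp.headers['Strict-Transport-Security'] = 'max-age=63072000'` line in after_request_func is not re-added on the new side, so an instance running with `HTTPS_ONLY` set no longer sends an HSTS header — a behaviour change independent of the CSP opt-in that the commit message does not mention. If that drop is unintended, restore it outside the new `WHOOGLE_CSP` block, e.g. `if os.environ.get('HTTPS_ONLY', False):` followed by `    resp.headers['Strict-Transport-Security'] = 'max-age=63072000'`. Separately, `os.getenv('WHOOGLE_CSP', False)` treats any non-empty value, including `0`, as enabled, while the existing WHOOGLE_AUTOCOMPLETE row in the README documents `'0'` as a disable value, so the new README row for WHOOGLE_CSP should state that any non-empty value turns it on (or the check should reject `0`). The `+= 'upgrade-insecure-requests'` append presumably relies on `app.config['CSP']` ending with a `;` separator; that value is not visible in this hunk, so worth confirming the resulting header parses as two directives.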