Disable in-app CSP unless enabled via WHOOGLE_CSP
The default CSP is only helpful for some, and can break instances for others. Since these aren't always necessary and are occasionally set by the user's preferred reverse proxy, it is being disabled unless explicitly enabled by setting `WHOOGLE_CSP`. Fixes #493

Branch: main
parent: f73e4b9239
commit: 3e20788857
@ -164,7 +164,7 @@ See the [available environment variables](#environment-variables) for additional
|
||||||
|
|
||||||
### F) Manual
|
### F) Manual
|
||||||
|
|
||||||
*Note: `Content-Security-Policy` headers are already sent by Whoogle -- you don't/shouldn't need to apply a CSP header yourself*
|
*Note: `Content-Security-Policy` headers can be sent by Whoogle if you set `WHOOGLE_CSP`.*
|
||||||
|
|
||||||
Clone the repo and run the following commands to start the app in a local-only environment:
|
Clone the repo and run the following commands to start the app in a local-only environment:
|
||||||
|
|
||||||
|
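Review bot: the reworded note ("headers can be sent by Whoogle if you set `WHOOGLE_CSP`") drops a behaviour change that users of the manual install should be told about explicitly: before this commit the CSP was always sent, and after it the default is no CSP at all. Suggest stating that plainly and saying what the user is now expected to do, e.g. "*Note: Whoogle no longer sends a `Content-Security-Policy` header by default. Set `WHOOGLE_CSP=1` to enable the built-in policy, or configure a CSP at your reverse proxy.*" Otherwise an operator who was relying on the old default will silently lose the header on upgrade.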
@ -330,6 +330,7 @@ There are a few optional environment variables available for customizing a Whoog
|
||||||
| WHOOGLE_ALT_MD | The medium.com alternative to use when site alternatives are enabled in the config. |
|
| WHOOGLE_ALT_MD | The medium.com alternative to use when site alternatives are enabled in the config. |
|
||||||
| WHOOGLE_AUTOCOMPLETE | Controls visibility of autocomplete/search suggestions. Default on -- use '0' to disable |
|
| WHOOGLE_AUTOCOMPLETE | Controls visibility of autocomplete/search suggestions. Default on -- use '0' to disable |
|
||||||
| WHOOGLE_MINIMAL | Remove everything except basic result cards from all search queries. |
|
| WHOOGLE_MINIMAL | Remove everything except basic result cards from all search queries. |
|
||||||
|
| WHOOGLE_CSP | Sets a default set of 'Content-Security-Policy' headers |
|
||||||
|
|
||||||
### Config Environment Variables
|
### Config Environment Variables
|
||||||
These environment variables allow setting default config values, but can be overwritten manually by using the home page config menu. These allow a shortcut for destroying/rebuilding an instance to the same config state every time.
|
These environment variables allow setting default config values, but can be overwritten manually by using the home page config menu. These allow a shortcut for destroying/rebuilding an instance to the same config state every time.
|
||||||
|
|
|
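Review bot: the new `WHOOGLE_CSP` row does not say what the default is or which value turns it on, while the neighbouring `WHOOGLE_AUTOCOMPLETE` row does ("Default on -- use '0' to disable"). Suggest following that convention, e.g. `| WHOOGLE_CSP | Sends a default set of 'Content-Security-Policy' headers. Default off -- use '1' to enable |`, so the table alone is enough to configure it.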
@ -147,10 +147,11 @@ def before_request_func():
|
||||||
def after_request_func(resp):
|
def after_request_func(resp):
|
||||||
resp.headers['X-Content-Type-Options'] = 'nosniff'
|
resp.headers['X-Content-Type-Options'] = 'nosniff'
|
||||||
resp.headers['X-Frame-Options'] = 'DENY'
|
resp.headers['X-Frame-Options'] = 'DENY'
|
||||||
|
|
||||||
|
if os.getenv('WHOOGLE_CSP', False):
|
||||||
resp.headers['Content-Security-Policy'] = app.config['CSP']
|
resp.headers['Content-Security-Policy'] = app.config['CSP']
|
||||||
if os.environ.get('HTTPS_ONLY', False):
|
if os.environ.get('HTTPS_ONLY', False):
|
||||||
resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
|
resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'
|
||||||
resp.headers['Strict-Transport-Security'] = 'max-age=63072000'
|
|
||||||
|
|
||||||
return resp
|
return resp
|
||||||
|
|
||||||
|
|
|
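Review bot: the `HTTPS_ONLY` branch that follows the new guard still does `resp.headers['Content-Security-Policy'] += 'upgrade-insecure-requests'` unconditionally, but the header is now only created inside `if os.getenv('WHOOGLE_CSP', False):`. With `HTTPS_ONLY=1` and `WHOOGLE_CSP` unset, the `+=` reads a header that was never set, the headers object raises a KeyError, and every response fails. Either nest the `HTTPS_ONLY` block inside the new `WHOOGLE_CSP` block, or set the header explicitly when it is absent, since `upgrade-insecure-requests` is still worth sending on its own when HTTPS is enforced. Two smaller points on the same lines: `os.getenv('WHOOGLE_CSP', False)` is truthy for any non-empty string, so `WHOOGLE_CSP=0` enables the policy, which contradicts the "use '0' to disable" convention the README uses for other variables; and `+=` appends with no separator, so it is worth checking that `app.config['CSP']` ends with `;` before the directive is concatenated.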
@ -19,6 +19,7 @@
|
||||||
#WHOOGLE_PROXY_PASS=""
|
#WHOOGLE_PROXY_PASS=""
|
||||||
#WHOOGLE_PROXY_TYPE=""
|
#WHOOGLE_PROXY_TYPE=""
|
||||||
#WHOOGLE_PROXY_LOC=""
|
#WHOOGLE_PROXY_LOC=""
|
||||||
|
#WHOOGLE_CSP=1
|
||||||
#HTTPS_ONLY=1
|
#HTTPS_ONLY=1
|
||||||
|
|
||||||
# Restrict results to only those near a particular city
|
# Restrict results to only those near a particular city
|
||||||
|
|
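Review bot: `#WHOOGLE_CSP=1` is added without a comment, whereas this file otherwise explains each block (see "# Restrict results to only those near a particular city" below). Suggest a one-line comment above it along the lines of "# Send Whoogle's built-in Content-Security-Policy header (off by default; set a CSP at your reverse proxy instead if you leave this unset)", since the env file is where most operators will discover that the default changed.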