rewriterapp: add default csp header, overridable via 'csp-header' config setting

2025-03-15 00:03:28 +01:00 · 2017-10-05 19:59:37 -07:00 · 2017-10-05 19:59:37 -07:00 · 902f6659f4
commit 902f6659f4
parent 31209db311
2 changed files with 21 additions and 0 deletions
--- a/pywb/apps/rewriterapp.py
+++ b/pywb/apps/rewriterapp.py
@ -48,6 +48,8 @@ class UpstreamException(WbException):
 class RewriterApp(object):
    VIDEO_INFO_CONTENT_TYPE = 'application/vnd.youtube-dl_formats+json'

+    DEFAULT_CSP = "default-src 'unsafe-eval' 'unsafe-inline' 'self' data: blob: mediastream: ws: wss: ; form-action 'self'"
+
    def __init__(self, framed_replay=False, jinja_env=None, config=None, paths=None):
        self.loader = ArcWarcRecordLoader()

@ -89,6 +91,16 @@ class RewriterApp(object):

        self.enable_memento = self.config.get('enable_memento')

+        csp_header = self.config.get('csp-header', self.DEFAULT_CSP)
+        if csp_header:
+            self.csp_header = ('Content-Security-Policy', csp_header)
+        else:
+            self.csp_header = None
+
+    def add_csp_header(self, wb_url, status_headers):
+        if self.csp_header and wb_url.mod == self.replay_mod:
+            status_headers.headers.append(self.csp_header)
+
    def _html_templ(self, name):
        value = self.config.get(name)
        if not value:
@ -302,6 +314,10 @@ class RewriterApp(object):
        if set_content_loc:
            status_headers.headers.append(('Content-Location', urlrewriter.get_new_url(timestamp=cdx['timestamp'],
                                                                                       url=cdx['url'])))
+
+        if not is_proxy:
+            self.add_csp_header(wb_url, status_headers)
+
        response = WbResponse(status_headers, gen)

        return response
--- a/tests/test_integration.py
+++ b/tests/test_integration.py
@ -78,6 +78,8 @@ class TestWbIntegration(BaseConfigTest):
        assert '"20140127171238"' in resp.text
        assert 'http://www.iana.org/' in resp.text, resp.text

+        assert 'Content-Security-Policy' not in resp.headers
+
    def test_replay_content(self, fmod):
        resp = self.get('/pywb/20140127171238{0}/http://www.iana.org/', fmod)
        self._assert_basic_html(resp)
@ -89,6 +91,9 @@ class TestWbIntegration(BaseConfigTest):

        assert ('wbinfo.is_framed = ' + ('true' if fmod else 'false')) in resp.text

+        csp = "default-src 'unsafe-eval' 'unsafe-inline' 'self' data: blob: mediastream: ws: wss: ; form-action 'self'"
+        assert resp.headers['Content-Security-Policy'] == csp
+
    def test_replay_fuzzy_1(self, fmod):
        resp = self.get('/pywb/20140127171238{0}/http://www.iana.org/?_=123', fmod)
        assert resp.status_int == 200