[Pkg-privacy-commits] [onionshare] 214/256: Remove duplication of security headers

Ulrike Uhlig ulrike at moszumanska.debian.org
Fri May 26 12:53:43 UTC 2017 

This is an automated email from the git hooks/post-receive script.

ulrike pushed a commit to branch master
in repository onionshare.

commit 38ee7fde21e6c0216137376b390dec6a46408670
Author: Miguel Jacq <mig at mig5.net>
Date:   Sun May 21 10:03:18 2017 +1000

    Remove duplication of security headers
---
 onionshare/web.py | 51 ++++++++++++++++++++-------------------------------
 1 file changed, 20 insertions(+), 31 deletions(-)

diff --git a/onionshare/web.py b/onionshare/web.py
index 0d9e413..36901f3 100644
--- a/onionshare/web.py
+++ b/onionshare/web.py
@@ -47,6 +47,16 @@ file_info = []
 zip_filename = None
 zip_filesize = None
 
+
+security_headers = [
+    ('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'self\' data:;'),
+    ('X-Frame-Options', 'DENY'),
+    ('X-Xss-Protection', '1; mode=block'),
+    ('X-Content-Type-Options', 'nosniff'),
+    ('Referrer-Policy', 'no-referrer'),
+    ('Server', 'Onion')
+]
+
 def set_file_info(filenames, processed_size_callback=None):
     """
     Using the list of filenames being shared, fill in details that the web
@@ -176,12 +186,8 @@ def index(slug_candidate):
     deny_download = not stay_open and download_in_progress
     if deny_download:
         r = make_response(render_template_string(open(common.get_resource_path('html/denied.html')).read()))
-        r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'self\' data:;')
-        r.headers.set('X-Frame-Options', 'DENY')
-        r.headers.set('X-Xss-Protection', '1; mode=block')
-        r.headers.set('X-Content-Type-Options', 'nosniff')
-        r.headers.set('Referrer-Policy', 'no-referrer')
-        r.headers.set('Server', 'Onion')
+        for header,value in security_headers:
+            r.headers.set(header, value)
         return r
 
     # If download is allowed to continue, serve download page
@@ -193,12 +199,8 @@ def index(slug_candidate):
         filename=os.path.basename(zip_filename),
         filesize=zip_filesize,
         filesize_human=common.human_readable_filesize(zip_filesize)))
-    r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'unsafe-inline\' data:;')
-    r.headers.set('X-Frame-Options', 'DENY')
-    r.headers.set('X-Xss-Protection', '1; mode=block')
-    r.headers.set('X-Content-Type-Options', 'nosniff')
-    r.headers.set('Referrer-Policy', 'no-referrer')
-    r.headers.set('Server', 'Onion')
+    for header,value in security_headers:
+        r.headers.set(header, value)
     return r
 
 # If the client closes the OnionShare window while a download is in progress,
@@ -219,12 +221,8 @@ def download(slug_candidate):
     deny_download = not stay_open and download_in_progress
     if deny_download:
         r = make_response(render_template_string(open(common.get_resource_path('html/denied.html')).read()))
-        r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'unsafe-inline\' data:;')
-        r.headers.set('X-Frame-Options', 'DENY')
-        r.headers.set('X-Xss-Protection', '1; mode=block')
-        r.headers.set('X-Content-Type-Options', 'nosniff')
-        r.headers.set('Referrer-Policy', 'no-referrer')
-        r.headers.set('Server', 'Onion')
+        for header,value in security_headers:
+            r.headers.set(header, value)
         return r
 
     global download_count
@@ -310,13 +308,8 @@ def download(slug_candidate):
     r = Response(generate())
     r.headers.set('Content-Length', zip_filesize)
     r.headers.set('Content-Disposition', 'attachment', filename=basename)
-    r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'unsafe-inline\' data:;')
-    r.headers.set('X-Frame-Options', 'DENY')
-    r.headers.set('X-Xss-Protection', '1; mode=block')
-    r.headers.set('X-Content-Type-Options', 'nosniff')
-    r.headers.set('Referrer-Policy', 'no-referrer')
-    r.headers.set('Server', 'Onion')
-
+    for header,value in security_headers:
+        r.headers.set(header, value)
     # guess content type
     (content_type, _) = mimetypes.guess_type(basename, strict=False)
     if content_type is not None:
@@ -340,12 +333,8 @@ def page_not_found(e):
             print(strings._('error_rate_limit'))
 
     r = make_response(render_template_string(open(common.get_resource_path('html/404.html')).read()))
-    r.headers.set('Content-Security-Policy', 'default-src \'self\'; style-src \'unsafe-inline\'; img-src \'unsafe-inline\' data:;')
-    r.headers.set('X-Frame-Options', 'DENY')
-    r.headers.set('X-Xss-Protection', '1; mode=block')
-    r.headers.set('X-Content-Type-Options', 'nosniff')
-    r.headers.set('Referrer-Policy', 'no-referrer')
-    r.headers.set('Server', 'Onion')
+    for header,value in security_headers:
+        r.headers.set(header, value)
     return r
 
 # shutting down the server only works within the context of flask, so the easiest way to do it is over http

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/onionshare.git

More information about the Pkg-privacy-commits mailing list