From e525ea2431ab25bcb251ce835133732e19e13242 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Tue, 11 Jul 2017 23:00:33 +0200
Subject: [PATCH] Rev2144, Fix CSP header in FilePack plugin, Allow media-src and font-src from self source

---
 plugins/FilePack/FilePackPlugin.py | 2 +-
 src/Config.py | 2 +-
 src/Ui/UiRequest.py | 10 ++++++----
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/plugins/FilePack/FilePackPlugin.py b/plugins/FilePack/FilePackPlugin.py
index 0d413b60..8db8429e 100644
--- a/plugins/FilePack/FilePackPlugin.py
+++ b/plugins/FilePack/FilePackPlugin.py
@@ -57,7 +57,7 @@ class UiRequestPlugin(object):
 try:
 file = openArchive(archive_path, path_within)
 content_type = self.getContentType(file_path)
- self.sendHeader(200, content_type=content_type)
+ self.sendHeader(200, content_type=content_type, noscript=kwargs.get("header_noscript", False))
 return self.streamFile(file)
 except Exception, err:
 self.log.debug("Error opening archive file: %s" % err)
diff --git a/src/Config.py b/src/Config.py
index 1ee4a35e..8c1159c6 100644
--- a/src/Config.py
+++ b/src/Config.py
@@ -10,7 +10,7 @@ class Config(object):
 def __init__(self, argv):
 self.version = "0.5.6"
- self.rev = 2142
+ self.rev = 2144
 self.argv = argv
 self.action = None
 self.config_file = "zeronet.conf"
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 547bc3e3..6edf82e7 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -184,7 +184,7 @@ class UiRequest(object):
 return referer

 # Send response headers
- def sendHeader(self, status=200, content_type="text/html", extra_headers=[]):
+ def sendHeader(self, status=200, content_type="text/html", noscript=False, extra_headers=[]):
 headers = []
 headers.append(("Version", "HTTP/1.1"))
 headers.append(("Connection", "Keep-Alive"))
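Review bot: `kwargs.get("header_noscript", False)` makes the CSP sandbox opt-in for archive contents: any caller of this handler that does not forward `header_noscript` serves the file with no Content-Security-Policy at all, exactly as before this patch. That presumably mirrors the default `streamFile` uses for plain files (its `header_noscript` parameter is the one read in the UiRequest hunks), so it is consistent, but the dependency is silent and deserves a comment on the new line: `# CSP sandbox only when the caller flagged the site as noscript; default matches UiRequest.streamFile`. `kwargs` itself is not visible here — the enclosing handler starts before this hunk — so confirm it is the handler's `**kwargs` and that every call path that reaches the archive branch actually forwards `header_noscript`, otherwise a noscript site can read packed files unsandboxed. Unrelated but on the same lines, `except Exception, err` with a debug-level log swallows every failure, including ones after headers were already sent; tightening that is outside this commit's scope.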
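Review bot: Inserting `noscript` before `extra_headers` changes the meaning of the fourth positional argument: a caller that passes extra headers positionally, e.g. `self.sendHeader(200, "text/html", my_headers)`, now sets `noscript` to a non-empty list, which is truthy, so that response silently gets the sandbox CSP and drops its extra headers. I cannot see the callers from this hunk, but appending the new parameter at the end avoids the hazard for plugins and call sites alike: `def sendHeader(self, status=200, content_type="text/html", extra_headers=[], noscript=False):`. While this signature is being touched, `extra_headers=[]` is a shared mutable default; if the body only iterates it that is harmless today, but `extra_headers=None` with `extra_headers = extra_headers or []` is the safe idiom and costs one line. The body of sendHeader continues past this hunk.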
@@ -192,6 +192,10 @@ class UiRequest(object):
 headers.append(("X-Frame-Options", "SAMEORIGIN"))
 if content_type != "text/html" and self.env.get("HTTP_REFERER") and self.isSameOrigin(self.getReferer(), self.getRequestUrl()):
 headers.append(("Access-Control-Allow-Origin", "*")) # Allow load font files from css
+
+ if noscript:
+ headers.append(("Content-Security-Policy", "default-src 'none'; sandbox allow-top-navigation; img-src 'self'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline';"))
+
 if self.env["REQUEST_METHOD"] == "OPTIONS":
 # Allow json access
 headers.append(("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Cookie"))
@@ -498,8 +502,6 @@ class UiRequest(object):
 extra_headers["Accept-Ranges"] = "bytes"
 if header_length:
 extra_headers["Content-Length"] = str(file_size)
- if header_noscript:
- extra_headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation; img-src 'self'; style-src 'self' 'unsafe-inline';"
 if range:
 range_start = int(re.match(".*?([0-9]+)", range).group(1))
 if re.match(".*?-([0-9]+)", range):
@@ -512,7 +514,7 @@ class UiRequest(object):
 status = 206
 else:
 status = 200
- self.sendHeader(status, content_type=content_type, extra_headers=extra_headers.items())
+ self.sendHeader(status, content_type=content_type, noscript=header_noscript, extra_headers=extra_headers.items())
 if self.env["REQUEST_METHOD"] != "OPTIONS":
 file = open(file_path, "rb")
 if range_start:
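Review bot: The relocated policy keeps `sandbox allow-top-navigation` without explaining it: if noscript sites are rendered inside the ZeroNet wrapper frame (the `X-Frame-Options: SAMEORIGIN` line above suggests framing is the normal case), that flag lets an untrusted, script-less page still navigate the top-level UI to an arbitrary URL via a plain link or meta refresh. The directive predates this commit (it is in the line removed from streamFile below), so dropping it is a separate decision, but the policy is now the single place this is enforced and should say why it is there, e.g. `# Untrusted (noscript) sites: no script/connect/object; same-origin images, fonts, media, styles only; allow-top-navigation is needed for <a target=_top> links out of the wrapper — confirm`. The header value is an opaque literal that is easy to edit inconsistently; hoisting it to a module-level `CSP_NOSCRIPT` constant would keep the policy reviewable in one place. Note that `'unsafe-inline'` styles remain permitted, which the commit message does not mention; sendHeader starts before and continues after this hunk.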