Upgrade secure headers modules

ikus060 · ikus060 · commit d081308ac62d · 2025-08-07T18:39:11.000Z
Signed-off-by: Patrik Dufresne &lt;patrik@ikus-soft.com&gt;
diff --git a/rdiffweb/controller/tests/test_secure_headers.py b/rdiffweb/controller/tests/test_secure_headers.py
@@ -171,7 +171,7 @@ def test_content_security_policy(self):
         self.assertStatus(200)
         self.assertHeaderItemValue(
             'Content-Security-Policy',
-            "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:;",
+            "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:",
         )
 
     def test_strict_transport_security(self):
diff --git a/rdiffweb/rdw_app.py b/rdiffweb/rdw_app.py
@@ -110,7 +110,12 @@ def default(o):
 @cherrypy.tools.enrich_session()
 @cherrypy.tools.proxy(local=None, remote='X-Real-IP')
 @cherrypy.tools.secure_headers(
-    csp="default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:;"
+    csp={
+        "default-src": "'self'",
+        "style-src": ("'self'", "'unsafe-inline'"),
+        "script-src": ("'self'", "'unsafe-inline'"),
+        "img-src": ("'self'", "data:"),
+    }
 )
 class Root(LocationsPage):
     def __init__(self):
diff --git a/rdiffweb/tools/secure_headers.py b/rdiffweb/tools/secure_headers.py
@@ -22,6 +22,12 @@
 # Define the logger
 logger = logging.getLogger(__name__)
 
+DEFAULT_CSP = {
+    'default-src': 'self',
+    'style-src': ('self', 'unsafe-inline'),
+    'script-src': ('self' 'unsafe-inline'),
+}
+
 #
 # Patch Morsel prior to 3.8
 # Allow SameSite attribute to be define on the cookie.
@@ -30,13 +36,22 @@
     http.cookies.Morsel._reserved['samesite'] = 'SameSite'
 
 
+def _build_csp(csp):
+    if isinstance(csp, dict):
+        return "; ".join(
+            f"{directive} {' '.join(sources) if isinstance(sources, (list,tuple)) else str(sources)}"
+            for directive, sources in csp.items()
+        )
+    return str(csp)
+
+
 def set_headers(
     xfo='DENY',
     no_cache=True,
     referrer='same-origin',
     nosniff=True,
     xxp='1; mode=block',
-    csp="default-src 'self'",
+    csp=DEFAULT_CSP,
 ):
     """
     This tool provide CSRF mitigation.
@@ -98,7 +113,7 @@ def set_headers(
 
     # Add Content-Security-Policy
     if csp:
-        response.headers['Content-Security-Policy'] = csp
+        response.headers['Content-Security-Policy'] = _build_csp(csp)
 
     # Add Strict-Transport-Security to force https use.
     if https:

Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,7 @@ def test_content_security_policy(self):`
`171`	`171`	`self.assertStatus(200)`
`172`	`172`	`self.assertHeaderItemValue(`
`173`	`173`	`'Content-Security-Policy',`
`174`		`- "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:;",`
	`174`	`+ "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:",`
`175`	`175`	`)`
`176`	`176`
`177`	`177`	`def test_strict_transport_security(self):`