Merge pull request #2032 from maxberger/master

Move CSP to config and update changelog

Author: pbiering

CHANGELOG.md

@@ -3,12 +3,19 @@
 ## 3.7.0.dev
 
 * Feature: collection sharing by map or token incl. management API and WebUI extension
+* Feature: share address book collection as birthday calendar
 * Add: [auth] oauth2: allow custom client_id and client_secret (optional)
 * Cleanup: deprecate config option 'ldap_use_ssl' for good
+* Cleanup: WebUI is now split into smaller javascript files
+* Cleanup: WebUI is now fit for strict content security policy
+* Cleanup: WebUI: Simplfied Caching and Navigation internally
+* Cleanup: WebUI: Unified error handling
+* Cleanup: Added integration test for verification of end-to-end behavior of WebUI
 * Performance: improve `path_to_filesystem()`
 * Performance: preload access rights from file
 * Add: [server] delay_on_error option
 * Add: [logging] limit_content option
+* Add: [headers] Content-Security-Policy is now set to be strict on new configs
 
 ## 3.6.1
 

config

@@ -431,6 +431,9 @@
 # Additional HTTP headers
 #Access-Control-Allow-Origin = *
 
+# Set CSP to disallow execution of unknown javascript
+# This may become the default in future versions, override if you need a different CSP.
+Content-Security-Policy = default-src 'self'; object-src 'none'
 
 [hook]
 

integ_tests/common.py

@@ -53,6 +53,8 @@ def start_radicale_server(tmp_path: pathlib.Path) -> Generator[str, Any, None]:
 htpasswd_filename = {user_path}
 [web]
 type = internal
+[headers]
+Content-Security-Policy = default-src 'self'; object-src 'none'
 [sharing]
 type = csv
 collection_by_map = true

radicale/httputils.py

@@ -200,7 +200,6 @@ def _serve_traversable(
         os.path.splitext(traversable.name)[1].lower(), FALLBACK_MIMETYPE)
     headers = {
         "Content-Type": content_type,
-        "Content-Security-Policy": "default-src 'self'; object-src 'none'"
     }
     if isinstance(traversable, pathlib.Path):
         headers["Last-Modified"] = time.strftime(