Merge pull request #2674 from minrk/csp-fixes

rgbkrk · web-flow · commit c64104257a62 · 2017-07-20T07:18:35.000-07:00
ensure "default-src 'none'" CSP is added to APIHandlers
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
@@ -62,6 +62,10 @@ def content_security_policy(self):
         
         Can be overridden by defining Content-Security-Policy in settings['headers']
         """
+        if 'Content-Security-Policy' in self.settings.get('headers', {}):
+            # user-specified, don't override
+            return self.settings['headers']['Content-Security-Policy']
+
         return '; '.join([
             "frame-ancestors 'self'",
             # Make sure the report-uri is relative to the base_url
@@ -72,9 +76,8 @@ def set_default_headers(self):
         headers = {}
         headers.update(self.settings.get('headers', {}))
 
-        if "Content-Security-Policy" not in headers:
-            headers["Content-Security-Policy"] = self.content_security_policy
-        
+        headers["Content-Security-Policy"] = self.content_security_policy
+
         # Allow for overriding headers
         for header_name, value in headers.items():
             try:
