From 0308dc78d9a98bb856816bdfbfa74c47c063a74b Mon Sep 17 00:00:00 2001
From: Min RK 
Date: Thu, 20 Jul 2017 15:35:00 +0200
Subject: [PATCH] ensure "default-src 'none'" CSP is added to APIHandlers even if custom Content-Security-Policy header is applied, which was previously setting the same value for both APIHandlers and page handlers
---
 notebook/base/handlers.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index 48a7b0980..76651e9e0 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -62,6 +62,10 @@ class AuthenticatedHandler(web.RequestHandler):
 Can be overridden by defining Content-Security-Policy in settings['headers']
 """
+ if 'Content-Security-Policy' in self.settings.get('headers', {}):
+ # user-specified, don't override
+ return self.settings['headers']['Content-Security-Policy']
+
 return '; '.join([
 "frame-ancestors 'self'",
 # Make sure the report-uri is relative to the base_url
@@ -72,9 +76,8 @@ class AuthenticatedHandler(web.RequestHandler):
 headers = {}
 headers.update(self.settings.get('headers', {}))
- if "Content-Security-Policy" not in headers:
- headers["Content-Security-Policy"] = self.content_security_policy
-
+ headers["Content-Security-Policy"] = self.content_security_policy
+
 # Allow for overriding headers
 for header_name, value in headers.items():
 try:
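Review bot: The membership test on the added `if` line is exact-case, so an operator who configures the header as `content-security-policy` (or any other casing) in `settings['headers']` is not recognised here; the default policy is then applied alongside theirs and which one the response ends up carrying is unclear, so either normalise the key or document that the exact name `Content-Security-Policy` is required. The docstring context line should also say that an operator-supplied value replaces the default policy wholesale, including `frame-ancestors 'self'` and the report-uri, e.g. `Can be overridden by defining Content-Security-Policy in settings['headers']; the override replaces the default policy entirely, so include frame-ancestors 'self' if clickjacking protection is still wanted.` The double dictionary walk can be a single lookup: `csp = self.settings.get('headers', {}).get('Content-Security-Policy')` followed by `if csp is not None: return csp`. The property's decorator and signature, and the tail of the join, lie outside the hunk.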
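Review bot: The comment `# Allow for overriding headers` above the loop no longer describes what happens to the CSP entry: the assignment on the added line overwrites whatever `headers.update` copied from settings, and the operator's override is now honoured inside `content_security_policy` instead. Suggest rewording it to `# CSP is taken from the property (which honours settings['headers']) so subclasses can extend an operator-supplied policy; all other headers are applied as given`. A consequence worth a one-line note beside the assignment is that a subclass overriding `content_security_policy` without calling super now silently discards the operator's configured policy, since this is the only path by which it reaches the response; the API-handler override the commit message refers to is not part of this diff, so that cannot be checked here. The `def set_default_headers` line and the body of the `try` are outside the hunk.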