add argument to add/remove x-csp header

README.rst

@@ -103,6 +103,7 @@ Options
 -  ``content_security_policy_report_uri``, default ``None``, a string
    indicating the report URI used for `CSP violation reports
    <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports>`_
+- ``legacy_content_security_policy_header``, default ``True``, Whether to add X-CSP header
 -  ``referrer_policy``, default ``strict-origin-when-cross-origin``, a string
    that sets the Referrer Policy header to send a full URL when performing a same-origin
    request, only send the origin of the document to an equally secure destination

flask_talisman/talisman.py

@@ -74,6 +74,7 @@ def init_app(
             content_security_policy_report_uri=None,
             content_security_policy_report_only=False,
             content_security_policy_nonce_in=None,
+            legacy_content_security_policy_header=True,
             referrer_policy=DEFAULT_REFERRER_POLICY,
             session_cookie_secure=True,
             session_cookie_http_only=True):
@@ -108,6 +109,7 @@ def init_app(
                 the POST data
             content_security_policy_nonce_in: A list of csp sections to include
                 a per-request nonce value in
+            legacy_content_security_policy_header: Whether to add X-CSP header
             referrer_policy: A string describing the referrer policy for the
                 response.
             session_cookie_secure: Forces the session cookie to only be sent
@@ -157,6 +159,9 @@ def init_app(
 
         app.jinja_env.globals['csp_nonce'] = self._get_nonce
 
+        self.legacy_content_security_policy_header = \
+            legacy_content_security_policy_header
+
         self.referrer_policy = referrer_policy
 
         self.session_cookie_secure = session_cookie_secure
@@ -306,7 +311,8 @@ def _set_content_security_policy_headers(self, headers, options):
 
         headers[csp_header] = policy
         # IE 10-11, Older Firefox.
-        headers['X-' + csp_header] = policy
+        if self.legacy_content_security_policy_header:
+            headers['X-' + csp_header] = policy
 
     def _set_hsts_headers(self, headers):
         criteria = [

flask_talisman/talisman_test.py

@@ -84,6 +84,19 @@ def testForceSslOptionOptions(self):
         response = self.client.get('/')
         self.assertEqual(response.status_code, 200)
 
+    def testLegacyContentSecurityPolicyHeaderOption(self):
+        # No header X-Content-Security-Policy present
+        self.talisman.legacy_content_security_policy_header = False
+
+        response = self.client.get('/', environ_overrides=HTTPS_ENVIRON)
+        self.assertNotIn('X-Content-Security-Policy', response.headers)
+
+        # Header X-Content-Security-Policy present
+        self.talisman.legacy_content_security_policy_header = True
+
+        response = self.client.get('/', environ_overrides=HTTPS_ENVIRON)
+        self.assertIn('X-Content-Security-Policy', response.headers)
+
     def testHstsOptions(self):
         self.talisman.force_ssl = False