merge from main

2026-04-11 21:01:06 -04:00 · 2025-04-14 07:54:42 -07:00
parent f3c3a60875 d3e17c743b
commit 16b1429eb0
7 changed files with 138 additions and 182 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -145,6 +145,7 @@ def _csp(config):
        "frame-src": [
            "https://www.youtube.com",
            "https://www.youtube-nocookie.com",
+            "https://www.googletagmanager.com",
        ],
        "frame-ancestors": "'none'",
        "form-action": "'self'",
@@ -169,6 +170,11 @@ def _csp(config):


 def create_app(application):
+    @application.after_request
+    def add_csp_header(response):
+        existing_csp = response.headers.get("Content-Security-Policy", "")
+        response.headers["Content-Security-Policy"] = existing_csp + "; form-action 'self';"
+        return response
    # @application.context_processor
    # def inject_feature_flags():
    # this is where feature flags can be easily added as a dictionary within context
--- a/app/assets/sass/uswds/_legacy-styles.scss
+++ b/app/assets/sass/uswds/_legacy-styles.scss
@@ -49,12 +49,12 @@
 }

 .sms-message-sender, .sms-message-file-name, .sms-message-scheduler, .sms-message-template, .sms-message-sender {
-  margin:0.25rem 0 0;
+  margin: units(0.5) 0 0;
 }

 .sms-message-recipient {
  color: color('gray-cool-90');
-  margin: units(1) 0 units(1);
+  margin: units(0.5) 0 units(2);
 }

 .sms-message-status {
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -14,7 +14,7 @@
    <script nonce="{{ csp_nonce() }}">document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>
    {% block bodyStart %}
      {% block extra_javascripts_before_body %}
-      <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WX5NGWF"
+      <noscript><iframe sandbox src="https://www.googletagmanager.com/ns.html?id=GTM-WX5NGWF"
      height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
      {% endblock %}
    {% endblock %}
--- a/app/templates/components/file-upload.html
+++ b/app/templates/components/file-upload.html
@@ -29,7 +29,7 @@
      'class': 'file-upload-field',
      'accept': allowed_file_extensions|format_list_items('.{item}')|join(',')|e
    }) }}
-    <label class="file-upload-button" for="{{ field.name }}">
+    <label class="file-upload-button usa-button" for="{{ field.name }}">
      {{ button_text }}
    </label>
    {% if alternate_link and alternate_link_text %}
--- a/app/templates/views/send.html
+++ b/app/templates/views/send.html
@@ -7,7 +7,7 @@
 <script type="text/javascript" src="{{ asset_url('js/setTimezone.js') }}"></script>

 {% block service_page_title %}
-  Upload a list of {{ 999|recipient_count_label(template.template_type) }}
+  Upload your bulk-sending spreadsheet
 {% endblock %}


@@ -15,20 +15,61 @@
  {{ usaBackLink(params) }}
 {% endblock %}

+{% set phone_numbers = [
+  {
+      "svg_src": "#check_circle",
+      "card_heading": "Label column A (the first column) as Phone number",
+    },
+    {
+      "svg_src": "#check_circle",
+      "card_heading": "Double check it's the only column with Phone number as its label",
+    },
+    {
+      "svg_src": "#check_circle",
+      "card_heading": "Make sure no duplicate phone numbers are listed in Column A",
+    }
+  ]
+%}
+
+{% set additional_data = [
+  {
+    "svg_src": "#check_circle",
+    "card_heading": "Match column labels one-to-one to the message template placeholders",
+  },
+  {
+    "svg_src": "#check_circle",
+    "card_heading": "Label each additional <a class=\"usa-link\" href=\"/using-notify/how-to#personalize-content\">personalized placeholder</a> separately",
+  },
+  {
+    "svg_src": "#check_circle",
+    "card_heading": "Separate each word in a column label with a space or dash, but no commas",
+  },
+  {
+    "svg_src": "#check_circle",
+    "card_heading": "Fill in each personalized placeholder with the appropriate data or information",
+  },
+  {
+    "svg_src": "#check_circle",
+    "card_heading": "Fill in each <a class=\"usa-link\" href=\"/using-notify/how-to#conditional-content\">conditional placeholder</a> column with a Yes (Y) or No (N) to “answer” whether the recipient meets its criteria",
+  }
+  ]
+%}
+
 {% block maincolumn_content %}

-  {{ page_header('Upload a list of {}'.format(999|recipient_count_label(template.template_type))) }}
+  {{ page_header('Upload your bulk-sending spreadsheet')}}
+  <p class="font-sans-lg text-base">Organize phone numbers and information in a single spreadsheet and upload when you have multiple messages to send. Column headers in the spreadsheet will place the data in the right spots within the template that's selected.</p>

-  <div class="page-footer bottom-gutter">
+  <div class="page-footer bottom-gutter margin-top-3">
    {{file_upload(
      form.file,
      allowed_file_extensions=allowed_file_extensions,
-      button_text='Choose a file',
+      button_text='Choose and upload a spreadsheet',
      show_errors=False
    )}}
  </div>

-  <h2 class="font-body-lg">Your file needs to look like this example</h2>
+  <h2 class="font-body-lg">A spreadsheet is available to use</h2>

  <div class="spreadsheet" data-module="fullscreen-table">
    {% call(item, row_number) list_table(
@@ -44,14 +85,71 @@
    {% endcall %}
  </div>
  <p class="hint">
-    Save your spreadsheet as a <abbr title="Comma Separated Values">CSV</abbr> file for bulk messaging. It is the most reliable when uploading your contact list. Start by downloading this example for your message template.
+    Each template saved in Notify is given an example <abbr title="Comma Separated Values">CSV</abbr> formatted spreadsheet like this. It's the most reliable file format for uploading your contact list. Use this example to populate your template with the right data items. Start by downloading this example for your message template. Then save it as a <abbr title="Comma Separated Values">CSV</abbr> file for bulk messaging.
  </p>
  <p class="table-show-more-link">
    <a class="usa-link display-flex margin-top-1" href="{{ url_for('.get_example_csv', service_id=current_service.id, template_id=template.id) }}" download>Download this example (<abbr title="Comma separated values">CSV</abbr>)
      <img class="margin-left-05" src="{{ asset_url('img/material-icons/download.svg') }}" alt="" />
    </a>
  </p>
-  <h2 class="font-body-lg margin-bottom-1">Your file will populate this template:<br><span class="font-body-lg">({{ template.name }})</span></h2>
+  <h2 class="font-body-lg">Your bulk-sending spreadsheet checklist</h2>
+  <div class="grid-container margin-top-2 padding-0">
+    <div class="grid-row">
+      <div class="grid-col-12">
+        <h3>Phone numbers</h3>
+        <ul class="usa-icon-list">
+          {% for item in phone_numbers %}
+          <li class="usa-icon-list__item">
+            <div class="usa-icon-list__icon text-green">
+              <svg aria-hidden="true" focusable="false" role="img" class="usa-icon">
+                <use xlink:href="{{ asset_url('img/sprite.svg') }}{{ item.svg_src }}"></use>
+              </svg>
+            </div>
+            <div class="usa-icon-list__content">
+              {{item.card_heading | safe }}
+            </div>
+          </li>
+          {% endfor %}
+        </ul>
+      </div>
+      <div class="grid-col-12">
+        <h3>Additional data</h3>
+        <ul class="usa-icon-list">
+          {% for item in additional_data %}
+          <li class="usa-icon-list__item">
+            <div class="usa-icon-list__icon text-green">
+              <svg aria-hidden="true" focusable="false" role="img" class="usa-icon">
+                <use xlink:href="{{ asset_url('img/sprite.svg') }}{{ item.svg_src }}"></use>
+              </svg>
+            </div>
+            <div class="usa-icon-list__content">
+              {{item.card_heading | safe }}
+            </div>
+          </li>
+          {% endfor %}
+        </ul>
+      </div>
+      <div class="grid-col-12">
+        <h3>If an error occurs</h3>
+        <ul class="usa-icon-list">
+          <li class="usa-icon-list__item">
+            <div class="usa-icon-list__icon text-red">
+              <svg aria-hidden="true" focusable="false" role="img" class="usa-icon">
+                <use xlink:href="{{ asset_url('img/sprite.svg') }}#error"></use>
+              </svg>
+            </div>
+            <div class="usa-icon-list__content">
+              If you're receiving any errors, double check your file format and make sure your data is pasted in with values only
+            </div>
+          </li>
+        </ul>
+        </div>
+    </div>
+  </div>
+
+  <h2 class="font-body-lg margin-bottom-2">You are filling in this template</h2>
+  <p>Template: {{ template.name }}</p>
  {{ template|string }}

+
 {% endblock %}
--- a/poetry.lock
+++ b/poetry.lock
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -14,7 +14,7 @@ def test_owasp_useful_headers_set(
    assert response.headers["X-Frame-Options"] == "deny"
    assert response.headers["X-Content-Type-Options"] == "nosniff"
    csp = response.headers["Content-Security-Policy"]
-    assert search(r"default-src 'self' static\.example\.com;", csp)
+    assert search(r"frame-src.*https://www\.googletagmanager\.com", csp)
    assert search(r"frame-ancestors 'none';", csp)
    assert search(r"form-action 'self';", csp)
    assert search(