Use csp nonces for inline scripts and styles

2026-02-06 11:23:48 -05:00 · 2023-03-07 16:08:51 -05:00
parent e8e8c889d6
commit 2a6bc62003
5 changed files with 14 additions and 13 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -30,7 +30,6 @@ from notifications_utils.formatters import (
    get_lines_with_normalised_whitespace,
 )
 from notifications_utils.recipients import format_phone_number_human_readable
-from notifications_utils.sanitise_text import SanitiseASCII
 from werkzeug.exceptions import HTTPException as WerkzeugHTTPException
 from werkzeug.exceptions import abort
 from werkzeug.local import LocalProxy
@@ -147,6 +146,7 @@ navigation = {
    'org_navigation': OrgNavigation(),
 }

+
 def _csp(config):
    asset_domain = config['ASSET_DOMAIN']
    logo_domain = config['LOGO_CDN_DOMAIN']
--- a/app/templates/admin_template.html
+++ b/app/templates/admin_template.html
@@ -19,7 +19,7 @@
  <link rel="stylesheet" media="print" href="{{ asset_url('stylesheets/print.css') }}" />
  {% block extra_stylesheets %}
  {% endblock %}
-  <style>
+  <style nonce="{{ csp_nonce() }}">
      .govuk-header__container { border-color: {{header_colour}} }
  </style>
  {% if g.hide_from_search_engines %}
--- a/app/templates/main_template.html
+++ b/app/templates/main_template.html
@@ -28,7 +28,7 @@
    <!-- <meta property="og:image" content="{{ assetUrl | default('/assets') }}/images/govuk-opengraph-image.png"> -->
  </head>
  <body class="govuk-template__body {{ bodyClasses }}">
-    <script>document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>
+    <script nonce="{{ csp_nonce() }}">document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>
    {% block bodyStart %}{% endblock %}

    {% block skipLink %}
--- a/app/templates/partials/tour.html
+++ b/app/templates/partials/tour.html
@@ -4,7 +4,7 @@
    <p class="heading-medium">Try sending yourself this example</p>
    <div class="govuk-grid-row bottom-gutter {% if help != '1' %}greyed-out-step{% endif %}">
      <div class="govuk-grid-column-one-sixth">
-        <p class="heading-large" style="float: left;">1.</p>
+        <p class="heading-large">1.</p>
      </div>
      <div class="govuk-grid-column-five-sixths">
        <p class="govuk-body">
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -1,3 +1,4 @@
+from re import search


 def test_owasp_useful_headers_set(
@@ -11,13 +12,13 @@ def test_owasp_useful_headers_set(
    assert response.headers['X-Frame-Options'] == 'deny'
    assert response.headers['X-Content-Type-Options'] == 'nosniff'
    assert response.headers['X-XSS-Protection'] == '1; mode=block'
-    assert response.headers['Content-Security-Policy'] == (
-        "default-src 'self' static.example.com; "
-        "script-src 'self' static.example.com *.google-analytics.com https://js-agent.newrelic.com "
-        "https://*.nr-data.net data:; "
-        "connect-src 'self' *.google-analytics.com https://*.nr-data.net; "
-        "font-src 'self' static.example.com data:; "
-        "img-src "
-        "'self' static.example.com static-logos.test.com"
-        " *.google-analytics.com data:"
+    csp = response.headers['Content-Security-Policy']
+    assert search(r"default-src 'self' static\.example\.com;", csp)
+    assert search(
+        r"script-src 'self' 'unsafe-eval' static\.example\.com \*\.google-analytics\.com https:\/\/js-agent\.newrelic\.com https:\/\/\*\.nr-data\.net data: 'nonce-.*';", # noqa e501
+        csp
    )
+    assert search(r"connect-src 'self' \*\.google-analytics\.com https:\/\/\*.nr-data\.net;", csp)
+    assert search(r"style-src 'self' static\.example\.com 'nonce-.*';", csp)
+    assert search(r"font-src 'self' static\.example\.com data:;", csp)
+    assert search(r"img-src 'self' static\.example\.com static-logos\.test\.com \*\.google-analytics\.com data:", csp)