diff --git a/app/__init__.py b/app/__init__.py index e5da724bd..d6fda1ddf 100644 --- a/app/__init__.py +++ b/app/__init__.py @@ -30,7 +30,6 @@ from notifications_utils.formatters import ( get_lines_with_normalised_whitespace, ) from notifications_utils.recipients import format_phone_number_human_readable -from notifications_utils.sanitise_text import SanitiseASCII from werkzeug.exceptions import HTTPException as WerkzeugHTTPException from werkzeug.exceptions import abort from werkzeug.local import LocalProxy @@ -147,6 +146,7 @@ navigation = { 'org_navigation': OrgNavigation(), } + def _csp(config): asset_domain = config['ASSET_DOMAIN'] logo_domain = config['LOGO_CDN_DOMAIN'] diff --git a/app/templates/admin_template.html b/app/templates/admin_template.html index df66b7ba2..b069905a5 100644 --- a/app/templates/admin_template.html +++ b/app/templates/admin_template.html @@ -19,7 +19,7 @@ {% block extra_stylesheets %} {% endblock %} - {% if g.hide_from_search_engines %} diff --git a/app/templates/main_template.html b/app/templates/main_template.html index 5af33614d..adc95cff4 100644 --- a/app/templates/main_template.html +++ b/app/templates/main_template.html @@ -28,7 +28,7 @@ - + {% block bodyStart %}{% endblock %} {% block skipLink %} diff --git a/app/templates/partials/tour.html b/app/templates/partials/tour.html index a8c92c922..019e70cfd 100644 --- a/app/templates/partials/tour.html +++ b/app/templates/partials/tour.html @@ -4,7 +4,7 @@

Try sending yourself this example

-

1.

+

1.

diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py index dfcb837fa..bfb2633dc 100644 --- a/tests/app/main/views/test_headers.py +++ b/tests/app/main/views/test_headers.py @@ -1,3 +1,4 @@ +from re import search def test_owasp_useful_headers_set( @@ -11,13 +12,13 @@ def test_owasp_useful_headers_set( assert response.headers['X-Frame-Options'] == 'deny' assert response.headers['X-Content-Type-Options'] == 'nosniff' assert response.headers['X-XSS-Protection'] == '1; mode=block' - assert response.headers['Content-Security-Policy'] == ( - "default-src 'self' static.example.com; " - "script-src 'self' static.example.com *.google-analytics.com https://js-agent.newrelic.com " - "https://*.nr-data.net data:; " - "connect-src 'self' *.google-analytics.com https://*.nr-data.net; " - "font-src 'self' static.example.com data:; " - "img-src " - "'self' static.example.com static-logos.test.com" - " *.google-analytics.com data:" + csp = response.headers['Content-Security-Policy'] + assert search(r"default-src 'self' static\.example\.com;", csp) + assert search( + r"script-src 'self' 'unsafe-eval' static\.example\.com \*\.google-analytics\.com https:\/\/js-agent\.newrelic\.com https:\/\/\*\.nr-data\.net data: 'nonce-.*';", # noqa e501 + csp ) + assert search(r"connect-src 'self' \*\.google-analytics\.com https:\/\/\*.nr-data\.net;", csp) + assert search(r"style-src 'self' static\.example\.com 'nonce-.*';", csp) + assert search(r"font-src 'self' static\.example\.com data:;", csp) + assert search(r"img-src 'self' static\.example\.com static-logos\.test\.com \*\.google-analytics\.com data:", csp)
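Review bot: The `'nonce-.*'` pattern in the new script-src and style-src assertions accepts an empty or trivially short nonce (`'nonce-'` matches), so the test no longer pins the one property that makes a nonce-based CSP meaningful; tighten it to something like `'nonce-[A-Za-z0-9+/=_-]{16,}'` and, if the template changes in this commit render the nonce into the page, also assert that the header's nonce equals the one in the response body and differs between two requests. The new expected policy also carries `'unsafe-eval'` in script-src, which is a deliberate weakening relative to the old assertion (any allowed script may evaluate attacker-influenced strings), so the assertion should carry a comment naming the dependency that requires it so it can be removed when that dependency goes. The connect-src pattern `https:\/\/\*.nr-data\.net` leaves the dot after `\*` unescaped, and `# noqa e501` without a colon is read by flake8 as a bare `# noqa` that silences every check on that line — use `# noqa: E501`. The enclosing `test_owasp_useful_headers_set` begins before this hunk.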