Use csp nonces for inline scripts and styles

This commit is contained in:
Ryan Ahearn
2023-03-07 16:08:51 -05:00
parent e8e8c889d6
commit 2a6bc62003
5 changed files with 14 additions and 13 deletions

View File

@@ -1,3 +1,4 @@
from re import search
def test_owasp_useful_headers_set(
@@ -11,13 +12,13 @@ def test_owasp_useful_headers_set(
assert response.headers['X-Frame-Options'] == 'deny'
assert response.headers['X-Content-Type-Options'] == 'nosniff'
assert response.headers['X-XSS-Protection'] == '1; mode=block'
assert response.headers['Content-Security-Policy'] == (
"default-src 'self' static.example.com; "
"script-src 'self' static.example.com *.google-analytics.com https://js-agent.newrelic.com "
"https://*.nr-data.net data:; "
"connect-src 'self' *.google-analytics.com https://*.nr-data.net; "
"font-src 'self' static.example.com data:; "
"img-src "
"'self' static.example.com static-logos.test.com"
" *.google-analytics.com data:"
csp = response.headers['Content-Security-Policy']
assert search(r"default-src 'self' static\.example\.com;", csp)
assert search(
r"script-src 'self' 'unsafe-eval' static\.example\.com \*\.google-analytics\.com https:\/\/js-agent\.newrelic\.com https:\/\/\*\.nr-data\.net data: 'nonce-.*';", # noqa e501
csp
)
assert search(r"connect-src 'self' \*\.google-analytics\.com https:\/\/\*.nr-data\.net;", csp)
assert search(r"style-src 'self' static\.example\.com 'nonce-.*';", csp)
assert search(r"font-src 'self' static\.example\.com data:;", csp)
assert search(r"img-src 'self' static\.example\.com static-logos\.test\.com \*\.google-analytics\.com data:", csp)