mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-07-08 10:28:57 -04:00
Use csp nonces for inline scripts and styles
This commit is contained in:
@@ -1,3 +1,4 @@
|
||||
from re import search
|
||||
|
||||
|
||||
def test_owasp_useful_headers_set(
|
||||
@@ -11,13 +12,13 @@ def test_owasp_useful_headers_set(
|
||||
assert response.headers['X-Frame-Options'] == 'deny'
|
||||
assert response.headers['X-Content-Type-Options'] == 'nosniff'
|
||||
assert response.headers['X-XSS-Protection'] == '1; mode=block'
|
||||
assert response.headers['Content-Security-Policy'] == (
|
||||
"default-src 'self' static.example.com; "
|
||||
"script-src 'self' static.example.com *.google-analytics.com https://js-agent.newrelic.com "
|
||||
"https://*.nr-data.net data:; "
|
||||
"connect-src 'self' *.google-analytics.com https://*.nr-data.net; "
|
||||
"font-src 'self' static.example.com data:; "
|
||||
"img-src "
|
||||
"'self' static.example.com static-logos.test.com"
|
||||
" *.google-analytics.com data:"
|
||||
csp = response.headers['Content-Security-Policy']
|
||||
assert search(r"default-src 'self' static\.example\.com;", csp)
|
||||
assert search(
|
||||
r"script-src 'self' 'unsafe-eval' static\.example\.com \*\.google-analytics\.com https:\/\/js-agent\.newrelic\.com https:\/\/\*\.nr-data\.net data: 'nonce-.*';", # noqa e501
|
||||
csp
|
||||
)
|
||||
assert search(r"connect-src 'self' \*\.google-analytics\.com https:\/\/\*.nr-data\.net;", csp)
|
||||
assert search(r"style-src 'self' static\.example\.com 'nonce-.*';", csp)
|
||||
assert search(r"font-src 'self' static\.example\.com data:;", csp)
|
||||
assert search(r"img-src 'self' static\.example\.com static-logos\.test\.com \*\.google-analytics\.com data:", csp)
|
||||
|
||||
Reference in New Issue
Block a user