From 9615f9d0c2a649b44a2fd63e3490e0239925b0fc Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Mon, 23 Jan 2023 11:05:51 -0500 Subject: [PATCH] Fix header test --- app/__init__.py | 3 ++- tests/app/main/views/test_headers.py | 10 ++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/app/__init__.py b/app/__init__.py index 185d48aef..40619aac3 100644 --- a/app/__init__.py +++ b/app/__init__.py @@ -356,7 +356,8 @@ def useful_headers_after_request(response): response.headers.add('X-XSS-Protection', '1; mode=block') response.headers.add('Content-Security-Policy', ( "default-src 'self' {asset_domain} 'unsafe-inline';" - "script-src 'self' {asset_domain} *.google-analytics.com https://js-agent.newrelic.com https://*.nr-data.net 'unsafe-inline' 'unsafe-eval' data:;" + "script-src 'self' {asset_domain} *.google-analytics.com https://js-agent.newrelic.com https://*.nr-data.net " + "'unsafe-inline' 'unsafe-eval' data:;" "connect-src 'self' *.google-analytics.com https://*.nr-data.net;" "object-src 'self';" "font-src 'self' {asset_domain} data:;" diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py index d43e7efc9..e19e0b4c1 100644 --- a/tests/app/main/views/test_headers.py +++ b/tests/app/main/views/test_headers.py @@ -13,8 +13,9 @@ def test_owasp_useful_headers_set( assert response.headers['X-XSS-Protection'] == '1; mode=block' assert response.headers['Content-Security-Policy'] == ( "default-src 'self' static.example.com 'unsafe-inline';" - "script-src 'self' static.example.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;" - "connect-src 'self' *.google-analytics.com;" + "script-src 'self' static.example.com *.google-analytics.com https://js-agent.newrelic.com " + "https://*.nr-data.net 'unsafe-inline' 'unsafe-eval' data:;" + "connect-src 'self' *.google-analytics.com https://*.nr-data.net;" "object-src 'self';" "font-src 'self' static.example.com data:;" "img-src " @@ -43,8 +44,9 @@ def test_headers_non_ascii_characters_are_replaced( assert response.headers['Content-Security-Policy'] == ( "default-src 'self' static.example.com 'unsafe-inline';" - "script-src 'self' static.example.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;" - "connect-src 'self' *.google-analytics.com;" + "script-src 'self' static.example.com *.google-analytics.com https://js-agent.newrelic.com " + "https://*.nr-data.net 'unsafe-inline' 'unsafe-eval' data:;" + "connect-src 'self' *.google-analytics.com https://*.nr-data.net;" "object-src 'self';" "font-src 'self' static.example.com data:;" "img-src"