Merge pull request #2321 from GSA/notify-admin-2315

dynamic scan warnings
2025-12-10 15:13:40 -05:00 · 2025-02-10 14:05:22 -05:00
parent 22f729d652 208891a71a
commit a4963b8263
4 changed files with 22 additions and 4 deletions
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -14,10 +14,8 @@
    <script nonce="{{ csp_nonce() }}">document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>
    {% block bodyStart %}
      {% block extra_javascripts_before_body %}
-      <!-- Google Tag Manager (noscript) -->
      <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WX5NGWF"
      height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
-      <!-- End Google Tag Manager (noscript) -->
      {% endblock %}
    {% endblock %}

@@ -145,10 +143,8 @@
    {% block bodyEnd %}
      {% block extra_javascripts %}
      {% endblock %}
-      <!--[if gt IE 8]><!-->
      <script type="text/javascript" src="{{ asset_url('javascripts/all.js') }}"></script>
      <script type="text/javascript" src="{{ asset_url('js/uswds.min.js') }}"></script>
-      <!--<![endif]-->
    {% endblock %}
  </body>
 </html>
--- a/application.py
+++ b/application.py
@@ -1,7 +1,10 @@
 from flask import Flask
+from werkzeug.serving import WSGIRequestHandler

 from app import create_app

+WSGIRequestHandler.version_string = lambda self: "SecureServer"
+
 application = Flask("app")

 create_app(application)
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -75,6 +75,24 @@ class ResponseHeaderMiddleware(object):
            if SPAN_ID_HEADER.lower() not in lower_existing_header_names:
                headers.append((SPAN_ID_HEADER, str(req.span_id)))

+            # Some dynamic scan findings
+            headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
+            headers.append(("Cross-Origin-Embedder-Policy", "require-corp"))
+            headers.append(("Cross-Origin-Resource-Policy", "same-origin"))
+            headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
+
+            # svg content type should not contain charset
+            found_svg = False
+            for _, v in headers:
+                if "svg+xml" in v:
+                    found_svg = True
+            if found_svg:
+                new_headers = [
+                    (k, v) for k, v in headers if k.lower() != "content-type"
+                ]
+                new_headers.append(("Content-Type", "image/svg+xml"))
+                return start_response(status, new_headers, exc_info)
+
            return start_response(status, headers, exc_info)

        return self._app(environ, rewrite_response_headers)
--- a/zap.conf
+++ b/zap.conf
@@ -53,6 +53,7 @@
 10096	WARN	(Timestamp Disclosure - Passive/release)
 10097	WARN	(Hash Disclosure - Passive/beta)
 10098	WARN	(Cross-Domain Misconfiguration - Passive/release)
+10099	IGNORE	(Source Code Disclosure - Java)
 10104	WARN	(User Agent Fuzzer - Active/beta)
 10105	WARN	(Weak Authentication Method - Passive/release)
 10106	IGNORE	(HTTP Only Site - Active/beta)