Merge pull request #2544 from GSA/2543-troubleshoot-socketio

2543 troubleshoot socketio
2026-05-20 08:39:21 -04:00 · 2025-04-30 14:20:33 -04:00
parent 7fbed553aa ccdfd0c10e
commit b48377e4b4
3 changed files with 30 additions and 6 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -141,7 +141,9 @@ navigation = {
 def _csp(config):
    asset_domain = config["ASSET_DOMAIN"]
    logo_domain = config["LOGO_CDN_DOMAIN"]
-    return {
+    api_host_name = config["API_HOST_NAME"]
+
+    csp = {
        "default-src": ["'self'", asset_domain],
        "frame-src": [
            "https://www.youtube.com",
@@ -165,13 +167,22 @@ def _csp(config):
            "'self'",
            "https://gov-bam.nr-data.net",
            "https://www.google-analytics.com",
-            "http://localhost:6011",
-            "ws://localhost:6011",
        ],
        "style-src": ["'self'", asset_domain],
        "img-src": ["'self'", asset_domain, logo_domain],
    }

+    if api_host_name:
+        csp["connect-src"].append(api_host_name)
+        # this is for web socket
+        if api_host_name.startswith("http://"):
+            ws_url = api_host_name.replace("http://", "ws://")
+            csp["connect-src"].append(ws_url)
+        elif api_host_name.startswith("https://"):
+            ws_url = api_host_name.replace("https://", "wss://")
+            csp["connect-src"].append(ws_url)
+    return csp
+

 def create_app(application):
    @application.after_request
--- a/pytest.ini
+++ b/pytest.ini
@@ -5,7 +5,7 @@ log_level = 999
 env =
    NOTIFY_ENVIRONMENT=test
    ADMIN_CLIENT_SECRET=dev-notify-secret-key
-    API_HOST_NAME=test
+    API_HOST_NAME=http://you-forgot-to-mock-an-api-call-to
    DANGEROUS_SALT=dev-notify-salt
    SECRET_KEY=dev-notify-secret-key
    ZENDESK_API_KEY=test
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -1,5 +1,7 @@
 from re import search

+from flask import current_app
+

 def test_owasp_useful_headers_set(
    client_request,
@@ -26,9 +28,20 @@ def test_owasp_useful_headers_set(
    )
    assert search(r"'nonce-[^']+';", csp)
    assert search(
-        r"connect-src 'self' https:\/\/gov-bam\.nr-data\.net https:\/\/www\.google-analytics\."
-        r"com http:\/\/localhost:6011 ws:\/\/localhost:6011;",
+        r"connect-src 'self' https:\/\/gov-bam\.nr-data\.net https:\/\/www\.google-analytics\.",
        csp,
    )
    assert search(r"style-src 'self' static\.example\.com 'nonce-.*';", csp)
    assert search(r"img-src 'self' static\.example\.com static-logos\.test\.com", csp)
+    api_host_name = current_app.config.get("API_HOST_NAME")
+    assert api_host_name is not None, f"API_HOST_NAME: {api_host_name} — is missing"
+
+    assert api_host_name in csp
+    if api_host_name.startswith("http://"):
+        assert api_host_name.replace("http://", "ws://") in csp
+    elif api_host_name.startswith("https://"):
+        assert api_host_name.replace("https://", "wss://") in csp
+    else:
+        raise AssertionError(
+            f"Unexpected API_HOST_NAME format: {api_host_name} — must start with 'http://' or 'https://'"
+        )