darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-02-05 19:03:30 -05:00
Code Issues Packages Projects Releases Wiki Activity

Allow images to be served from live domain

Browse Source 
Currently images in our email template are hardcoded to be served from
the live domain[1].

In order for the admin app, running locally or in preview/staging, to be
able to load these images when previewing an email template, the CSP
headers need to allow this domain.

Also splits the header string up using string literal concatenation[2]
so that it’s easier to read.

1. https://notifications.service.gov.uk
2. https://docs.python.org/3/reference/lexical_analysis.html#string-literal-concatenation
This commit is contained in:
Chris Hill-Scott
2016-07-05 07:12:21 +01:00
parent 9f91694c71
commit d380eaf060
2 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
app/__init__.py
View File

@@ -303,8 +303,13 @@ def useful_headers_after_request(response):
response.headers.add('X-Frame-Options', 'deny')
response.headers.add('X-Content-Type-Options', 'nosniff')
response.headers.add('X-XSS-Protection', '1; mode=block')
response.headers.add('Content-Security-Policy',
"default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;") # noqa
response.headers.add('Content-Security-Policy', (
"default-src 'self' 'unsafe-inline';"
"script-src 'self' *.google-analytics.com 'unsafe-inline' data:;"
"object-src 'self';"
"font-src 'self' data:;"
"img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;"
))
if 'Cache-Control' in response.headers:
del response.headers['Cache-Control']
response.headers.add(

8
tests/app/main/views/test_headers.py
View File

@@ -6,4 +6,10 @@ def test_owasp_useful_headers_set(app_):
assert response.headers['X-Frame-Options'] == 'deny'
assert response.headers['X-Content-Type-Options'] == 'nosniff'
assert response.headers['X-XSS-Protection'] == '1; mode=block'
assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;" # noqa
assert response.headers['Content-Security-Policy'] == (
"default-src 'self' 'unsafe-inline';"
"script-src 'self' *.google-analytics.com 'unsafe-inline' data:;"
"object-src 'self';"
"font-src 'self' data:;"
"img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;"
)