diff --git a/app/__init__.py b/app/__init__.py index e2852b6b3..d013be090 100644 --- a/app/__init__.py +++ b/app/__init__.py @@ -303,8 +303,13 @@ def useful_headers_after_request(response): response.headers.add('X-Frame-Options', 'deny') response.headers.add('X-Content-Type-Options', 'nosniff') response.headers.add('X-XSS-Protection', '1; mode=block') - response.headers.add('Content-Security-Policy', - "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;") # noqa + response.headers.add('Content-Security-Policy', ( + "default-src 'self' 'unsafe-inline';" + "script-src 'self' *.google-analytics.com 'unsafe-inline' data:;" + "object-src 'self';" + "font-src 'self' data:;" + "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;" + )) if 'Cache-Control' in response.headers: del response.headers['Cache-Control'] response.headers.add( diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py index 006855439..53b1f2b32 100644 --- a/tests/app/main/views/test_headers.py +++ b/tests/app/main/views/test_headers.py @@ -6,4 +6,10 @@ def test_owasp_useful_headers_set(app_): assert response.headers['X-Frame-Options'] == 'deny' assert response.headers['X-Content-Type-Options'] == 'nosniff' assert response.headers['X-XSS-Protection'] == '1; mode=block' - assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;" # noqa + assert response.headers['Content-Security-Policy'] == ( + "default-src 'self' 'unsafe-inline';" + "script-src 'self' *.google-analytics.com 'unsafe-inline' data:;" + "object-src 'self';" + "font-src 'self' data:;" + "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;" + )