From d380eaf060c72ef79b2d66d0ca23634ac1f69c55 Mon Sep 17 00:00:00 2001
From: Chris Hill-Scott <me@quis.cc>
Date: Tue, 5 Jul 2016 07:12:21 +0100
Subject: [PATCH] Allow images to be served from live domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently images in our email template are hardcoded to be served from
the live domain[1].

In order for the admin app, running locally or in preview/staging, to be
able to load these images when previewing an email template, the CSP
headers need to allow this domain.

Also splits the header string up using string literal concatenation[2]
so that it’s easier to read.

1. https://notifications.service.gov.uk
2. https://docs.python.org/3/reference/lexical_analysis.html#string-literal-concatenation
---
 app/__init__.py                      | 9 +++++++--
 tests/app/main/views/test_headers.py | 8 +++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index e2852b6b3..d013be090 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -303,8 +303,13 @@ def useful_headers_after_request(response):
     response.headers.add('X-Frame-Options', 'deny')
     response.headers.add('X-Content-Type-Options', 'nosniff')
     response.headers.add('X-XSS-Protection', '1; mode=block')
-    response.headers.add('Content-Security-Policy',
-                         "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;")  # noqa
+    response.headers.add('Content-Security-Policy', (
+        "default-src 'self' 'unsafe-inline';"
+        "script-src 'self' *.google-analytics.com 'unsafe-inline' data:;"
+        "object-src 'self';"
+        "font-src 'self' data:;"
+        "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;"
+    ))
     if 'Cache-Control' in response.headers:
         del response.headers['Cache-Control']
     response.headers.add(
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
index 006855439..53b1f2b32 100644
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -6,4 +6,10 @@ def test_owasp_useful_headers_set(app_):
     assert response.headers['X-Frame-Options'] == 'deny'
     assert response.headers['X-Content-Type-Options'] == 'nosniff'
     assert response.headers['X-XSS-Protection'] == '1; mode=block'
-    assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;"  # noqa
+    assert response.headers['Content-Security-Policy'] == (
+        "default-src 'self' 'unsafe-inline';"
+        "script-src 'self' *.google-analytics.com 'unsafe-inline' data:;"
+        "object-src 'self';"
+        "font-src 'self' data:;"
+        "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;"
+    )