Merge pull request #2490 from GSA/sandbox_scan_fix

app/__init__.py

@@ -145,6 +145,7 @@ def _csp(config):
         "frame-src": [
             "https://www.youtube.com",
             "https://www.youtube-nocookie.com",
+            "https://www.googletagmanager.com",
         ],
         "frame-ancestors": "'none'",
         "form-action": "'self'",
@@ -169,6 +170,11 @@ def _csp(config):
 
 
 def create_app(application):
+    @application.after_request
+    def add_csp_header(response):
+        existing_csp = response.headers.get("Content-Security-Policy", "")
+        response.headers["Content-Security-Policy"] = existing_csp + "; form-action 'self';"
+        return response
     # @application.context_processor
     # def inject_feature_flags():
     # this is where feature flags can be easily added as a dictionary within context

app/templates/base.html

@@ -14,7 +14,7 @@
     <script nonce="{{ csp_nonce() }}">document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>
     {% block bodyStart %}
       {% block extra_javascripts_before_body %}
-      <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WX5NGWF"
+      <noscript><iframe sandbox src="https://www.googletagmanager.com/ns.html?id=GTM-WX5NGWF"
       height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
       {% endblock %}
     {% endblock %}

tests/app/main/views/test_headers.py

@@ -14,7 +14,7 @@ def test_owasp_useful_headers_set(
     assert response.headers["X-Frame-Options"] == "deny"
     assert response.headers["X-Content-Type-Options"] == "nosniff"
     csp = response.headers["Content-Security-Policy"]
-    assert search(r"default-src 'self' static\.example\.com;", csp)
+    assert search(r"frame-src.*https://www\.googletagmanager\.com", csp)
     assert search(r"frame-ancestors 'none';", csp)
     assert search(r"form-action 'self';", csp)
     assert search(