mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-03-04 09:21:41 -05:00
1d10ad2247
In https://github.com/alphagov/notifications-admin/pull/1583 we changed our Google Analytics settings to use newer browsers’ `sendBeacon` feature. The advantage of this is that it > [ensures] that the data has been sent during the unloading of a > document [which] is something that has traditionally been difficult > for developers – https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon To transmit this data it uses a AJAX request (`XMLHttpRequest`) underneath. AJAX requests are governed by the `connect-src` content security policy (or the `default-src` if one is not present). `connect-src`: > Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not > allowed the browser emulates a 400 HTTP status code. – https://content-security-policy.com/ Because we didn’t have one in place, `sendBeacon` requests to GA were getting blocked in browsers that support content security policy (pretty much everything better than IE11[1]). 1. https://caniuse.com/#feat=beacon
19 lines
851 B
Python
19 lines
851 B
Python
def test_owasp_useful_headers_set(client, mocker):
|
|
mocker.patch('app.get_cdn_domain', return_value='static-logos.test.com')
|
|
|
|
response = client.get('/')
|
|
|
|
assert response.status_code == 200
|
|
assert response.headers['X-Frame-Options'] == 'deny'
|
|
assert response.headers['X-Content-Type-Options'] == 'nosniff'
|
|
assert response.headers['X-XSS-Protection'] == '1; mode=block'
|
|
assert response.headers['Content-Security-Policy'] == (
|
|
"default-src 'self' 'unsafe-inline';"
|
|
"script-src 'self' *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
|
|
"connect-src 'self' *.google-analytics.com;"
|
|
"object-src 'self';"
|
|
"font-src 'self' data:;"
|
|
"img-src 'self' *.google-analytics.com *.notifications.service.gov.uk static-logos.test.com data:;"
|
|
"frame-src www.youtube.com;"
|
|
)
|