mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-02-26 13:20:54 -05:00
d380eaf060
Currently images in our email template are hardcoded to be served from the live domain[1]. In order for the admin app, running locally or in preview/staging, to be able to load these images when previewing an email template, the CSP headers need to allow this domain. Also splits the header string up using string literal concatenation[2] so that it’s easier to read. 1. https://notifications.service.gov.uk 2. https://docs.python.org/3/reference/lexical_analysis.html#string-literal-concatenation
16 lines
691 B
Python
16 lines
691 B
Python
|
|
def test_owasp_useful_headers_set(app_):
|
|
with app_.test_request_context():
|
|
response = app_.test_client().get('/')
|
|
assert response.status_code == 200
|
|
assert response.headers['X-Frame-Options'] == 'deny'
|
|
assert response.headers['X-Content-Type-Options'] == 'nosniff'
|
|
assert response.headers['X-XSS-Protection'] == '1; mode=block'
|
|
assert response.headers['Content-Security-Policy'] == (
|
|
"default-src 'self' 'unsafe-inline';"
|
|
"script-src 'self' *.google-analytics.com 'unsafe-inline' data:;"
|
|
"object-src 'self';"
|
|
"font-src 'self' data:;"
|
|
"img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;"
|
|
)
|