mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-02-17 17:04:55 -05:00
bb34081599
When a browser loads a Notify page it does the following: - DNS and TLS handshake for notifications.service.gov.uk - download some HTML - sees that the HTML needs to load some CSS - DNS and TLS handshake for static.notifications.service.gov.uk - downloads the CSS We can speed things up a bit in modern browsers by parallelizing this process a bit. Modern browsers support some HTTP headers[1] that allow them to connect to other origins sooner. After this change the steps are: - DNS and TLS handshake for notifications.service.gov.uk - receive response headers and simultaneously: - download some HTML - DNS and TLS handshake for static.notifications.service.gov.uk - sees that the HTML needs to load some CSS - downloads the CSS 1. https://developer.mozilla.org/en-US/docs/Web/Performance/dns-prefetch
54 lines
2.1 KiB
Python
54 lines
2.1 KiB
Python
|
|
|
|
def test_owasp_useful_headers_set(
|
|
client,
|
|
mocker,
|
|
mock_get_service_and_organisation_counts,
|
|
):
|
|
mocker.patch('app.get_logo_cdn_domain', return_value='static-logos.test.com')
|
|
|
|
response = client.get('/')
|
|
|
|
assert response.status_code == 200
|
|
assert response.headers['X-Frame-Options'] == 'deny'
|
|
assert response.headers['X-Content-Type-Options'] == 'nosniff'
|
|
assert response.headers['X-XSS-Protection'] == '1; mode=block'
|
|
assert response.headers['Content-Security-Policy'] == (
|
|
"default-src 'self' static.example.com 'unsafe-inline';"
|
|
"script-src 'self' static.example.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
|
|
"connect-src 'self' *.google-analytics.com;"
|
|
"object-src 'self';"
|
|
"font-src 'self' static.example.com data:;"
|
|
"img-src "
|
|
"'self' static.example.com *.tile.openstreetmap.org *.google-analytics.com"
|
|
" *.notifications.service.gov.uk static-logos.test.com data:;"
|
|
"frame-src 'self' www.youtube-nocookie.com;"
|
|
)
|
|
assert response.headers['Link'] == (
|
|
'<https://static.example.com>; rel=dns-prefetch, '
|
|
'<https://static.example.com>; rel=preconnect'
|
|
)
|
|
|
|
|
|
def test_headers_non_ascii_characters_are_replaced(
|
|
client,
|
|
mocker,
|
|
mock_get_service_and_organisation_counts,
|
|
):
|
|
mocker.patch('app.get_logo_cdn_domain', return_value='static-logos۾.test.com')
|
|
|
|
response = client.get('/')
|
|
|
|
assert response.status_code == 200
|
|
assert response.headers['Content-Security-Policy'] == (
|
|
"default-src 'self' static.example.com 'unsafe-inline';"
|
|
"script-src 'self' static.example.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
|
|
"connect-src 'self' *.google-analytics.com;"
|
|
"object-src 'self';"
|
|
"font-src 'self' static.example.com data:;"
|
|
"img-src"
|
|
" 'self' static.example.com *.tile.openstreetmap.org *.google-analytics.com"
|
|
" *.notifications.service.gov.uk static-logos??.test.com data:;"
|
|
"frame-src 'self' www.youtube-nocookie.com;"
|
|
)
|