darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-02-23 11:51:05 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
ee03eb07676ebdfe95dc7e894e00a0e1d1ae66e1
notifications-admin/tests/app/main/views/test_headers.py
Chris Hill-Scott d0d3fc6857 Add a map 
So you can check you’ve chosen the right areas, and to give you a clear
idea of where the boundaries of an area are.

The Javascript and CSS for the map is only loaded on this page because
it adds quite a few kb, and we don’t want to be sending assets to the
majority of our users who will never see them.
2020-07-08 10:27:50 +01:00

50 lines
1.9 KiB
Python
Raw Blame History

def test_owasp_useful_headers_set(
client,
mocker,
mock_get_service_and_organisation_counts,
):
mocker.patch('app.get_logo_cdn_domain', return_value='static-logos.test.com')
response = client.get('/')
assert response.status_code == 200
assert response.headers['X-Frame-Options'] == 'deny'
assert response.headers['X-Content-Type-Options'] == 'nosniff'
assert response.headers['X-XSS-Protection'] == '1; mode=block'
assert response.headers['Content-Security-Policy'] == (
"default-src 'self' static.example.com 'unsafe-inline';"
"script-src 'self' static.example.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
"connect-src 'self' *.google-analytics.com;"
"object-src 'self';"
"font-src 'self' static.example.com data:;"
"img-src "
"'self' static.example.com *.tile.openstreetmap.org *.google-analytics.com"
" *.notifications.service.gov.uk static-logos.test.com data:;"
"frame-src 'self' www.youtube-nocookie.com;"
)
def test_headers_non_ascii_characters_are_replaced(
client,
mocker,
mock_get_service_and_organisation_counts,
):
mocker.patch('app.get_logo_cdn_domain', return_value='static-logos۾.test.com')
response = client.get('/')
assert response.status_code == 200
assert response.headers['Content-Security-Policy'] == (
"default-src 'self' static.example.com 'unsafe-inline';"
"script-src 'self' static.example.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
"connect-src 'self' *.google-analytics.com;"
"object-src 'self';"
"font-src 'self' static.example.com data:;"
"img-src"
" 'self' static.example.com *.tile.openstreetmap.org *.google-analytics.com"
" *.notifications.service.gov.uk static-logos??.test.com data:;"
"frame-src 'self' www.youtube-nocookie.com;"
)
Reference in New Issue View Git Blame Copy Permalink