

Remove integrity attributes on google fonts (#1717)
* Remove integrity attributes on google fonts

- Add the corresponding domains to the font-src and style-src CSP headers

* fix tests
whabanks authored Nov 9, 2023
1 parent 5b443d3 commit 0b6e0bc
Showing 3 changed files with 6 additions and 8 deletions.
4 changes: 2 additions & 2 deletions app/__init__.py
Expand Up @@ -659,8 +659,8 @@ def useful_headers_after_request(response):
f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
"connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
"object-src 'self';"
f"style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'nonce-{nonce}' 'unsafe-inline';"
f"font-src 'self' {asset_domain} *.googleapis.com *.gstatic.com data:;"
f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
f"font-src 'self' {asset_domain} fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
f"img-src 'self' {asset_domain} *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
"frame-ancestors 'self';"
"form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
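Review bot: The new style-src line also drops `'nonce-{nonce}'`, which neither the title nor the description mentions; in browsers that understand nonces, a nonce in the directive causes `'unsafe-inline'` to be ignored, so removing it changes the effective policy from nonce-gated inline styles to allowing any inline style. If that is the intent (for example because templates rely on `style=` attributes), say so in the description or in a comment next to the directive; otherwise keep the nonce: `f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'nonce-{nonce}' 'unsafe-inline';"`. As a smaller point, style-src now lists both `fonts.googleapis.com` and `https://fonts.googleapis.com`, and `fonts.gstatic.com` in font-src is already covered by the adjacent `*.gstatic.com`, so the source lists could be trimmed. useful_headers_after_request starts and ends outside the hunk.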
2 changes: 0 additions & 2 deletions app/templates/main_template.html
Expand Up @@ -26,12 +26,10 @@
<link
href="https://fonts.googleapis.com/css?family=Lato:400,700,900&display=swap"
rel="stylesheet"
integrity="sha256-8UHCn8HdwwrFIG1pimLw1DpQRfkPvTq8jHZLXJwpPo4=" crossorigin="anonymous"
/>
<link
href="https://fonts.googleapis.com/css?family=Noto+Sans&display=swap"
rel="stylesheet"
integrity="sha256-AueP75pGAtROGzX2BIyKoY/QBX+tH40az+OXhkTthKU=" crossorigin="anonymous"
/>
<meta name="theme-color" content="#0b0c0c"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
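Review bot: Both Google Fonts stylesheets are now loaded with no integrity attribute and nothing in the template records why, so a later reader may re-add SRI and reintroduce whatever breakage this commit is fixing. Presumably the hashes could not be pinned because fonts.googleapis.com returns user-agent-specific CSS; a short comment above the first `<link>` would capture that, e.g. `<!-- No SRI on the Google Fonts links: the served CSS varies by user agent, so a fixed hash cannot match; trust rests on TLS and the style-src/font-src CSP allowlist. -->`. With the integrity attribute gone, `crossorigin="anonymous"` goes with it, which is fine for a plain stylesheet link but worth confirming nothing else depended on the CORS-mode fetch.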
8 changes: 4 additions & 4 deletions tests/app/main/views/test_headers.py
Expand Up @@ -71,8 +71,8 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
"connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
"object-src 'self';"
f"style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'nonce-{nonce}' 'unsafe-inline';"
"font-src 'self' static.example.com *.googleapis.com *.gstatic.com data:;"
f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
"font-src 'self' static.example.com fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
"img-src 'self' static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
"frame-ancestors 'self';"
"form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
Expand Down Expand Up @@ -135,8 +135,8 @@ def test_headers_non_ascii_characters_are_replaced(
f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
"connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
"object-src 'self';"
f"style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'nonce-{nonce}' 'unsafe-inline';"
"font-src 'self' static.example.com *.googleapis.com *.gstatic.com data:;"
f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
"font-src 'self' static.example.com fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
"img-src 'self' static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
"frame-ancestors 'self';"
"form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
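Review bot: The expected CSP string is maintained by hand in two places, the hunk in test_owasp_useful_headers_set and the identical block in test_headers_non_ascii_characters_are_replaced, and this commit had to edit both to keep them in step. A module-level helper that builds the expected policy from the nonce and the asset domain, shared by both tests, would make the next directive change a single edit while keeping the exact-match assertion each test performs. Both test functions start and end outside their hunks.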
