From 426ef4c8460bb0df734962d5218addce0839fa51 Mon Sep 17 00:00:00 2001
From: Jimmy Royer
Date: Wed, 8 Nov 2023 14:03:29 -0500
Subject: [PATCH] Added report-to header to CSP (#1712)
* Added report-to header to CSP
* Formatter
* Fixed headers bad positioning + fix tests
---------
Co-authored-by: William B <7444334+whabanks@users.noreply.github.com>
---
app/__init__.py | 7 ++++++-
tests/app/main/views/test_headers.py | 10 ++++++++--
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/app/__init__.py b/app/__init__.py
index fb3ae2a68c..abfe8c5d55 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -647,10 +647,13 @@ def useful_headers_after_request(response):
 response.headers.add("Upgrade-Insecure-Requests", "1")
 nonce = safe_get_request_nonce()
 asset_domain = current_app.config["ASSET_DOMAIN"]
+ response.headers.add(
+ "Report-To",
+ """{"group":"default","max_age":1800,"endpoints":[{"url":"https://csp-report-to.security.cdssandbox.xyz/report"}]""",
+ )
 response.headers.add(
 "Content-Security-Policy",
 (
- "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
 f"default-src 'self' {asset_domain} 'unsafe-inline';"
 f"script-src 'self' {asset_domain} *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
 f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
@@ -662,6 +665,8 @@ def useful_headers_after_request(response):
 "frame-ancestors 'self';"
 "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
+ "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
+ "report-to default;"
 ),
 )
 if "Cache-Control" in response.headers:
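Review bot: The Report-To value added in the first hunk is not valid JSON: the outer object opened at `{"group":"default",...` is never closed, so the string ends in `}]` where it needs `}]}`. A browser that cannot parse the header will typically discard the `default` group, which means the `report-to default;` directive added in the second hunk resolves to nothing and violation reports only arrive through the legacy `report-uri` fallback, and the new assertion in tests/app/main/views/test_headers.py pins the same truncated string so it will not catch this. Change the line to `"""{"group":"default","max_age":1800,"endpoints":[{"url":"https://csp-report-to.security.cdssandbox.xyz/report"}]}""",`. Two smaller points: the reporting endpoint is hard-coded right next to `asset_domain = current_app.config["ASSET_DOMAIN"]`, which is config-driven, so non-sandbox deployments would report to the sandbox host unless it gets the same treatment, and current browsers have moved from `Report-To` to the `Reporting-Endpoints` header, so sending both keeps reports flowing. useful_headers_after_request continues outside both hunks.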
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
index e164a6ad2c..e1f7ea3717 100644
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -61,8 +61,11 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
 assert response.headers["X-Frame-Options"] == "deny"
 assert response.headers["X-Content-Type-Options"] == "nosniff"
 assert response.headers["X-XSS-Protection"] == "1; mode=block"
+ assert (
+ response.headers["Report-To"]
+ == """{"group":"default","max_age":1800,"endpoints":[{"url":"https://csp-report-to.security.cdssandbox.xyz/report"}]"""
+ )
 assert response.headers["Content-Security-Policy"] == (
- "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
 "default-src 'self' static.example.com 'unsafe-inline';"
 f"script-src 'self' static.example.com *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
 f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
@@ -74,6 +77,8 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
 "frame-ancestors 'self';"
 "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
+ "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
+ "report-to default;"
 )
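Review bot: The new `Report-To` assertion in the first hunk compares against a literal that is itself malformed (the outer JSON object is never closed; the value ends in `}]` rather than `}]}`), so the test pins the defect instead of guarding against it. Parsing the header would make structural breakage fail loudly: `group = json.loads(response.headers["Report-To"])`, then `assert group["group"] == "default"` and `assert group["endpoints"][0]["url"] == "https://csp-report-to.security.cdssandbox.xyz/report"`. That needs `import json` at the top of the test module, which lies outside this hunk. The remaining hunks only move the `report-uri` directive and add `report-to default;` to the expected CSP string and need no change beyond this.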
@@ -125,7 +130,6 @@ def test_headers_non_ascii_characters_are_replaced(
 assert response.status_code == 200
 assert response.headers["Content-Security-Policy"] == (
- "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
 "default-src 'self' static.example.com 'unsafe-inline';"
 f"script-src 'self' static.example.com *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
 f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
@@ -137,4 +141,6 @@ def test_headers_non_ascii_characters_are_replaced(
 "frame-ancestors 'self';"
 "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
+ "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
+ "report-to default;"
 )