Add qualtrics to form-action header (#1710)

- Added Upgrade-Insecure-Requests header (wildcard fix maybe?) - Added a nonce to the style-src header - Added nonces to each <style> tag
cds-snc · Nov 8, 2023 · 7a6afdc · 7a6afdc
1 parent c8dc1b3
commit 7a6afdc
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 15 deletions.
diff --git a/app/__init__.py b/app/__init__.py
@@ -644,6 +644,7 @@ def useful_headers_after_request(response):
     response.headers.add("X-Frame-Options", "deny")
     response.headers.add("X-Content-Type-Options", "nosniff")
     response.headers.add("X-XSS-Protection", "1; mode=block")
+    response.headers.add("Upgrade-Insecure-Requests", "1")
     nonce = safe_get_request_nonce()
     asset_domain = current_app.config["ASSET_DOMAIN"]
     response.headers.add(
@@ -655,11 +656,11 @@ def useful_headers_after_request(response):
             f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
             "connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
             "object-src 'self';"
-            "style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
+            f"style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'nonce-{nonce}' 'unsafe-inline';"
             f"font-src 'self' {asset_domain} *.googleapis.com *.gstatic.com data:;"
             f"img-src 'self' {asset_domain} *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;"  # noqa: E501
             "frame-ancestors 'self';"
-            "form-action 'self';"
+            "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
             "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
         ),
     )

diff --git a/app/templates/main_template.html b/app/templates/main_template.html
@@ -26,10 +26,14 @@
   <link
     href="https://fonts.googleapis.com/css?family=Lato:400,700,900&display=swap"
     rel="stylesheet"
+    integrity="sha384-kVxP/aXwg+PkN511FuqryM/THiiQlE94Vnv1Su+pNFJY+4yvw+4vncZFNZbgY7UL"
+    crossorigin="anonymous"
   />
   <link
     href="https://fonts.googleapis.com/css?family=Noto+Sans&display=swap"
     rel="stylesheet"
+    integrity="sha384-tGeHQVuE+OkHZJbt49ODye8E3Hz+UVXmOBzwDcGwcab8YQer8siRT442XmkDqYpp"
+    crossorigin="anonymous"
   />
   <meta name="theme-color" content="#0b0c0c"/>
   <meta name="viewport" content="width=device-width, initial-scale=1"/>
@@ -96,7 +100,7 @@
     }
 
   </script>
-  <style title="CSS strings">
+  <style title="CSS strings" nonce="{{ request_nonce }}">
     :root {
       --opens-in-new-tab: "{{ _("Opens in a new tab") }}";
     }

diff --git a/app/templates/views/add-service.html b/app/templates/views/add-service.html
@@ -18,7 +18,7 @@
     sub_text=sub_text
   ) }}
 
-<style>
+<style nonce="{{ request_nonce }}">
     /* inline this as the */
     .form-wrap .form-group .form-label{
       font-weight:bold;

diff --git a/app/templates/views/edit-email-template.html b/app/templates/views/edit-email-template.html
@@ -62,7 +62,7 @@
 
 {% block page_script %}
 {{ super() }}
-<script nonce="{{ request_nonce }}">
+<script type="text/javascript" nonce="{{ request_nonce }}">
   const loadContent = templateId => {
     const callback = `/services/templates/${templateId}/get-data`;
 
@@ -84,7 +84,7 @@
   };
 </script>
 
-<style>
+<style type="text/css" nonce="{{ request_nonce }}">
   select {
     box-sizing: "border-box";
     width: 50%;

diff --git a/app/templates/views/service-settings/letter-preview.html b/app/templates/views/service-settings/letter-preview.html
@@ -5,7 +5,7 @@
 
     <title>Letter preview</title>
 
-    <style type="text/css">
+    <style type="text/css" nonce="{{ request_nonce }}">
     body {
       background-color: #dee0e2;
       margin: 0;

diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
@@ -68,12 +68,11 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
         f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
         "connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
         "object-src 'self';"
-        "style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
+        f"style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'nonce-{nonce}' 'unsafe-inline';"
         "font-src 'self' static.example.com *.googleapis.com *.gstatic.com data:;"
-        "img-src "
-        "'self' static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;"  # noqa: E501
+        "img-src 'self' static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;"  # noqa: E501
         "frame-ancestors 'self';"
-        "form-action 'self';"
+        "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
         "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
     )
 
@@ -132,11 +131,10 @@ def test_headers_non_ascii_characters_are_replaced(
         f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
         "connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
         "object-src 'self';"
-        "style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
+        f"style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'nonce-{nonce}' 'unsafe-inline';"
         "font-src 'self' static.example.com *.googleapis.com *.gstatic.com data:;"
-        "img-src "
-        "'self' static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;"  # noqa: E501
+        "img-src 'self' static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;"  # noqa: E501
         "frame-ancestors 'self';"
-        "form-action 'self';"
+        "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
         "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
     )