Owasp/csp wildcard directive (#1706)
* Nonce log line lowered from warning to debug level

* Add frame-ancestors and form-action CSP headers

* Fix tests

* Fix variable substitution and tests

- Remove youtube from the frame-src header

* Undo accidental commit

* More test fixes

* Remove another accidentally checked in file >_>

---------

Co-authored-by: Jimmy Royer <[email protected]>
whabanks and jimleroyer authored Nov 7, 2023
1 parent dbf27cd commit c8dc1b3
Showing 2 changed files with 13 additions and 9 deletions.
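--- a/app/__init__.py
+++ b/app/__init__.py
@@ -620,7 +620,7 @@ def load_request_nonce():
 elif _request_ctx_stack.top is not None:
 token = secrets.token_urlsafe()
 _request_ctx_stack.top.nonce = token
-current_app.logger.warning(f"Set request nonce to {token}")
+current_app.logger.debug(f"Set request nonce to {token}")
 
 
 def save_service_or_org_after_request(response):
@@ -650,17 +650,17 @@ def useful_headers_after_request(response):
 "Content-Security-Policy",
 (
 "report-uri https://csp-report-to.security.cdssandbox.xyz/report;"
-"default-src 'self' {asset_domain} 'unsafe-inline';"
+f"default-src 'self' {asset_domain} 'unsafe-inline';"
 f"script-src 'self' {asset_domain} *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
 f"script-src-elem 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
 "connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "object-src 'self';"
 "style-src 'self' *.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
-"font-src 'self' {asset_domain} *.googleapis.com *.gstatic.com data:;"
-"img-src 'self' {asset_domain} *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
-"frame-src 'self' www.googletagmanager.com www.youtube.com https://cdssnc.qualtrics.com/;".format(
-asset_domain=asset_domain
-)
+f"font-src 'self' {asset_domain} *.googleapis.com *.gstatic.com data:;"
+f"img-src 'self' {asset_domain} *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
+"frame-ancestors 'self';"
+"form-action 'self';"
+"frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
 ),
 )
 if "Cache-Control" in response.headers: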
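Review bot: The `data:` scheme left in both `script-src` and `script-src-elem` (the two lines right after the new f-string `default-src`) undercuts the per-request nonce, because an injected `<script src="data:...">` is allowed by the policy regardless of the nonce; `'unsafe-eval'` on the same lines is a similar weakening, though GTM or the Qualtrics intercept may genuinely need it, so confirm before dropping that one. I would remove `data:` from both script directives and, while the directive list is being hardened, change `"object-src 'self';"` to `"object-src 'none';"` and add `"base-uri 'self';"` beside the new `frame-ancestors`/`form-action` lines so an injected `<base>` cannot redirect the relative `'self'` script URLs. `form-action 'self'` looks right for the local login flow but will block any HTML form that posts to a third-party origin, so confirm none exist (the Qualtrics intercept appears to go through `connect-src`, not a form post). Each of these changes also has to be mirrored in the expected string in tests/app/main/views/test_headers.py. `useful_headers_after_request` starts and ends outside this hunk.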
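--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -72,7 +72,9 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
 "font-src 'self' static.example.com *.googleapis.com *.gstatic.com data:;"
 "img-src "
 "'self' static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
-"frame-src 'self' www.googletagmanager.com www.youtube.com https://cdssnc.qualtrics.com/;"
+"frame-ancestors 'self';"
+"form-action 'self';"
+"frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
 )
 
 
@@ -134,5 +136,7 @@ def test_headers_non_ascii_characters_are_replaced(
 "font-src 'self' static.example.com *.googleapis.com *.gstatic.com data:;"
 "img-src "
 "'self' static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
-"frame-src 'self' www.googletagmanager.com www.youtube.com https://cdssnc.qualtrics.com/;"
+"frame-ancestors 'self';"
+"form-action 'self';"
+"frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
 )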
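Review bot: The expected CSP value is now duplicated verbatim in `test_owasp_useful_headers_set` and `test_headers_non_ascii_characters_are_replaced` (both hunks add the identical `frame-ancestors`/`form-action`/`frame-src` tail), so every future directive change has to be edited in two places. I would hoist the full expected header into a module-level `EXPECTED_CSP` constant and assert against it in both tests; the exact-match style itself is the right choice, since it is what would catch a wildcard host or `data:` creeping back into the policy. Both test functions start outside these hunks, so whether the rest of each expected string is already identical has to be checked before sharing it. If this file also asserts `X-Frame-Options`, that value should agree with the new `frame-ancestors 'self'` (`SAMEORIGIN` rather than `DENY`).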
