From d06c713ca01b16818e97b8924b1a1c8030fef6d3 Mon Sep 17 00:00:00 2001
From: Jimmy Royer
Date: Thu, 16 Nov 2023 17:04:06 -0500
Subject: [PATCH] Added bam.nr-data.net to connect-src exception for NewRelic (#1726)

* Added bam.nr-data.net to connect-src exception for NewRelic
* Updating tests with recent changes to CSP header of connect-src directive
---
 app/__init__.py | 2 +-
 tests/app/main/views/test_headers.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/__init__.py b/app/__init__.py
index 03ac22016d..abc11c34bd 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -657,7 +657,7 @@ def useful_headers_after_request(response):
 f"default-src 'self' {asset_domain} 'unsafe-inline';"
 f"script-src 'self' {asset_domain} *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
 f"script-src-elem 'self' https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
- "connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
+ "connect-src 'self' *.google-analytics.com *.googletagmanager.com https://bam.nr-data.net *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "object-src 'self';"
 f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
 f"font-src 'self' {asset_domain} fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
index e5b52bd855..5cbe9d0f81 100644
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
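Review bot: The new `https://bam.nr-data.net` entry on the connect-src line carries no comment linking it to the `https://js-agent.newrelic.com` entries already in script-src and script-src-elem, so a later reader pruning the allow-list cannot tell that the three sources belong to one integration and must be kept or removed together. Add a comment above the connect-src string, e.g. `# NewRelic browser agent: script is loaded from js-agent.newrelic.com (script-src*); its telemetry requests go to bam.nr-data.net (connect-src)`. Listing the explicit https host rather than a wildcard is the right choice here; the agent's reporting host can presumably vary with the account's region, so confirm this one matches the configured NewRelic account (the agent configuration is not visible in this hunk). useful_headers_after_request starts outside the hunk.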
@@ -69,7 +69,7 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
 "default-src 'self' static.example.com 'unsafe-inline';"
 f"script-src 'self' static.example.com *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
 f"script-src-elem 'self' https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
- "connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
+ "connect-src 'self' *.google-analytics.com *.googletagmanager.com https://bam.nr-data.net *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "object-src 'self';"
 f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
 "font-src 'self' static.example.com fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
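Review bot: The expected CSP in test_owasp_useful_headers_set is a verbatim copy of the production string in app/__init__.py, so the test asserts the implementation against itself and has to be edited in lockstep with every allow-list change; the identical copy appears a second time in the hunk at test_headers_non_ascii_characters_are_replaced below, which has the same issue. Consider parsing the header and asserting on directive content instead, e.g. `directives = {d.split()[0]: d.split()[1:] for d in csp.rstrip(";").split(";")}` followed by `assert "https://bam.nr-data.net" in directives["connect-src"]`, or at minimum hoist the expected value into one module-level constant that both tests share. Both test functions start outside their hunks.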
@@ -133,7 +133,7 @@ def test_headers_non_ascii_characters_are_replaced(
 "default-src 'self' static.example.com 'unsafe-inline';"
 f"script-src 'self' static.example.com *.google-analytics.com *.googletagmanager.com https://tagmanager.google.com https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
 f"script-src-elem 'self' https://js-agent.newrelic.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com 'nonce-{nonce}' 'unsafe-eval' data:;"
- "connect-src 'self' *.google-analytics.com *.googletagmanager.com *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
+ "connect-src 'self' *.google-analytics.com *.googletagmanager.com https://bam.nr-data.net *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "object-src 'self';"
 f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
 "font-src 'self' static.example.com fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"