Stylistic clean-ups

gratipay · Dec 22, 2016 · 1f71e8c · 1f71e8c
1 parent b7a398e
commit 1f71e8c
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 18 deletions.
diff --git a/gratipay/security/__init__.py b/gratipay/security/__init__.py
@@ -42,14 +42,15 @@ def add_headers_to_response(response):
         response.headers['X-XSS-Protection'] = '1; mode=block'
 
     # CSP - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-    # Allow resources from gratipay.com & all gratipay subdomains.
+    # Allow resources from gratipay.com & assets.gratipay.com.
+    # Allow images from everywhere for now until we can deploy Camo.
     # Allow fonts from cloud.typography.com.
     if 'content-security-policy' not in response.headers:
-        response.headers['content-security-policy'] = ( 'default-src \'self\';' 
-                                                        'script-src assets.gratipay.com;'
-                                                        'style-src assets.gratipay.com;'
-                                                        'img-src *;'
-                                                        'font-src cloud.typography.com;' 
-                                                        'upgrade-insecure-requests;'
-                                                        'block-all-mixed-content;'
-                                                        'reflected-xss block;')
+        response.headers['content-security-policy'] = ("default-src 'self';"
+                                                       'script-src assets.gratipay.com;'
+                                                       'style-src assets.gratipay.com;'
+                                                       'img-src *;'
+                                                       'font-src cloud.typography.com;'
+                                                       'upgrade-insecure-requests;'
+                                                       'block-all-mixed-content;'
+                                                       'reflected-xss block;')
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
@@ -53,16 +53,16 @@ def test_ahtr_sets_x_xss_protection(self):
         headers = self.client.GET('/about/').headers
         assert headers['X-XSS-Protection'] == '1; mode=block'
 
-    def test_ahtr__csp(self):
+    def test_ahtr_sets_content_security_policy(self):
         headers = self.client.GET('/about/').headers
-        policy = ('default-src \'self\';' 
-                    'script-src assets.gratipay.com;'
-                    'style-src assets.gratipay.com;'
-                    'img-src *;'
-                    'font-src cloud.typography.com;' 
-                    'upgrade-insecure-requests;'
-                    'block-all-mixed-content;'
-                    'reflected-xss block;')
+        policy = ('default-src \'self\';'
+                  'script-src assets.gratipay.com;'
+                  'style-src assets.gratipay.com;'
+                  'img-src *;'
+                  'font-src cloud.typography.com;'
+                  'upgrade-insecure-requests;'
+                  'block-all-mixed-content;'
+                  'reflected-xss block;')
         assert headers['content-security-policy'] == policy