Implement a content security policy #4247

Merged
merged 6 commits into from
Dec 22, 2016
Merged
14 changes: 14 additions & 0 deletions gratipay/security/__init__.py
Expand Up @@ -40,3 +40,17 @@ def add_headers_to_response(response):
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
if 'X-XSS-Protection' not in response.headers:
response.headers['X-XSS-Protection'] = '1; mode=block'

# CSP - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Allow resources from gratipay.com & assets.gratipay.com.
# Allow images from everywhere for now until we can deploy Camo.
# Allow fonts from cloud.typography.com.
if 'content-security-policy' not in response.headers:
response.headers['content-security-policy'] = ("default-src 'self';"
'script-src assets.gratipay.com;'
'style-src assets.gratipay.com;'
'img-src *;'
'font-src cloud.typography.com;'
'upgrade-insecure-requests;'
'block-all-mixed-content;'
'reflected-xss block;')
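Review bot: `reflected-xss block;` on the last line of the policy comes from the withdrawn CSP 1.1 draft and is not implemented by shipping browsers, so it only produces console errors while the X-XSS-Protection header set just above already covers that case; it can be dropped. `default-src` does not govern `frame-ancestors`, `base-uri` or `form-action`, so a baseline policy should probably also carry `frame-ancestors 'self'; base-uri 'self';` (and a `form-action` list once any cross-origin form posts are known). There is no `report-uri`, so a resource blocked in production is invisible server-side; shipping the same value as `Content-Security-Policy-Report-Only` first, or adding a report endpoint, would make breakage observable. The existing header is written as 'X-XSS-Protection' while the new one is 'content-security-policy'; if response.headers is not a case-insensitive mapping the `not in` guard will miss a pre-set `Content-Security-Policy` and emit a second header, which is worth confirming against the framework. add_headers_to_response starts above the hunk.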
12 changes: 12 additions & 0 deletions tests/py/test_security.py
Expand Up @@ -53,6 +53,18 @@ def test_ahtr_sets_x_xss_protection(self):
headers = self.client.GET('/about/').headers
assert headers['X-XSS-Protection'] == '1; mode=block'

def test_ahtr_sets_content_security_policy(self):
headers = self.client.GET('/about/').headers
policy = ('default-src \'self\';'
'script-src assets.gratipay.com;'
'style-src assets.gratipay.com;'
'img-src *;'
'font-src cloud.typography.com;'
'upgrade-insecure-requests;'
'block-all-mixed-content;'
'reflected-xss block;')
assert headers['content-security-policy'] == policy


# ep - EncryptingPacker

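Review bot: The new test only covers the branch where the header is absent, by duplicating the policy string and asserting equality; the `not in` guard in add_headers_to_response is never exercised, so a response that already carries a content-security-policy being left untouched has no regression test. Whether the test client allows pre-setting a response header before the hook runs is not visible here, but if it does, a second test asserting the pre-set value survives would close that gap. As a style point, `'default-src \'self\';'` could be written `"default-src 'self';"` to match the implementation and avoid the escapes. The enclosing test class starts above the hunk.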