diff --git a/settings.py b/settings.py index 5a56a6b2e5..d19a85f392 100644 --- a/settings.py +++ b/settings.py @@ -119,7 +119,7 @@ CSP_REPORT_URI = '/csp-report' HTTP_GA_SRC = 'http://www.google-analytics.com' CSP_FRAME_SRC += ('https://www.sandbox.paypal.com',) CSP_IMG_SRC += (HTTP_GA_SRC,) -CSP_SCRIPT_SRC += (HTTP_GA_SRC,) +CSP_SCRIPT_SRC += (HTTP_GA_SRC, "'self'") # If you have settings you want to overload, put them in a local_settings.py. try: diff --git a/src/olympia/amo/tests/test_csp_headers.py b/src/olympia/amo/tests/test_csp_headers.py index 63d409cdd9..ff326bfcc1 100644 --- a/src/olympia/amo/tests/test_csp_headers.py +++ b/src/olympia/amo/tests/test_csp_headers.py @@ -100,9 +100,13 @@ class TestCSPHeaders(TestCase): assert "'self'" in base_settings.CSP_FRAME_SRC assert "'self'" in base_settings.CSP_FORM_ACTION assert "'self'" in base_settings.CSP_IMG_SRC - assert "'self'" in base_settings.CSP_SCRIPT_SRC assert "'self'" in base_settings.CSP_STYLE_SRC + def test_not_self_in_script_src(self): + """script-src should not need 'self' or a.m.o for services.a.m.o""" + assert "'self'" not in base_settings.CSP_SCRIPT_SRC + assert "https://addons.mozilla.org" not in base_settings.CSP_SCRIPT_SRC + def test_analytics_in_common_settings(self): """Check for anaytics hosts in img-src and script-src""" analytics_host = base_settings.ANALYTICS_HOST diff --git a/src/olympia/conf/dev/settings.py b/src/olympia/conf/dev/settings.py index d864d46b60..bc27d99287 100644 --- a/src/olympia/conf/dev/settings.py +++ b/src/olympia/conf/dev/settings.py @@ -19,8 +19,6 @@ CSP_CHILD_SRC += ('https://www.sandbox.paypal.com',) CSP_FRAME_SRC = CSP_CHILD_SRC CSP_IMG_SRC += (CDN_HOST,) CSP_SCRIPT_SRC += ( - # Fix for discovery pane when using services subdomain. - 'https://addons-dev.allizom.org', CDN_HOST, ) CSP_STYLE_SRC += (CDN_HOST,) diff --git a/src/olympia/conf/stage/settings.py b/src/olympia/conf/stage/settings.py index 0359c2f9a2..2f834a6133 100644 --- a/src/olympia/conf/stage/settings.py +++ b/src/olympia/conf/stage/settings.py @@ -18,8 +18,6 @@ CSP_CHILD_SRC += ('https://www.sandbox.paypal.com',) CSP_FRAME_SRC = CSP_CHILD_SRC CSP_IMG_SRC += (CDN_HOST,) CSP_SCRIPT_SRC += ( - # Fix for discovery pane when using services subdomain. - 'https://addons.allizom.org', CDN_HOST, ) CSP_STYLE_SRC += (CDN_HOST,) diff --git a/src/olympia/lib/settings_base.py b/src/olympia/lib/settings_base.py index ddbb7a6710..f8b782be91 100644 --- a/src/olympia/lib/settings_base.py +++ b/src/olympia/lib/settings_base.py @@ -1298,12 +1298,7 @@ CSP_MEDIA_SRC = ( ) CSP_OBJECT_SRC = ("'none'",) -# https://addons.mozilla.org is needed for about:addons because -# the discovery pane's origin is https://services.addons.mozilla.org -# and as a result 'self' doesn't match requests to addons.mozilla.org. CSP_SCRIPT_SRC = ( - "'self'", - 'https://addons.mozilla.org', 'https://www.paypalobjects.com', 'https://www.google.com/recaptcha/', 'https://www.gstatic.com/recaptcha/',