Remove 'self' and https://addons.mozilla.org from script-src
Родитель
75577164dd
Коммит
3c3c6470f7
|
@ -119,7 +119,7 @@ CSP_REPORT_URI = '/csp-report'
|
||||||
HTTP_GA_SRC = 'http://www.google-analytics.com'
|
HTTP_GA_SRC = 'http://www.google-analytics.com'
|
||||||
CSP_FRAME_SRC += ('https://www.sandbox.paypal.com',)
|
CSP_FRAME_SRC += ('https://www.sandbox.paypal.com',)
|
||||||
CSP_IMG_SRC += (HTTP_GA_SRC,)
|
CSP_IMG_SRC += (HTTP_GA_SRC,)
|
||||||
CSP_SCRIPT_SRC += (HTTP_GA_SRC,)
|
CSP_SCRIPT_SRC += (HTTP_GA_SRC, "'self'")
|
||||||
|
|
||||||
# If you have settings you want to overload, put them in a local_settings.py.
|
# If you have settings you want to overload, put them in a local_settings.py.
|
||||||
try:
|
try:
|
||||||
|
|
|
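Review bot: The changed line `CSP_SCRIPT_SRC += (HTTP_GA_SRC, "'self'")` re-adds `'self'` to script-src in this settings file while the same commit strips it from the base settings, and nothing on the line records why this environment is the exception; presumably it serves the site from a single origin with no services subdomain, in which case a comment such as `# 'self' is needed here: this environment has no separate services origin, so scripts come from the site itself.` would keep a later cleanup from removing it again. Separately, `HTTP_GA_SRC` is `http://www.google-analytics.com`, so the new tuple still whitelists a non-TLS script origin; that predates this commit, but since the base script-src is being tightened here it is a good moment to switch it to the https origin (the script-src set in this file is also outside the reach of the new `test_not_self_in_script_src`, which inspects `base_settings` only).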
@ -100,9 +100,13 @@ class TestCSPHeaders(TestCase):
|
||||||
assert "'self'" in base_settings.CSP_FRAME_SRC
|
assert "'self'" in base_settings.CSP_FRAME_SRC
|
||||||
assert "'self'" in base_settings.CSP_FORM_ACTION
|
assert "'self'" in base_settings.CSP_FORM_ACTION
|
||||||
assert "'self'" in base_settings.CSP_IMG_SRC
|
assert "'self'" in base_settings.CSP_IMG_SRC
|
||||||
assert "'self'" in base_settings.CSP_SCRIPT_SRC
|
|
||||||
assert "'self'" in base_settings.CSP_STYLE_SRC
|
assert "'self'" in base_settings.CSP_STYLE_SRC
|
||||||
|
|
||||||
|
def test_not_self_in_script_src(self):
|
||||||
|
"""script-src should not need 'self' or a.m.o for services.a.m.o"""
|
||||||
|
assert "'self'" not in base_settings.CSP_SCRIPT_SRC
|
||||||
|
assert "https://addons.mozilla.org" not in base_settings.CSP_SCRIPT_SRC
|
||||||
|
|
||||||
def test_analytics_in_common_settings(self):
|
def test_analytics_in_common_settings(self):
|
||||||
"""Check for anaytics hosts in img-src and script-src"""
|
"""Check for anaytics hosts in img-src and script-src"""
|
||||||
analytics_host = base_settings.ANALYTICS_HOST
|
analytics_host = base_settings.ANALYTICS_HOST
|
||||||
|
|
|
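Review bot: `test_not_self_in_script_src` checks exact tuple membership of `"'self'"` and `"https://addons.mozilla.org"`, so an entry that still grants that origin in another spelling (a trailing slash, a path suffix, or a `*.mozilla.org` wildcard) would pass the test; a prefix check covers the first two, `assert not any(src.startswith('https://addons.mozilla.org') for src in base_settings.CSP_SCRIPT_SRC)`, and a second assertion that no entry ends with `mozilla.org` after a `*.` would cover the wildcard case. The docstring `"""script-src should not need 'self' or a.m.o for services.a.m.o"""` abbreviates both hostnames; spelling them out and stating why the two entries were dropped (the removed base-settings comment explained the original reason they were added) would make the intent recoverable without reading the commit history. The enclosing class TestCSPHeaders starts outside the hunk.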
@ -19,8 +19,6 @@ CSP_CHILD_SRC += ('https://www.sandbox.paypal.com',)
|
||||||
CSP_FRAME_SRC = CSP_CHILD_SRC
|
CSP_FRAME_SRC = CSP_CHILD_SRC
|
||||||
CSP_IMG_SRC += (CDN_HOST,)
|
CSP_IMG_SRC += (CDN_HOST,)
|
||||||
CSP_SCRIPT_SRC += (
|
CSP_SCRIPT_SRC += (
|
||||||
# Fix for discovery pane when using services subdomain.
|
|
||||||
'https://addons-dev.allizom.org',
|
|
||||||
CDN_HOST,
|
CDN_HOST,
|
||||||
)
|
)
|
||||||
CSP_STYLE_SRC += (CDN_HOST,)
|
CSP_STYLE_SRC += (CDN_HOST,)
|
||||||
|
|
|
@ -18,8 +18,6 @@ CSP_CHILD_SRC += ('https://www.sandbox.paypal.com',)
|
||||||
CSP_FRAME_SRC = CSP_CHILD_SRC
|
CSP_FRAME_SRC = CSP_CHILD_SRC
|
||||||
CSP_IMG_SRC += (CDN_HOST,)
|
CSP_IMG_SRC += (CDN_HOST,)
|
||||||
CSP_SCRIPT_SRC += (
|
CSP_SCRIPT_SRC += (
|
||||||
# Fix for discovery pane when using services subdomain.
|
|
||||||
'https://addons.allizom.org',
|
|
||||||
CDN_HOST,
|
CDN_HOST,
|
||||||
)
|
)
|
||||||
CSP_STYLE_SRC += (CDN_HOST,)
|
CSP_STYLE_SRC += (CDN_HOST,)
|
||||||
|
|
|
@ -1298,12 +1298,7 @@ CSP_MEDIA_SRC = (
|
||||||
)
|
)
|
||||||
CSP_OBJECT_SRC = ("'none'",)
|
CSP_OBJECT_SRC = ("'none'",)
|
||||||
|
|
||||||
# https://addons.mozilla.org is needed for about:addons because
|
|
||||||
# the discovery pane's origin is https://services.addons.mozilla.org
|
|
||||||
# and as a result 'self' doesn't match requests to addons.mozilla.org.
|
|
||||||
CSP_SCRIPT_SRC = (
|
CSP_SCRIPT_SRC = (
|
||||||
"'self'",
|
|
||||||
'https://addons.mozilla.org',
|
|
||||||
'https://www.paypalobjects.com',
|
'https://www.paypalobjects.com',
|
||||||
'https://www.google.com/recaptcha/',
|
'https://www.google.com/recaptcha/',
|
||||||
'https://www.gstatic.com/recaptcha/',
|
'https://www.gstatic.com/recaptcha/',
|
||||||
|
|