Stuart Colville 2016-09-09 15:01:25 +01:00
Родитель 75577164dd
Коммит 3c3c6470f7
5 изменённых файлов: 6 добавлений и 11 удалений


@ -119,7 +119,7 @@ CSP_REPORT_URI = '/csp-report'
HTTP_GA_SRC = 'http://www.google-analytics.com'
CSP_FRAME_SRC += ('https://www.sandbox.paypal.com',)
CSP_IMG_SRC += (HTTP_GA_SRC,)
CSP_SCRIPT_SRC += (HTTP_GA_SRC,)
CSP_SCRIPT_SRC += (HTTP_GA_SRC, "'self'")
# If you have settings you want to overload, put them in a local_settings.py.
try:
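Review bot: The added `"'self'"` in `CSP_SCRIPT_SRC += (HTTP_GA_SRC, "'self'")` re-enables same-origin scripts in this settings file while the base settings and the new test in this same commit deliberately drop `'self'` from script-src, and nothing on the new line says why this environment is different, so a policy audit will read it as a regression. Presumably this is a local/dev override where the site and the services host share one origin; if so, record it on the line: `# Local dev serves the site and the discovery pane from one origin, so script-src needs 'self' here.` The same tuple also keeps `HTTP_GA_SRC` (plain `http://www.google-analytics.com` on the line above) as an allowlisted plaintext script origin, which is only acceptable if this file never reaches a production host — worth confirming. The `try:` that closes the hunk continues outside it.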


@ -100,9 +100,13 @@ class TestCSPHeaders(TestCase):
assert "'self'" in base_settings.CSP_FRAME_SRC
assert "'self'" in base_settings.CSP_FORM_ACTION
assert "'self'" in base_settings.CSP_IMG_SRC
assert "'self'" in base_settings.CSP_SCRIPT_SRC
assert "'self'" in base_settings.CSP_STYLE_SRC
def test_not_self_in_script_src(self):
"""script-src should not need 'self' or a.m.o for services.a.m.o"""
assert "'self'" not in base_settings.CSP_SCRIPT_SRC
assert "https://addons.mozilla.org" not in base_settings.CSP_SCRIPT_SRC
def test_analytics_in_common_settings(self):
"""Check for anaytics hosts in img-src and script-src"""
analytics_host = base_settings.ANALYTICS_HOST
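Review bot: `test_not_self_in_script_src` only proves two strings are absent from `CSP_SCRIPT_SRC`; it never checks that the directive still names the origins that must stay, so a later override that empties the tuple (leaving scripts governed by default-src) would pass this test unchanged. Add one positive assertion beside the negatives, e.g. `assert 'https://www.paypalobjects.com' in base_settings.CSP_SCRIPT_SRC`, using whichever host is genuinely required. The context line `assert "'self'" in base_settings.CSP_SCRIPT_SRC` a few lines above contradicts the new test; the diffstat (6 additions, 11 deletions) set against the hunk counts suggests it is this hunk's one removed line, but if it survives the module asserts both ways. Both methods belong to `TestCSPHeaders`, whose class line precedes the hunk, and `test_analytics_in_common_settings` continues past it.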


@ -19,8 +19,6 @@ CSP_CHILD_SRC += ('https://www.sandbox.paypal.com',)
CSP_FRAME_SRC = CSP_CHILD_SRC
CSP_IMG_SRC += (CDN_HOST,)
CSP_SCRIPT_SRC += (
# Fix for discovery pane when using services subdomain.
'https://addons-dev.allizom.org',
CDN_HOST,
)
CSP_STYLE_SRC += (CDN_HOST,)


@ -18,8 +18,6 @@ CSP_CHILD_SRC += ('https://www.sandbox.paypal.com',)
CSP_FRAME_SRC = CSP_CHILD_SRC
CSP_IMG_SRC += (CDN_HOST,)
CSP_SCRIPT_SRC += (
# Fix for discovery pane when using services subdomain.
'https://addons.allizom.org',
CDN_HOST,
)
CSP_STYLE_SRC += (CDN_HOST,)


@ -1298,12 +1298,7 @@ CSP_MEDIA_SRC = (
)
CSP_OBJECT_SRC = ("'none'",)
# https://addons.mozilla.org is needed for about:addons because
# the discovery pane's origin is https://services.addons.mozilla.org
# and as a result 'self' doesn't match requests to addons.mozilla.org.
CSP_SCRIPT_SRC = (
"'self'",
'https://addons.mozilla.org',
'https://www.paypalobjects.com',
'https://www.google.com/recaptcha/',
'https://www.gstatic.com/recaptcha/',