Remove 'self' and https://addons.mozilla.org from script-src

2016-09-09 15:01:25 +01:00 · 2016-09-09 15:01:25 +01:00 · 3c3c6470f7
--- a/settings.py
+++ b/settings.py
@ -119,7 +119,7 @@ CSP_REPORT_URI = '/csp-report'
 HTTP_GA_SRC = 'http://www.google-analytics.com'
 CSP_FRAME_SRC += ('https://www.sandbox.paypal.com',)
 CSP_IMG_SRC += (HTTP_GA_SRC,)
-CSP_SCRIPT_SRC += (HTTP_GA_SRC,)
+CSP_SCRIPT_SRC += (HTTP_GA_SRC, "'self'")

 # If you have settings you want to overload, put them in a local_settings.py.
 try:
--- a/src/olympia/amo/tests/test_csp_headers.py
+++ b/src/olympia/amo/tests/test_csp_headers.py
@ -100,9 +100,13 @@ class TestCSPHeaders(TestCase):
        assert "'self'" in base_settings.CSP_FRAME_SRC
        assert "'self'" in base_settings.CSP_FORM_ACTION
        assert "'self'" in base_settings.CSP_IMG_SRC
-        assert "'self'" in base_settings.CSP_SCRIPT_SRC
        assert "'self'" in base_settings.CSP_STYLE_SRC

+    def test_not_self_in_script_src(self):
+        """script-src should not need 'self' or a.m.o for services.a.m.o"""
+        assert "'self'" not in base_settings.CSP_SCRIPT_SRC
+        assert "https://addons.mozilla.org" not in base_settings.CSP_SCRIPT_SRC
+
    def test_analytics_in_common_settings(self):
        """Check for anaytics hosts in img-src and script-src"""
        analytics_host = base_settings.ANALYTICS_HOST
--- a/src/olympia/conf/dev/settings.py
+++ b/src/olympia/conf/dev/settings.py
@ -19,8 +19,6 @@ CSP_CHILD_SRC += ('https://www.sandbox.paypal.com',)
 CSP_FRAME_SRC = CSP_CHILD_SRC
 CSP_IMG_SRC += (CDN_HOST,)
 CSP_SCRIPT_SRC += (
-    # Fix for discovery pane when using services subdomain.
-    'https://addons-dev.allizom.org',
    CDN_HOST,
 )
 CSP_STYLE_SRC += (CDN_HOST,)
--- a/src/olympia/conf/stage/settings.py
+++ b/src/olympia/conf/stage/settings.py
@ -18,8 +18,6 @@ CSP_CHILD_SRC += ('https://www.sandbox.paypal.com',)
 CSP_FRAME_SRC = CSP_CHILD_SRC
 CSP_IMG_SRC += (CDN_HOST,)
 CSP_SCRIPT_SRC += (
-    # Fix for discovery pane when using services subdomain.
-    'https://addons.allizom.org',
    CDN_HOST,
 )
 CSP_STYLE_SRC += (CDN_HOST,)
--- a/src/olympia/lib/settings_base.py
+++ b/src/olympia/lib/settings_base.py
@ -1298,12 +1298,7 @@ CSP_MEDIA_SRC = (
 )
 CSP_OBJECT_SRC = ("'none'",)

-# https://addons.mozilla.org is needed for about:addons because
-# the discovery pane's origin is https://services.addons.mozilla.org
-# and as a result 'self' doesn't match requests to addons.mozilla.org.
 CSP_SCRIPT_SRC = (
-    "'self'",
-    'https://addons.mozilla.org',
    'https://www.paypalobjects.com',
    'https://www.google.com/recaptcha/',
    'https://www.gstatic.com/recaptcha/',