fix: add media-src content security policy (#1845)
Update the CSP to include a `media-src` directive that allows media to be
loaded from `'self'` and from any subdomain of `alpha.canada.ca` (`*.alpha.canada.ca`).
patheard authored May 21, 2024
1 parent 60e5dd5 commit bd3560b
Showing 2 changed files with 3 additions and 0 deletions.
1 change: 1 addition & 0 deletions app/__init__.py
Expand Up @@ -666,6 +666,7 @@ def useful_headers_after_request(response):
f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
f"font-src 'self' {asset_domain} fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
f"img-src 'self' blob: {asset_domain} *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
"media-src 'self' *.alpha.canada.ca;"
"frame-ancestors 'self';"
"form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
"frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
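Review bot: The host source `*.alpha.canada.ca` on the new `media-src` line does not match the bare apex `alpha.canada.ca` (a CSP wildcard requires at least one extra label), so the directive is narrower than the commit message's "any `alpha.canada.ca` domain" and media served from the apex would still be blocked; if the apex is a legitimate origin, list both: `"media-src 'self' alpha.canada.ca *.alpha.canada.ca;"`. The wildcard also trusts every present and future subdomain under `alpha.canada.ca` as a media origin, which is lower risk than a script or connect source but still worth confirming against any less-trusted sandbox hosts that share that parent domain. Writing it scheme-qualified as `https://*.alpha.canada.ca`, as several neighbouring sources already are, would make the HTTPS-only intent explicit rather than dependent on the page's own scheme. The enclosing `useful_headers_after_request` starts and ends outside the hunk, so whether a `default-src` previously governed media loads cannot be checked here.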
2 changes: 2 additions & 0 deletions tests/app/main/views/test_headers.py
Expand Up @@ -74,6 +74,7 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
f"font-src 'self' static.example.com fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
f"img-src 'self' blob: static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
"media-src 'self' *.alpha.canada.ca;"
"frame-ancestors 'self';"
"form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
"frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
Expand Down Expand Up @@ -138,6 +139,7 @@ def test_headers_non_ascii_characters_are_replaced(
f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
f"font-src 'self' static.example.com fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
f"img-src 'self' blob: static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
"media-src 'self' *.alpha.canada.ca;"
"frame-ancestors 'self';"
"form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
"frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
