From bd3560b082a7ca1869b876c14753b747a4b9df62 Mon Sep 17 00:00:00 2001
From: Pat Heard
Date: Tue, 21 May 2024 10:56:58 -0400
Subject: [PATCH] fix: add media-src content security policy (#1845)

Update the CSP to include `media-src` that allows content to be loaded from any `alpha.canada.ca` domain.
---
 app/__init__.py | 1 +
 tests/app/main/views/test_headers.py | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/app/__init__.py b/app/__init__.py
index f81f330ac9..d26b8ca934 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -666,6 +666,7 @@ def useful_headers_after_request(response):
 f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
 f"font-src 'self' {asset_domain} fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
 f"img-src 'self' blob: {asset_domain} *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
+ "media-src 'self' *.alpha.canada.ca;"
 "frame-ancestors 'self';"
 "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
index b37e81a269..b59b30d49b 100644
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
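Review bot: `*.alpha.canada.ca` in the added `media-src` line matches subdomains only, not the apex host `alpha.canada.ca`, so media served from the bare domain would still be blocked even though the commit message promises "any `alpha.canada.ca` domain"; if the apex is a real source the line should read `"media-src 'self' alpha.canada.ca *.alpha.canada.ca;"`, and if one known host serves the media, naming that host instead of the wildcard is the least-privilege form. Because the source carries no scheme it matches the scheme of the page (plus https on an http page), which is fine for an https-only service but is worth stating in a short comment on the new line, e.g. `# media-src: audio/video for <placeholder: feature> hosted under *.alpha.canada.ca; media presumably fell back to default-src before this`. `default-src` lies outside this hunk, so whether the new directive tightens or widens what media could load before cannot be judged here and should be checked against it. The two hunks in tests/app/main/views/test_headers.py repeat the same string and would need the same edit. useful_headers_after_request begins before this hunk.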
@@ -74,6 +74,7 @@ def test_owasp_useful_headers_set(client, mocker, mock_get_service_and_organisat
 f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
 f"font-src 'self' static.example.com fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
 f"img-src 'self' blob: static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
+ "media-src 'self' *.alpha.canada.ca;"
 "frame-ancestors 'self';"
 "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"
@@ -138,6 +139,7 @@ def test_headers_non_ascii_characters_are_replaced(
 f"style-src 'self' fonts.googleapis.com https://tagmanager.google.com https://fonts.googleapis.com 'unsafe-inline';"
 f"font-src 'self' static.example.com fonts.googleapis.com fonts.gstatic.com *.gstatic.com data:;"
 f"img-src 'self' blob: static.example.com *.canada.ca *.cdssandbox.xyz *.google-analytics.com *.googletagmanager.com *.notifications.service.gov.uk *.gstatic.com https://siteintercept.qualtrics.com data:;" # noqa: E501
+ "media-src 'self' *.alpha.canada.ca;"
 "frame-ancestors 'self';"
 "form-action 'self' *.siteintercept.qualtrics.com https://siteintercept.qualtrics.com;"
 "frame-src 'self' www.googletagmanager.com https://cdssnc.qualtrics.com/;"