Skip to content
This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

Commit

Permalink
Merge pull request #4250 from gratipay/fix-csp
Browse files Browse the repository at this point in the history 
Fix CSP
  • Loading branch information
@EdOverflow
EdOverflow authored Dec 22, 2016
2 parents 5d4bb32 + 75ce62f commit cce940b
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 7 deletions.
6 changes: 3 additions & 3 deletions gratipay/security/__init__.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,10 +47,10 @@ def add_headers_to_response(response):
# Allow fonts from cloud.typography.com.
if 'content-security-policy' not in response.headers:
response.headers['content-security-policy'] = ("default-src 'self';"
'script-src assets.gratipay.com;'
'style-src assets.gratipay.com;'
"script-src assets.gratipay.com 'unsafe-inline';"
'style-src assets.gratipay.com cloud.typography.com;'
'img-src *;'
'font-src cloud.typography.com;'
'font-src assets.gratipay.com cloud.typography.com;'
'upgrade-insecure-requests;'
'block-all-mixed-content;'
'reflected-xss block;')
8 changes: 4 additions & 4 deletions tests/py/test_security.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,11 +55,11 @@ def test_ahtr_sets_x_xss_protection(self):

def test_ahtr_sets_content_security_policy(self):
headers = self.client.GET('/about/').headers
policy = ('default-src \'self\';'
'script-src assets.gratipay.com;'
'style-src assets.gratipay.com;'
policy = ("default-src 'self';"
"script-src assets.gratipay.com 'unsafe-inline';"
'style-src assets.gratipay.com cloud.typography.com;'
'img-src *;'
'font-src cloud.typography.com;'
'font-src assets.gratipay.com cloud.typography.com;'
'upgrade-insecure-requests;'
'block-all-mixed-content;'
'reflected-xss block;')
Expand Down

0 comments on commit cce940b

Please sign in to comment.