From 4db78dacfef1a1c26ef99b616338b61cd543c1ea Mon Sep 17 00:00:00 2001
From: Chad Whitacre
Date: Thu, 22 Dec 2016 10:58:58 -0500
Subject: [PATCH 1/5] Start branch fix-csp
From 5143b6d2cf1fe7ceccff47c2dc84c6d2f2e84ece Mon Sep 17 00:00:00 2001
From: Chad Whitacre
Date: Thu, 22 Dec 2016 11:01:10 -0500
Subject: [PATCH 2/5] Pick off remaining style blip
---
 tests/py/test_security.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
index dd682adccb..aba3ff73bb 100644
--- a/tests/py/test_security.py
+++ b/tests/py/test_security.py
@@ -55,7 +55,7 @@ def test_ahtr_sets_x_xss_protection(self):
 def test_ahtr_sets_content_security_policy(self):
 headers = self.client.GET('/about/').headers
- policy = ('default-src \'self\';'
+ policy = ("default-src 'self';"
 'script-src assets.gratipay.com;'
 'style-src assets.gratipay.com;'
 'img-src *;'
From 961ce59546d0e6211afedc2af950b1e9bfd0eecd Mon Sep 17 00:00:00 2001
From: Chad Whitacre
Date: Thu, 22 Dec 2016 11:04:22 -0500
Subject: [PATCH 3/5] Fix font & font css
---
 gratipay/security/__init__.py | 6 +++---
 tests/py/test_security.py | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/gratipay/security/__init__.py b/gratipay/security/__init__.py
index 71c351e7d4..72216224f8 100644
--- a/gratipay/security/__init__.py
+++ b/gratipay/security/__init__.py
@@ -47,10 +47,10 @@ def add_headers_to_response(response):
 # Allow fonts from cloud.typography.com.
 if 'content-security-policy' not in response.headers:
 response.headers['content-security-policy'] = ("default-src 'self';"
- 'script-src assets.gratipay.com;'
- 'style-src assets.gratipay.com;'
+ "script-src assets.gratipay.com;"
+ 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
- 'font-src cloud.typography.com;'
+ 'font-src assets.gratipay.com cloud.typography.com;'
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
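Review bot: The comment at the top of the hunk, `# Allow fonts from cloud.typography.com.`, no longer describes the policy below it: the new `style-src` also admits cloud.typography.com and the new `font-src` also admits assets.gratipay.com, so a reader has no record of why either extra host is listed. Suggest widening it to `# Allow styles and fonts from cloud.typography.com; fonts also from assets.gratipay.com.` so each host in the header has a stated reason. The replaced `script-src` line is unchanged apart from switching to double quotes, which only makes the quoting inconsistent with the neighbouring single-quoted literals. The same directive changes are mirrored in the tests/py/test_security.py hunk of this patch, and add_headers_to_response starts outside the hunk.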
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
index aba3ff73bb..26e7cd8642 100644
--- a/tests/py/test_security.py
+++ b/tests/py/test_security.py
@@ -57,9 +57,9 @@ def test_ahtr_sets_content_security_policy(self):
 headers = self.client.GET('/about/').headers
 policy = ("default-src 'self';"
 'script-src assets.gratipay.com;'
- 'style-src assets.gratipay.com;'
+ 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
- 'font-src cloud.typography.com;'
+ 'font-src assets.gratipay.com cloud.typography.com;'
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
From 821eae2c816f7bc996414c0b5a13c91ca4eed0e0 Mon Sep 17 00:00:00 2001
From: EdOverflow
Date: Thu, 22 Dec 2016 17:19:48 +0100
Subject: [PATCH 4/5] Add script-src 'unsafe-inline'
---
 gratipay/security/__init__.py | 1 +
 tests/py/test_security.py | 1 +
 2 files changed, 2 insertions(+)
diff --git a/gratipay/security/__init__.py b/gratipay/security/__init__.py
index 72216224f8..077d58fb24 100644
--- a/gratipay/security/__init__.py
+++ b/gratipay/security/__init__.py
@@ -51,6 +51,7 @@ def add_headers_to_response(response):
 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
 'font-src assets.gratipay.com cloud.typography.com;'
+ "script-src 'unsafe-inline'"
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
index 26e7cd8642..46b72534c0 100644
--- a/tests/py/test_security.py
+++ b/tests/py/test_security.py
@@ -60,6 +60,7 @@ def test_ahtr_sets_content_security_policy(self):
 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
 'font-src assets.gratipay.com cloud.typography.com;'
+ "script-src 'unsafe-inline'"
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
From 75ce62fbd4ac9526e0654c14b7b06d186e465511 Mon Sep 17 00:00:00 2001
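Review bot: The added literal `"script-src 'unsafe-inline'"` in the gratipay/security/__init__.py hunk of PATCH 4/5 has no trailing `;`, so implicit string concatenation fuses it with the next literal and the header actually sent reads `script-src 'unsafe-inline'upgrade-insecure-requests;` — `upgrade-insecure-requests` stops being a directive of its own, while the fused token is a second `script-src` that browsers discard in favour of the first one. The net effect of this commit, as written, is to silently drop `upgrade-insecure-requests` rather than to change the script policy; the test hunk of the same patch encodes the same malformed string, so it would pass. PATCH 5/5 in this series folds the source into the existing `script-src` directive, which removes both problems. add_headers_to_response starts outside the hunk.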
From: Chad Whitacre
Date: Thu, 22 Dec 2016 11:43:34 -0500
Subject: [PATCH 5/5] Fold script-srcs together
---
 gratipay/security/__init__.py | 3 +--
 tests/py/test_security.py | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/gratipay/security/__init__.py b/gratipay/security/__init__.py
index 077d58fb24..99957486c5 100644
--- a/gratipay/security/__init__.py
+++ b/gratipay/security/__init__.py
@@ -47,11 +47,10 @@ def add_headers_to_response(response):
 # Allow fonts from cloud.typography.com.
 if 'content-security-policy' not in response.headers:
 response.headers['content-security-policy'] = ("default-src 'self';"
- "script-src assets.gratipay.com;"
+ "script-src assets.gratipay.com 'unsafe-inline';"
 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
 'font-src assets.gratipay.com cloud.typography.com;'
- "script-src 'unsafe-inline'"
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
index 46b72534c0..c355250f39 100644
--- a/tests/py/test_security.py
+++ b/tests/py/test_security.py
@@ -56,11 +56,10 @@ def test_ahtr_sets_x_xss_protection(self):
 def test_ahtr_sets_content_security_policy(self):
 headers = self.client.GET('/about/').headers
 policy = ("default-src 'self';"
- 'script-src assets.gratipay.com;'
+ "script-src assets.gratipay.com 'unsafe-inline';"
 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
 'font-src assets.gratipay.com cloud.typography.com;'
- "script-src 'unsafe-inline'"
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
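Review bot: The folded `script-src assets.gratipay.com 'unsafe-inline';` line now permits every inline script block and event-handler attribute on the page, so this header no longer blocks script injected into markup — the one thing CSP adds over the `X-XSS-Protection` header tested just above — and neither the commit message nor the code says which inline scripts made it necessary. At minimum the comment above the header should record that, e.g. `# 'unsafe-inline' is required by <TEMPLATE_PLACEHOLDER>; replace with a per-response nonce once those blocks are tagged.`, so the allowance can be revisited rather than inherited. CSP Level 2 nonce or hash sources let the intended inline blocks run without opening `script-src` wholesale, and would be the follow-up to plan for. Separately, `reflected-xss` comes from the CSP 1.1 draft and was dropped from Level 2, so it is unlikely to be honoured by current browsers and should not be relied on to compensate. The tests hunk mirrors the same string, and add_headers_to_response starts outside the hunk.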