Posted to commits@allura.apache.org by gc...@apache.org on 2022/11/28 23:33:05 UTC

[allura] branch gc/8479 updated: fixup! fixup! fixup! [#8479] modified exisinting logic on settings and added support for script-src

This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8479
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/gc/8479 by this push:
     new 8f5fc137e fixup! fixup! fixup! [#8479] modified exisinting logic on settings and added support for script-src
8f5fc137e is described below

commit 8f5fc137e2a8c693e09c247cb129b3d75f89b32a
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Mon Nov 28 17:32:50 2022 -0600

    fixup! fixup! fixup! [#8479] modified exisinting logic on settings and added support for script-src
---
 Allura/allura/tests/functional/test_root.py | 11 ++++++++---
 Allura/development.ini                      |  2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/Allura/allura/tests/functional/test_root.py b/Allura/allura/tests/functional/test_root.py
index 9eb9d4eab..dc5dace07 100644
--- a/Allura/allura/tests/functional/test_root.py
+++ b/Allura/allura/tests/functional/test_root.py
@@ -217,9 +217,14 @@ class TestRootController(TestController):
     @mock.patch.dict(tg.config, {'csp.report_uri_enforce': 'https://example.com/r/d/csp/enforce', 'csp.frame_sources_enforce': True})
     def test_headers_frame_sources_enforce(self):
         resp = self.app.get('/p/wiki/Home/')
-        assert "report-uri https://example.com/r/d/csp/enforce; frame-src 'self' www.youtube-nocookie.com;" \
-               in resp.headers.getall('Content-Security-Policy')[0]
-
+        expected_headers = "report-uri https://example.com/r/d/csp/enforce;"
+        expected_headers += "frame-src 'self' www.youtube-nocookie.com;"
+        expected_headers += "object-src 'none'"
+        expected_report_headers = "script-src 'self' ;  form-action 'self'; report-uri None"
+        csp_headers = resp.headers.getall('Content-Security-Policy')[0]
+        csp_report_headers = resp.headers.getall('Content-Security-Policy-Report-Only')[0]
+        assert all([h.strip() in csp_headers for h in expected_headers.split(';')])
+        assert all([h.strip() in csp_report_headers for h in expected_report_headers.split(';')])
 
 class TestRootWithSSLPattern(TestController):
     def setup_method(self, method):
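Review bot: The containment checks on L43-L44 cannot detect a weakened policy, because `h.strip() in csp_headers` is a substring match: a header carrying `script-src 'self' 'unsafe-inline'` or `frame-src 'self' www.youtube-nocookie.com evil.example` still satisfies the expected `script-src 'self'` / `frame-src 'self' www.youtube-nocookie.com` fragments, so the test passes exactly when it should fail. Parsing each header into a directive-to-source-set map and asserting equality per directive pins the whole value of each directive rather than a prefix. The expected value on L40 also pins `report-uri None` in the Report-Only header, which looks like an unset `csp.report_uri` being stringified into the directive (a relative report target literally named `None`); the patch dict should set `csp.report_uri` or the assertion should require the directive to be absent, rather than enshrining it. The `'self' ;  form-action` spacing in the same string hints the header serializer leaves stray whitespace when a source list is empty; the parser below tolerates it, but it is worth tidying in the serializer too.
```python
def _csp_directives(header):
    """Map each CSP directive name to the set of its source tokens."""
    return {
        tokens[0]: set(tokens[1:])
        for tokens in (directive.split() for directive in header.split(';'))
        if tokens
    }

# … unchanged: decorator and resp = self.app.get(...) …
        csp = _csp_directives(resp.headers.getall('Content-Security-Policy')[0])
        csp_report = _csp_directives(resp.headers.getall('Content-Security-Policy-Report-Only')[0])
        assert csp['report-uri'] == {'https://example.com/r/d/csp/enforce'}
        assert csp['frame-src'] == {"'self'", 'www.youtube-nocookie.com'}
        assert csp['object-src'] == {"'none'"}
        assert csp_report['script-src'] == {"'self'"}
        assert csp_report['form-action'] == {"'self'"}
```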
diff --git a/Allura/development.ini b/Allura/development.ini
index 72d5c6121..171240692 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -679,7 +679,7 @@ csp.frame_sources = 'self' www.youtube-nocookie.com
 csp.form_action_urls = 'self'
 
 ; to enable enforce mode on script-src
-; csp.script_scr_enforce = true
+; csp.script_src_enforce = true
 
 csp.script_src = 'self'