Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Content-Security-Policy-Report-Only header #3024

Merged
merged 6 commits into from
Mar 7, 2016
Merged

Add Content-Security-Policy-Report-Only header #3024

merged 6 commits into from
Mar 7, 2016

Conversation

finitud
Copy link
Contributor

@finitud finitud commented Feb 25, 2016

nickstenning
nickstenning reviewed Feb 26, 2016
View reviewed changes
h/tweens.py

def content_security_policy_tween(request):
resp = handler(request)
resp.headers["Content-Security-Policy-Report-Only"] = policy.format(request=request)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest adding a csp.report_only setting that can be set with a header -- CSP_REPORT_ONLY, say, and then toggling the name of the header (Content-Security-Policy vs Content-Security-Policy-Report-Only) on the basis of that setting.

@nickstenning
Copy link
Contributor

Looks good. Let's start with something like:

            "font-src": ["'self'", "fonts.gstatic.com"],
            "report-uri": [config.registry.settings.get("csp.report_uri")],
            "script-src": ["'self'"],
            "style-src": ["'self'", "fonts.googleapis.com"],

and see what we get. @robertknight sound about right?

@codecov-io
Copy link

Current coverage is 69.79%

Merging #3024 into master will increase coverage by +0.14% as of f285976

@@            master   #3024   diff @@
======================================
  Files          114     114       
  Stmts         4383    4396    +13
  Branches       503     504     +1
  Methods          0       0       
======================================
+ Hit           3053    3068    +15
  Partial         84      84       
+ Missed        1246    1244     -2

Review entire Coverage Diff as of f285976

Powered by Codecov. Updated on successful CI builds.

nickstenning
nickstenning reviewed Mar 1, 2016
View reviewed changes
h/config.py
@@ -24,6 +24,7 @@ def settings_from_environment():
_setup_client(settings)
_setup_statsd(settings)
_setup_websocket(settings)
_setup_csp(settings)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The config module has changed substantially in #3035 so this will need rebasing. Looks like the options you've added will map straightforwardly, though.

@finitud finitud force-pushed the aw/csp branch 2 times, most recently from ae3e56c to 8dc39fd Compare March 3, 2016 16:48
nickstenning
nickstenning reviewed Mar 4, 2016
View reviewed changes
h/test/tweens_test.py
from h import tweens


class DummyRegistry():
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pyramid.testing.DummyRequest should already have a registry, so you probably don't need this.

chdorner
chdorner reviewed Mar 4, 2016
View reviewed changes
h/test/tweens_test.py

response = tween(request)

assert 'report-uri localhost' in response.headers['Content-Security-Policy']
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be good to have a test for the value of the header as well. Just to mitigate future bugs in the code that generates the value string of this header. As far as I understand the user experience could completely break when CSP is enabled and the header value is not what we expect it to be.
The easiest would be to set some specific CSP policy in the test and compare it to the value string we expect it to generate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've made this one more strict ('==' instead of 'in') and added one more that tests for a more complex header.

@nickstenning
Copy link
Contributor

LGTM.

nickstenning added a commit that referenced this pull request Mar 7, 2016
@nickstenning
Merge pull request #3024 from hypothesis/aw/csp
fb1470d 
Add Content-Security-Policy-Report-Only header
@nickstenning nickstenning merged commit fb1470d into master Mar 7, 2016
@nickstenning nickstenning deleted the aw/csp branch March 7, 2016 17:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@finitud @nickstenning @codecov-io @chdorner