fixup! fixup! fixup! [#8479] modified exisinting logic on settings and added support for script-src
diff --git a/Allura/allura/tests/functional/test_root.py b/Allura/allura/tests/functional/test_root.py
index 9eb9d4e..dc5dace 100644
--- a/Allura/allura/tests/functional/test_root.py
+++ b/Allura/allura/tests/functional/test_root.py
@@ -217,9 +217,14 @@
@mock.patch.dict(tg.config, {'csp.report_uri_enforce': 'https://example.com/r/d/csp/enforce', 'csp.frame_sources_enforce': True})
def test_headers_frame_sources_enforce(self):
resp = self.app.get('/p/wiki/Home/')
- assert "report-uri https://example.com/r/d/csp/enforce; frame-src 'self' www.youtube-nocookie.com;" \
- in resp.headers.getall('Content-Security-Policy')[0]
-
+ expected_headers = "report-uri https://example.com/r/d/csp/enforce;"
+ expected_headers += "frame-src 'self' www.youtube-nocookie.com;"
+ expected_headers += "object-src 'none'"
+ expected_report_headers = "script-src 'self' ; form-action 'self'; report-uri None"
+ csp_headers = resp.headers.getall('Content-Security-Policy')[0]
+ csp_report_headers = resp.headers.getall('Content-Security-Policy-Report-Only')[0]
+ assert all([h.strip() in csp_headers for h in expected_headers.split(';')])
+ assert all([h.strip() in csp_report_headers for h in expected_report_headers.split(';')])
class TestRootWithSSLPattern(TestController):
def setup_method(self, method):
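Review bot: The new `expected_report_headers` on line 16 pins `report-uri None` in the Report-Only header, which looks like the Python `None` of an unset `csp.report_uri` leaking into an emitted directive rather than behaviour worth asserting; the test should either add `'csp.report_uri'` to the `mock.patch.dict` and expect that URL, or assert that no `report-uri` directive is present when it is unconfigured, and the header builder (outside this hunk) should presumably skip the directive in that case. The substring checks on lines 19–20 are also too loose for a CSP test: `"script-src 'self'" in csp_report_headers` still passes if the server emits `script-src 'self' 'unsafe-inline' *`, so a regression that loosens a directive goes unnoticed. Parsing each header into a directive → source-set mapping and comparing exact sets closes that gap, as sketched below. The `all([...])` calls would read better as generator expressions, and the method appears to run straight into `class TestRootWithSSLPattern` without the two blank lines PEP 8 expects, though that may be an artefact of how the diff was captured.
```python
def _parse_csp(header):
    """Split 'a b c; d e' into {'a': {'b', 'c'}, 'd': {'e'}} for exact comparison."""
    directives = {}
    for part in header.split(';'):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = set(tokens[1:])
    return directives

    # … unchanged: decorator and request …
    enforced = _parse_csp(resp.headers.getall('Content-Security-Policy')[0])
    assert enforced['report-uri'] == {'https://example.com/r/d/csp/enforce'}
    assert enforced['frame-src'] == {"'self'", 'www.youtube-nocookie.com'}
    assert enforced['object-src'] == {"'none'"}
    report_only = _parse_csp(resp.headers.getall('Content-Security-Policy-Report-Only')[0])
    assert report_only['script-src'] == {"'self'"}
    assert report_only['form-action'] == {"'self'"}
    # no csp.report_uri is configured here, so no report-uri directive should be emitted
    assert 'report-uri' not in report_only
```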
diff --git a/Allura/development.ini b/Allura/development.ini
index 72d5c61..1712406 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -679,7 +679,7 @@
csp.form_action_urls = 'self'
; to enable enforce mode on script-src
-; csp.script_scr_enforce = true
+; csp.script_src_enforce = true
csp.script_src = 'self'