Optimized CSP rules

2025-08-29 15:06:26 +02:00 · 2025-06-03 14:32:15 +02:00
parent cc9b634bb8
commit ebd74db3c4
27 changed files with 57 additions and 39 deletions
--- a/tests/integration/test_csp_configuration_consistency.py
+++ b/tests/integration/test_csp_configuration_consistency.py
@@ -10,6 +10,7 @@ class TestCspConfigurationConsistency(unittest.TestCase):
        'frame-ancestors',
        'frame-src',
        'script-src',
+        'script-src-elem',
        'style-src',
        'font-src',
        'worker-src',
--- a/tests/unit/test_csp_filters.py
+++ b/tests/unit/test_csp_filters.py
@@ -24,7 +24,7 @@ class TestCspFilters(unittest.TestCase):
                },
                'csp': {
                    'whitelist': {
-                        'script-src': ['https://cdn.example.com'],
+                        'script-src-elem': ['https://cdn.example.com'],
                        'connect-src': 'https://api.example.com',
                    },
                    'flags': {
@@ -53,7 +53,7 @@ class TestCspFilters(unittest.TestCase):
        }

    def test_get_csp_whitelist_list(self):
-        result = self.filter.get_csp_whitelist(self.apps, 'app1', 'script-src')
+        result = self.filter.get_csp_whitelist(self.apps, 'app1', 'script-src-elem')
        self.assertEqual(result, ['https://cdn.example.com'])

    def test_get_csp_whitelist_string(self):
@@ -84,7 +84,11 @@ class TestCspFilters(unittest.TestCase):
        self.assertIn("default-src 'self';", header)
        # script-src directive should include unsafe-eval, Matomo domain and CDN (hash may follow)
        self.assertIn(
-            "script-src 'self' 'unsafe-eval' https://matomo.example.org https://cdn.example.com",
+            "script-src-elem 'self' https://matomo.example.org https://cdn.example.com",
+            header
+        )
+        self.assertIn(
+            "script-src 'self' 'unsafe-eval'",
            header
        )
        # connect-src directive unchanged (no inline hash)