This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8500
in repository https://gitbox.apache.org/repos/asf/allura.git

commit f3bf6327b83e4258b13b20375a8ea964aed89833
Author: Dave Brondsema <[email protected]>
AuthorDate: Tue Feb 21 15:39:05 2023 -0500

    better defaults for CSP to avoid warnings when developing
---
 Allura/allura/lib/app_globals.py                       |  2 +-
 Allura/allura/lib/custom_middleware.py                 |  6 ++++--
 Allura/allura/templates/jinja_master/theme_macros.html |  4 +++-
 Allura/allura/tests/functional/test_neighborhood.py    | 16 ++++++++--------
 Allura/allura/tests/functional/test_root.py            |  2 +-
 Allura/development.ini                                 |  3 ++-
 6 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index 398d6bf3a..d9aa1b9ed 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -236,7 +236,7 @@ class Globals:
         self.pypeline_markup = pypeline_markup
 
         # Setup analytics
-        accounts = config.get('ga.account', 'UA-XXXXX-X')
+        accounts = config.get('ga.account', '')
         accounts = accounts.split(' ')
         self.analytics = analytics.GoogleAnalytics(accounts=accounts)
 
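Review bot: With the new default of `''`, the unchanged `accounts = accounts.split(' ')` on the next line still yields `['']`, so `GoogleAnalytics` receives one empty account and the theme_macros.html hunk has to filter it back out with `if account`. Using `accounts = config.get('ga.account', '').split()` returns `[]` for an empty or whitespace-only setting and also tolerates repeated spaces between IDs, so the emptiness handling lives in one place. Whether `GoogleAnalytics` itself accepts an empty list is not visible here and would need confirming. The enclosing method of `Globals` starts and ends outside the hunk.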
diff --git a/Allura/allura/lib/custom_middleware.py 
b/Allura/allura/lib/custom_middleware.py
index 0244c5721..f06f04d27 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -514,10 +514,12 @@ class ContentSecurityPolicyMiddleware:
         rules.add("object-src 'none'")
         rules.add("frame-ancestors 'self'")
         if rules:
-            rules.add(f'report-uri {report_uri_enforce}')
+            if report_uri_enforce:
+                rules.add(f'report-uri {report_uri_enforce}')
             resp.headers.add('Content-Security-Policy', '; '.join(rules))
         if report_rules:
-            report_rules.add(f'report-uri {report_uri}')
+            if report_uri:
+                report_rules.add(f'report-uri {report_uri}')
             resp.headers.add('Content-Security-Policy-Report-Only', '; 
'.join(report_rules))
         return resp(environ, start_response)
 
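Review bot: The new guards around the two `report-uri` lines mean an unset or empty report URI silently yields a policy with no reporting endpoint, which is what development wants but is easy to miss in a production configuration where enforce mode then blocks content without any violation reaching an operator. A comment above the first guard would make that explicit, for example `# no report URI configured (the development default): violations of this policy are not reported anywhere`, and if the module has a logger a one-time debug message would help. Note also that CSP Level 3 deprecates `report-uri` in favour of `report-to`; browsers still honour `report-uri`, so a later change could emit both. The enclosing method of `ContentSecurityPolicyMiddleware` starts outside the hunk.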
diff --git a/Allura/allura/templates/jinja_master/theme_macros.html 
b/Allura/allura/templates/jinja_master/theme_macros.html
index 0b4100ac8..01e2eb97b 100644
--- a/Allura/allura/templates/jinja_master/theme_macros.html
+++ b/Allura/allura/templates/jinja_master/theme_macros.html
@@ -84,14 +84,16 @@ 
http://stackoverflow.com/questions/26582731/redefining-imported-jinja-macros
     {# This should be overridden in your custom theme (e.g., sftheme) to 
implement custom tracking code. #}
     var _gaq = _gaq || [];
 
+    /*eslint-disable no-unused-vars */
     function _add_tracking(prefix, tracking_id) {
         _gaq.push(
             [prefix+'._setAccount', tracking_id],
             [prefix+'._trackPageview']
         );
     }
+    /*eslint-enable no-unused-vars */
 
-    {%- for account in accounts %}
+    {%- for account in accounts if account %}
     _add_tracking('acct{{ loop.index }}', '{{account}}');
     {%- endfor %}
     {% if project and project.neighborhood.features['google_analytics'] -%}
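Review bot: The new `if account` filter on the loop only skips empty values; a non-empty account still reaches the JS string on the next line by plain interpolation (`'{{account}}'`), and inside a `<script>` block HTML autoescaping, if it is enabled for this template, produces entities the browser does not decode, so a quote or backslash in the value neither breaks out cleanly nor renders as a valid JS literal. Rendering it with Jinja's `tojson` filter, `_add_tracking('acct{{ loop.index }}', {{ account|tojson }});`, produces a correctly escaped JS string whatever the content. The `accounts` values appear to come from the `ga.account` setting (see the app_globals.py hunk), so this is hardening rather than a live defect.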
diff --git a/Allura/allura/tests/functional/test_neighborhood.py 
b/Allura/allura/tests/functional/test_neighborhood.py
index b85b29420..d9fd3fc21 100644
--- a/Allura/allura/tests/functional/test_neighborhood.py
+++ b/Allura/allura/tests/functional/test_neighborhood.py
@@ -297,10 +297,10 @@ class TestNeighborhood(TestController):
         neighborhood.features['google_analytics'] = True
         r = self.app.get('/adobe/_admin/overview',
                          extra_environ=dict(username='root'))
-        assert 'Google Analytics ID' in r
+        r.mustcontain('Google Analytics ID')
         r = self.app.get('/adobe/adobe-1/admin/overview',
                          extra_environ=dict(username='root'))
-        assert 'Google Analytics ID' in r
+        r.mustcontain('Google Analytics ID')
         r = self.app.post('/adobe/_admin/update',
                           params=dict(name='Adobe', css='',
                                       homepage='# MozQ1', 
tracking_id='U-123456'),
@@ -310,21 +310,21 @@ class TestNeighborhood(TestController):
                           extra_environ=dict(username='root'), status=302)
         r = self.app.get('/adobe/adobe-1/admin/overview',
                          extra_environ=dict(username='root'))
-        assert "_add_tracking('nbhd', 'U-123456');" in r, r
-        assert "_add_tracking('proj', 'U-654321');" in r
+        r.mustcontain("_add_tracking('nbhd', 'U-123456');")
+        r.mustcontain("_add_tracking('proj', 'U-654321');")
         # analytics not allowed
         neighborhood = M.Neighborhood.query.get(name='Adobe')
         neighborhood.features['google_analytics'] = False
         r = self.app.get('/adobe/_admin/overview',
                          extra_environ=dict(username='root'))
-        assert 'Google Analytics ID' not in r
+        r.mustcontain(no='Google Analytics ID')
         r = self.app.get('/adobe/adobe-1/admin/overview',
                          extra_environ=dict(username='root'))
-        assert 'Google Analytics ID' not in r
+        r.mustcontain(no='Google Analytics ID')
         r = self.app.get('/adobe/adobe-1/admin/overview',
                          extra_environ=dict(username='root'))
-        assert "_add_tracking('nbhd', 'U-123456');" not in r
-        assert "_add_tracking('proj', 'U-654321');" not in r
+        r.mustcontain(no="_add_tracking('nbhd', 'U-123456');")
+        r.mustcontain(no="_add_tracking('proj', 'U-654321');")
 
     def test_custom_css(self):
         test_css = '.test{color:red;}'
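Review bot: The paired `mustcontain` calls on the same response at the top of the hunk and near its end can each be a single call, since WebTest's `mustcontain` accepts several positional strings and `no=` takes a list: `r.mustcontain("_add_tracking('nbhd', 'U-123456');", "_add_tracking('proj', 'U-654321');")` and `r.mustcontain(no=["_add_tracking('nbhd', 'U-123456');", "_add_tracking('proj', 'U-654321');"])`. The enclosing test method starts outside the hunk.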
diff --git a/Allura/allura/tests/functional/test_root.py 
b/Allura/allura/tests/functional/test_root.py
index 48921d48d..224172f49 100644
--- a/Allura/allura/tests/functional/test_root.py
+++ b/Allura/allura/tests/functional/test_root.py
@@ -239,7 +239,7 @@ class TestRootController(TestController):
         expected_headers = "report-uri https://example.com/r/d/csp/enforce;";
         expected_headers += "frame-src 'self' www.youtube-nocookie.com;"
         expected_headers += "object-src 'none'"
-        expected_report_headers = "script-src 'self' ;  form-action 'self'; 
report-uri None"
+        expected_report_headers = "script-src 'self' ;  form-action 'self'"
         csp_headers = resp.headers.getall('Content-Security-Policy')[0]
         csp_report_headers = 
resp.headers.getall('Content-Security-Policy-Report-Only')[0]
         assert all([h.strip() in csp_headers for h in 
expected_headers.split(';')])
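Review bot: The new `expected_report_headers` value drops `report-uri`, but the containment check visible at the end of the hunk (`all([h.strip() in csp_headers ...])`) only proves that the expected pieces are present, so it would still pass if the middleware kept emitting `report-uri None` in the report-only header. Assuming the report-only assertion below the hunk follows the same pattern, a negative check such as `assert 'report-uri' not in csp_report_headers` would actually exercise the guard added in custom_middleware.py. The test method starts and ends outside the hunk.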
diff --git a/Allura/development.ini b/Allura/development.ini
index 5be545809..d6ac0c80b 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -680,7 +680,8 @@ csp.form_action_urls = 'self'
 ; to enable enforce mode on script-src
 ; csp.script_src_enforce = true
 
-csp.script_src = 'self'
+csp.script_src = 'self' www.google-analytics.com
+csp.script_src.extras = 'unsafe-inline' 'unsafe-eval'
 
 ;
 ; Settings for comment reactions
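Review bot: The new `csp.script_src.extras = 'unsafe-inline' 'unsafe-eval'` line carries no comment, yet those two source expressions remove the protection script-src gives against injected inline scripts, which is acceptable for a development checkout but harmful if the line is copied into a production ini. Add a comment above it such as `; development convenience only: 'unsafe-inline' and 'unsafe-eval' negate script-src protection; keep them out of production configs`. The adjacent `; csp.script_src_enforce = true` comment suggests script-src is report-only here by default, which limits the impact, but that dependency is worth stating in the same comment. How the middleware consumes `csp.script_src.extras` is not visible in this patch.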
