Fix: add to CSP_FRAME_SRC #2446

angela-tran · 2024-10-09T23:18:41Z

#2445 revealed that in production, the frame-src directive only includes google.com and therefore blocks the transit processor iframe.

This is because in settings.py, the logic was to throw away the originally assigned value of CSP_FRAME_SRC and instead use whatever is in env_frame_src.

benefits/benefits/settings.py

Lines 310 to 315 in 8cce5ad

    
           CSP_FRAME_SRC = ["*.littlepay.com"] 
        
           env_frame_src = _filter_empty(os.environ.get("DJANGO_CSP_FRAME_SRC", "").split(",")) 
        
           if RECAPTCHA_ENABLED: 
        
               env_frame_src.append("https://www.google.com") 
        
           if len(env_frame_src) > 0: 
        
               CSP_FRAME_SRC = env_frame_src

This logic was fine when the originally assigned value was 'none' since the directive only allows 'none' or a space separated list of values, but in a23b51e2, we changed it to be *.littlepay.com since we know we will always need to allow that as an iframe source.

This PR fixes it so we add to CSP_FRAME_SRC instead of re-assigning it.

it made sense to re-assign it when the default value was 'none', but now we will always have at least *.littlepay.com

github-actions · 2024-10-09T23:19:45Z

Coverage report

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
benefits
settings.py					315
Project Total

_{This report was generated by python-coverage-comment-action}

lalver1

This looks good 👍
I saw that before this PR, *.littlepay.com only appeared in script-src in the CSP header but now it also appears in frame-src.

thekaveman

Yep, looks good 👍

Now that we're initializing the frame src with the Littlepay domain, no need to replace.

fix: CSP_FRAME_SRC was getting re-assigned instead of being added to

4905621

it made sense to re-assign it when the default value was 'none', but now we will always have at least *.littlepay.com

angela-tran added the bug Something isn't working label Oct 9, 2024

angela-tran added this to the Admin tool: in-person eligibility verification milestone Oct 9, 2024

angela-tran self-assigned this Oct 9, 2024

angela-tran requested a review from a team as a code owner October 9, 2024 23:18

github-actions bot added deployment-dev [auto] Changes that will trigger a deploy if merged to dev back-end Django views, sessions, middleware, models, migrations etc. labels Oct 9, 2024

angela-tran mentioned this pull request Oct 9, 2024

Setting up SBMTD in-person for October 17th #2433

Closed

13 tasks

lalver1 approved these changes Oct 10, 2024

View reviewed changes

thekaveman approved these changes Oct 10, 2024

View reviewed changes

angela-tran merged commit 158e1b0 into main Oct 10, 2024
18 checks passed

angela-tran deleted the fix/csp-frame-src branch October 10, 2024 17:28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix: add to CSP_FRAME_SRC #2446

Fix: add to CSP_FRAME_SRC #2446

angela-tran commented Oct 9, 2024

github-actions bot commented Oct 9, 2024

lalver1 left a comment

thekaveman left a comment

	CSP_FRAME_SRC = ["*.littlepay.com"]
	env_frame_src = _filter_empty(os.environ.get("DJANGO_CSP_FRAME_SRC", "").split(","))
	if RECAPTCHA_ENABLED:
	env_frame_src.append("https://www.google.com")
	if len(env_frame_src) > 0:
	CSP_FRAME_SRC = env_frame_src

Fix: add to CSP_FRAME_SRC #2446

Fix: add to CSP_FRAME_SRC #2446

Conversation

angela-tran commented Oct 9, 2024

github-actions bot commented Oct 9, 2024

Coverage report

lalver1 left a comment

Choose a reason for hiding this comment

thekaveman left a comment

Choose a reason for hiding this comment