Merge branch 'master' into devcontainer

ocadotechnology · Jan 10, 2024 · b5f74c7 · b5f74c7
2 parents a987c57 + ade8718
commit b5f74c7
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 7 deletions.
diff --git a/.github/workflows/contributing.yaml b/.github/workflows/contributing.yaml
@@ -0,0 +1,8 @@
+name: Contributing
+
+on:
+  pull_request:
+
+jobs:
+  validate-existing-contributors:
+    uses: ocadotechnology/codeforlife-workspace/.github/workflows/validate-existing-contributors.yaml@main
diff --git a/deploy/middleware/security.py b/deploy/middleware/security.py
@@ -4,19 +4,19 @@
 class CustomSecurityMiddleware(SecurityMiddleware):
     """
     Extends Django's Security Middleware.
-    See https://docs.djangoproject.com/en/2.2/_modules/django/middleware/security/ for
-    the source code, as well as https://docs.djangoproject.com/en/2.2/ref/middleware/#module-django.middleware.security
+    See https://docs.djangoproject.com/en/3.2/_modules/django/middleware/security/ for
+    the source code, as well as https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security
     for docs on security middleware.
     """
 
     def process_response(self, request, response):
         """
         Extends the original security middleware to ensure the X-XSS-Protection header
-        is set to 0.
+        is set to 1.
         """
         super().process_response(request, response)
 
         if self.xss_filter:
-            response["X-XSS-Protection"] = "0"
+            response["X-XSS-Protection"] = "1"
 
         return response
diff --git a/example_project/portal_test_settings.py b/example_project/portal_test_settings.py
@@ -185,6 +185,7 @@
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+CSRF_USE_SESSIONS = False  # Setting to False to allow CSRF token to work in Cypress
 RECAPTCHA_DOMAIN = "www.recaptcha.net"
 AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend", "portal.backends.StudentLoginBackend"]
 USE_TZ = True

diff --git a/example_project/settings.py b/example_project/settings.py
@@ -148,6 +148,7 @@
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+CSRF_USE_SESSIONS = True
 RECAPTCHA_DOMAIN = "www.recaptcha.net"
 AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend", "portal.backends.StudentLoginBackend"]
 USE_TZ = True

diff --git a/portal/__init__.py b/portal/__init__.py
@@ -1 +1 @@
-__version__ = "6.39.9"
+__version__ = "6.39.10"
diff --git a/portal/tests/test_middleware.py b/portal/tests/test_middleware.py
@@ -118,7 +118,7 @@ def test_security_headers(self):
         assert response.headers["cache-control"] == "private"
         assert response.headers["x-content-type-options"] == "nosniff"
         assert response.headers["x-frame-options"] == "DENY"
-        assert response.headers["x-xss-protection"] == "0"
+        assert response.headers["x-xss-protection"] == "1"
 
 
 class TestSessionTimeoutMiddleware(TestCase):

diff --git a/run_testserver b/run_testserver
@@ -3,4 +3,4 @@ set -e
 cd "${BASH_SOURCE%/*}"
 
 ./example_project/manage.py collectstatic --noinput --clear
-./example_project/manage.py testserver portal/tests/cypress/fixtures/teachersToBeDeleted.json
+./example_project/manage.py testserver portal/tests/cypress/fixtures/teachersToBeDeleted.json --settings="portal_test_settings"