
Commit 439df8e

committed
Update Google CSP domains
1 parent de2b190 commit 439df8e

3 files changed

Lines changed: 24 additions & 19 deletions


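--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- Updated Google CSP domains
+
 ### Deprecated
 
 ### Removed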

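--- a/tests/test_flask_talisman.py
+++ b/tests/test_flask_talisman.py
@@ -97,11 +97,11 @@ def test_talisman_app_google(self):
 rv.headers["Content-Security-Policy"],
 )
 self.assertIn(
-"img-src 'self' img.youtube.com;",
+"img-src 'self' img.youtube.com i.ytimg.com www.googletagmanager.com;",
 rv.headers["Content-Security-Policy"],
 )
 self.assertIn(
-"script-src 'self' ajax.googleapis.com *.googleanalytics.com *.google-analytics.com www.youtube.com;",
+"script-src 'self' ajax.googleapis.com *.googleanalytics.com *.google-analytics.com www.youtube.com *.gstatic.com www.googletagmanager.com;",
 rv.headers["Content-Security-Policy"],
 )
 self.assertIn(
@@ -154,7 +154,7 @@ def test_talisman_app_custom_csp_with_google(self):
 rv.headers["Content-Security-Policy"],
 )
 self.assertIn(
-"img-src 'self' img.example.com img.youtube.com;",
+"img-src 'self' img.example.com img.youtube.com i.ytimg.com www.googletagmanager.com;",
 rv.headers["Content-Security-Policy"],
 )
 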

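--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -5,25 +5,28 @@
 from ..security import CspGenerator, common_security_headers
 
 GOOGLE_CSP_POLICY = {
-# "default-src": ["*.gstatic.com"],
-# Fonts from fonts.google.com
-"font-src": ["*.gstatic.com"],
-# <iframe> based embedding for Maps and Youtube
-"frame-src": ["www.google.com", "www.youtube.com"],
-# YouTube video thumbnails
-"img-src": ["img.youtube.com"],
-# Assorted Google-hosted Libraries/APIs
+"font-src": ["*.gstatic.com"], # Google Fonts from fonts.google.com
+"frame-src": [
+"www.google.com", # <iframe> based embeds for Google Maps
+"www.youtube.com", # <iframe> based embeds for Youtube
+],
+"img-src": [
+"img.youtube.com", # YouTube video thumbnails
+"i.ytimg.com", # YouTube video thumbnails
+"www.googletagmanager.com", # GTM
+],
 "script-src": [
-"ajax.googleapis.com",
-"*.googleanalytics.com",
-"*.google-analytics.com",
-"www.youtube.com",
+"ajax.googleapis.com", # Assorted Google-hosted Libraries/APIs
+"*.googleanalytics.com", # GA4
+"*.google-analytics.com", # GA4
+"www.youtube.com", # YouTube embeds
+"*.gstatic.com", # Google Translate
+"www.googletagmanager.com", # GTM
 ],
-# Google Fonts stylesheets and YouTube embedded player styles
 "style-src": [
-"ajax.googleapis.com",
-"fonts.googleapis.com",
-"*.gstatic.com",
+"ajax.googleapis.com", # YouTube embedded player styles
+"fonts.googleapis.com", # Google Fonts stylesheets
+"*.gstatic.com", # Assorted Google stylesheets
 ],
 }
 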
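Review bot: The `*.gstatic.com` entry added to `script-src` (new line 23) is a wildcard over a large shared Google static host, so it permits script from every subdomain of it, not only the Translate widget the comment names; if the widget's scripts are fetched from a single host (`www.gstatic.com` is the usual one, but confirm against a browser network capture), the exact hostname is the tighter allow-list entry and the comment should say which resource needs it. The same question applies to the `*.googleanalytics.com` and `*.google-analytics.com` wildcards, which the commit keeps but now labels `GA4`: GA4's loader is now covered by the `www.googletagmanager.com` entry this change adds, so it is worth confirming both wildcards are still exercised rather than inherited from the older UA setup. The `www.googletagmanager.com` script-src entry also deserves a note that a GTM container loads further third-party tags at runtime, so the policy is delegating script trust to whatever the container is configured to inject, e.g. `"www.googletagmanager.com",  # GTM; tags the container injects must also be covered by these sources`. Finally, `i.ytimg.com` repeats the `img.youtube.com` comment verbatim; stating that it appears to be the CDN host behind the thumbnails would explain why both are listed.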
