Fix: Content Security Policy (CSP) Not Implemented (DataBiosphere/azul-private#6)

[dsotirho-ucsc]

Connected issues: DataBiosphere/azul-private#6

Checklist

Author

• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• On ZenHub, PR is connected to all issues it (partially) resolves
• PR description links to connected issues
• PR title matches¹ that of a connected issue _{or comment in PR explains why they're different}
• PR title references all connected issues
• For each connected issue, there is at least one commit whose title references that issue

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

• Added p tag to titles of partial commits
• This PR is labeled partial _{or completely resolves all connected issues}
• This PR partially resolves each of the connected issues _{or does not have the partial label}

Author (chains)

• This PR is blocked by previous PR in the chain _{or is not chained to another PR}
• The blocking PR is labeled base _{or this PR is not chained to another PR}
• This PR is labeled chained _{or is not chained to another PR}

Author (reindex, API changes)

• Added r tag to commit title _{or the changes introduced by this PR will not require reindexing of any deployment}
• This PR is labeled reindex:dev _{or the changes introduced by it will not require reindexing of dev}
• This PR is labeled reindex:anvildev _{or the changes introduced by it will not require reindexing of anvildev}
• This PR is labeled reindex:anvilprod _{or the changes introduced by it will not require reindexing of anvilprod}
• This PR is labeled reindex:prod _{or the changes introduced by it will not require reindexing of prod}
• This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod _{or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod}
• This PR and its connected issues are labeled API _{or this PR does not modify a REST API}
• Added a (A) tag to commit title for backwards (in)compatible changes _{or this PR does not modify a REST API}
• Updated REST API version number in app.py _{or this PR does not modify a REST API}

Author (upgrading deployments)

• Ran make image_manifests.json and committed the resulting changes _{or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable}
• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading deployments}
• Added u tag to commit title _{or this PR does not require upgrading deployments}
• This PR is labeled upgrade _{or does not require upgrading deployments}
• This PR is labeled deploy:shared _{or does not modify image_manifests.json, and does not require deploying the shared component for any other reason}
• This PR is labeled deploy:gitlab _{or does not require deploying the gitlab component}
• This PR is labeled deploy:runner _{or does not require deploying the runner image}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any connected issues _{or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues connected to this PR}

Author (before every review)

• Rebased PR branch on develop, squashed old fixups
• Ran make requirements_update _{or this PR does not modify requirements*.txt, common.mk, Makefile and Dockerfile}
• Added R tag to commit title _{or this PR does not modify requirements*.txt}
• This PR is labeled reqs _{or does not modify requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not modify functionality that could affect the IT outcome}

Peer reviewer (after approval)

• PR is not a draft
• Ticket is in Review requested column
• PR is awaiting requested review from system administrator
• PR is assigned to only the system administrator

System administrator (after approval)

• Actually approved the PR
• Labeled connected issues as demo or no demo
• Commented on connected issues about demo expectations _{or all connected issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• A comment to this PR details the completed security design review
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Moved ticket to Approved column
• PR is assigned to only the operator

Operator (before pushing merge the commit)

• Checked reindex:… labels and r commit title tag
• Checked that demo expectations are clear _{or all connected issues are labeled no demo}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub
• Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Checked the items in the next section _{or this PR is labeled deploy:gitlab}
• PR is assigned to only the system administrator _{or this PR is not labeled deploy:gitlab}

System administrator

• Background migrations for dev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvildev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• PR is assigned to only the operator

Operator (before pushing merge the commit)

• Ran _select dev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvildev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab dev _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in dev}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in anvildev}
• Started reindex in sandbox _{or this PR is not labeled reindex:dev}
• Started reindex in anvilbox _{or this PR is not labeled reindex:anvildev}
• Checked for failures in sandbox _{or this PR is not labeled reindex:dev}
• Checked for failures in anvilbox _{or this PR is not labeled reindex:anvildev}
• The title of the merge commit starts with the title of this PR
• Added PR # reference to merge commit title
• Collected commit title tags in merge commit title _{but only included p if the PR is also labeled partial}
• Moved connected issues to Merged lower column in ZenHub
• Moved blocked issues to Triage _{or no issues are blocked on the connected issues}
• Pushed merge commit to GitHub

Operator (chain shortening)

• Changed the target branch of the blocked PR to develop _{or this PR is not labeled base}
• Removed the chained label from the blocked PR _{or this PR is not labeled base}
• Removed the blocking relationship from the blocked PR _{or this PR is not labeled base}
• Removed the base label from this PR _{or this PR is not labeled base}

Operator (after pushing the merge commit)

• Pushed merge commit to GitLab dev
• Pushed merge commit to GitLab anvildev
• Build passes on GitLab dev
• Reviewed build logs for anomalies on GitLab dev
• Build passes on GitLab anvildev
• Reviewed build logs for anomalies on GitLab anvildev
• Ran _select dev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Deleted PR branch from GitHub
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev

Operator (reindex)

• Deindexed all unreferenced catalogs in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed all unreferenced catalogs in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Deindexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Indexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Indexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Started reindex in dev _{or this PR does not require reindexing dev}
• Started reindex in anvildev _{or this PR does not require reindexing anvildev}
• Checked for, triaged and possibly requeued messages in both fail queues in dev _{or this PR does not require reindexing dev}
• Checked for, triaged and possibly requeued messages in both fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Emptied fail queues in dev _{or this PR does not require reindexing dev}
• Emptied fail queues in anvildev _{or this PR does not require reindexing anvildev}

Operator

• Propagated the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels to the next promotion PRs _{or this PR carries none of these labels}
• Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels, from the description of this PR to that of the next promotion PRs _{or this PR carries none of these labels}
• PR is assigned to no one

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[coveralls]

coverage: 85.603% (-0.01%) from 85.613%
when pulling b9deb4b on issues/dsotirho-ucsc/6-azul-csp-header-2
into 2bfc8ca on develop.

[codecov]

Codecov Report

Attention: Patch coverage is 76.00000% with 18 lines in your changes missing coverage. Please review.

Project coverage is 85.58%. Comparing base (2bfc8ca) to head (b9deb4b).

Files with missing lines	Patch %	Lines
src/azul/chalice.py	75.43%	14 Missing ⚠️
test/integration_test.py	0.00%	4 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #6483      +/-   ##
===========================================
- Coverage    85.59%   85.58%   -0.01%     
===========================================
  Files          155      155              
  Lines        20903    20952      +49     
===========================================
+ Hits         17892    17932      +40     
- Misses        3011     3020       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dsotirho-ucsc]

6483_IT_2024-08-13.txt

Swagger UI & successful authorization with nonce value in CSP header:

[nadove-ucsc]

For consistency

Suggested change

	def content_security_policy(self, nonce: Optional[str] = None) -> str:
	def content_security_policy(self, nonce: str | None = None) -> str:

[nadove-ucsc]

Contributing guide says to prefer concatenation over f-strings when the expressions are of equal length, as they are here:

Suggested change

	nonce = q(f'nonce-{nonce}')
	nonce = q('nonce-' + nonce)

[nadove-ucsc]

Is it possible for the string to contain quote characters that need to be escaped?

Consider creating a dedicated, non-local function for this in src/azul/strings.py. I'm pretty sure there are other places in the codebase where we use this logic.

[nadove-ucsc]

To avoid overriding the reference to the self parameter.

Suggested change

	self = q('self')
	self_ = q('self')

[dsotirho-ucsc]

6483_IT_2024-08-14.txt

[nadove-ucsc]

There is at least one other place this function could be used

[nadove-ucsc]

Also here?

[nadove-ucsc]

There are other places. Search for f'" and f"' (that's a single quote and double quote in either order)

[nadove-ucsc]

azul.bigquery.backtick could make use of this function

[dsotirho-ucsc]

I believe the issue we saw on Friday regarding a circular import error when importing from azul.strings into azul.bigquery was due to a problem with my PyCharm configuration. After a reboot & reset of my Python interpreter path I am no longer able to reproduce the error.

[nadove-ucsc]

Alright, as long as the build's green on GitHub I think we're okay.

[nadove-ucsc]

I don't think this is a good idea. Filtering and joining the strings in the same function was okay when it was a local function that could only be used in one place, but a public function like this shouldn't be so fine-tuned to a single call site. There may be other call sites someday where the filtering isn't necessary or appropriate (it could hide bugs, for example).

[nadove-ucsc]

If I understand correctly, the only word that actually needs to be filtered is the nonce variable. How about this approach instead to eliminate the call to filter altogether?

Subject: [PATCH] review
---
Index: src/azul/chalice.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/src/azul/chalice.py b/src/azul/chalice.py
--- a/src/azul/chalice.py	(revision a36f7c5062b20fb1b79c21140c5bdb2c8db92fdf)
+++ b/src/azul/chalice.py	(date 1723684328983)
@@ -478,14 +478,13 @@
     def content_security_policy(self, nonce: str | None = None) -> str:
         self_ = sq('self')
         none = sq('none')
-        if nonce is not None:
-            nonce = sq('nonce-' + nonce)
+        nonce = [] if nonce is None else [sq('nonce-' + nonce)]
 
         return ';'.join([
             jw('default-src', self_),
             jw('img-src', self_, 'data:'),
-            jw('script-src', self_, nonce),
-            jw('style-src', self_, nonce),
+            jw('script-src', self_, *nonce),
+            jw('style-src', self_, *nonce),
             jw('frame-ancestors', none),
         ])

[dsotirho-ucsc]

6483_IT_2024-08-19.txt

[nadove-ucsc]

Suggested change

	require(end not in string, string)
	reject(end in string, string)

[nadove-ucsc]

Alright, as long as the build's green on GitHub I think we're okay.

[nadove-ucsc]

Nitpick, but I think the English can be streamlined a bit

Suggested change

	Prefix and postfix a string with another. The pre/postfix cannot be a
	substring of the source string.
	Prepend and append an affix to a string. The affix cannot be a
	substring of the base string.

[nadove-ucsc]

(feel free to disregard if you feel "affix" is too obscure a word to be helpful here)

[dsotirho-ucsc]

The nonce violates the RFC

One or more subtests failed
Failed subtests list: 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/oauth2_redirect'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/')


SubTest failure: Traceback (most recent call last):
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 57, in testPartExecutor
    yield
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 538, in subTest
    yield
  File "/Users/daniel/repo/azul2/test/integration_test.py", line 2087, in test_response_security_headers
    self.assertEqual(expected_expressions, expressions)
  File "/Applications/PyCharm.app/Contents/plugins/python-ce/helpers/pycharm/teamcity/diff_tools.py", line 33, in _patched_equals
    old(self, first, second, msg)
AssertionError: Items in the second set but not the first:
"'nonce-NNqlKlzMtRGKiOQq0zehkbnPRgY8zgeR/L2ixVPt***'"

...

The nonce is shorter than expected

One or more subtests failed
Failed subtests list: 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/oauth2_redirect'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/')

SubTest failure: Traceback (most recent call last):
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 57, in testPartExecutor
    yield
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 538, in subTest
    yield
  File "/Users/daniel/repo/azul2/test/integration_test.py", line 2087, in test_response_security_headers
    self.assertEqual(expected_expressions, expressions)
  File "/Applications/PyCharm.app/Contents/plugins/python-ce/helpers/pycharm/teamcity/diff_tools.py", line 33, in _patched_equals
    old(self, first, second, msg)
AssertionError: Items in the second set but not the first:
"'nonce-Ckl4WM1lVI'"

...

The nonce is longer than expected

One or more subtests failed
Failed subtests list: 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/oauth2_redirect'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/')


SubTest failure: Traceback (most recent call last):
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 57, in testPartExecutor
    yield
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 538, in subTest
    yield
  File "/Users/daniel/repo/azul2/test/integration_test.py", line 2087, in test_response_security_headers
    self.assertEqual(expected_expressions, expressions)
  File "/Applications/PyCharm.app/Contents/plugins/python-ce/helpers/pycharm/teamcity/diff_tools.py", line 33, in _patched_equals
    old(self, first, second, msg)
AssertionError: Items in the second set but not the first:
"'nonce-13cDScvjdss1rjKUOLtCnGX9RXH4FPTJVcwRg58EM09dixg+diGPpg'"

...

CSP contains more than one script-src or style-src directive

One or more subtests failed
Failed subtests list: 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/static/swagger-ui_css'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/openapi'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/oauth2_redirect'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/health/basic'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/static/swagger-ui_css'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/openapi'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/health/basic')

SubTest failure: Traceback (most recent call last):
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 57, in testPartExecutor
    yield
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 538, in subTest
    yield
  File "/Users/daniel/repo/azul2/test/integration_test.py", line 2076, in test_response_security_headers
    self.assertNotIn(name, directives)
AssertionError: 'script-src' unexpectedly found in {'frame-ancestors', 'default-src', 'style-src', 'img-src', 'script-src'}

...

CSP contains more than one valid nonce of the expected length in the script-src or style-src directive

One or more subtests failed
Failed subtests list: 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/oauth2_redirect'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/')

SubTest failure: Traceback (most recent call last):
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 57, in testPartExecutor
    yield
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 538, in subTest
    yield
  File "/Users/daniel/repo/azul2/test/integration_test.py", line 2082, in test_response_security_headers
    self.assertNotIn(name, nonces)
AssertionError: 'script-src' unexpectedly found in {'script-src': 'cX+p+yl4adPbVeNFgWAUCDorky8VgIDDJK9QNWxJBU0'}

...

CSP contains a valid nonce of the expected length and one that violates the RFC

One or more subtests failed
Failed subtests list: 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/oauth2_redirect'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/')

SubTest failure: Traceback (most recent call last):
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 57, in testPartExecutor
    yield
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 538, in subTest
    yield
  File "/Users/daniel/repo/azul2/test/integration_test.py", line 2087, in test_response_security_headers
    self.assertEqual(expected_expressions, expressions)
  File "/Applications/PyCharm.app/Contents/plugins/python-ce/helpers/pycharm/teamcity/diff_tools.py", line 33, in _patched_equals
    old(self, first, second, msg)
AssertionError: Items in the second set but not the first:
"'nonce-q4zAsAC7PtvMTyWUcuLaZ6NYU4rl1CDdlI5Z2Zq1***'"

...

CSP contains a valid nonce of the expected length and a valid one of an unexpected length

One or more subtests failed
Failed subtests list: 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/'), 
(endpoint=furl('https://service_daniel_dev_singlecell_gi_ucsc_edu'), path='/oauth2_redirect'), 
(endpoint=furl('https://indexer_daniel_dev_singlecell_gi_ucsc_edu'), path='/')

SubTest failure: Traceback (most recent call last):
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 57, in testPartExecutor
    yield
  File "/Users/daniel/.pyenv/versions/3.11.10/lib/python3.11/unittest/case.py", line 538, in subTest
    yield
  File "/Users/daniel/repo/azul2/test/integration_test.py", line 2087, in test_response_security_headers
    self.assertEqual(expected_expressions, expressions)
  File "/Applications/PyCharm.app/Contents/plugins/python-ce/helpers/pycharm/teamcity/diff_tools.py", line 33, in _patched_equals
    old(self, first, second, msg)
AssertionError: Items in the second set but not the first:
"'nonce-OCwXjZnPYmHWP8lDbt5t'"

...

[dsotirho-ucsc]

6483_IT_2024-11-05.txt

[hannes-ucsc]

Regarding #6483 (comment)

If you just provide the tracebacks, it is a little difficult for me to see what the actual value was that failed the assertion. I'd have to infer which may be error-prone.

Please refactor the code that parses and validates the CSP in the IT into a method and write doctests for that method. We'll decide afterwards if we want to keep those doctests or not.

[hannes-ucsc]

"nonce" is too unspecific. "value" is usually redundant. If a method returns something, that something is a value. "Value" would only be useful if there also was, say, a "key" to distinguish from.

Suggested change

	def nonce_value(cls) -> str:
	def csp_nonce(cls) -> str:

[hannes-ucsc]

We usually use assert_json for asserting JSON structures in doctests.

[hannes-ucsc]

This is a regression to the point where we duplicated the the expected headers in assertions. The ONLY unpredictable part is the nonce so the previous approach of updating the expected headers with that nonce value is much less brittle, as long as the parsing of the CSP and the validation of the nonce's syntax doesn't let invalid or duplicate nonces through.

[dsotirho-ucsc]

Note that with the refactoring of the parsing & validation of the CSP into a separate method, I had to remove the CSP from the expected headers due to no longer having the nonce value available to generate the expected CSP in the test.

[hannes-ucsc]

Note that with the refactoring of the parsing & validation of the CSP into a separate method, I had to remove the CSP from the expected headers due to no longer having the nonce value available to generate the expected CSP in the test.

I don't understand. Just have the parsing/validation method return the expected header entry and inject the return value into the expected header dictionary. Please raise in PL if this is not clear.

[dsotirho-ucsc]

6483_IT_2024-11-05.txt

[hannes-ucsc]

Suggested change

	# Not all expected directives are specified
	>>> cls.validate_csp("default-src 'self'", has_nonce=False)
	Not all expected directives are specified
	>>> cls.validate_csp("default-src 'self'", has_nonce=False)

and so on

[hannes-ucsc]

Note that with the refactoring of the parsing & validation of the CSP into a separate method, I had to remove the CSP from the expected headers due to no longer having the nonce value available to generate the expected CSP in the test.

I don't understand. Just have the parsing/validation method return the expected header entry and inject the return value into the expected header dictionary. Please raise in PL if this is not clear.

[hannes-ucsc]

Remove this case. It is not one of the test cases I specified. Remove all other cases that become redundant by asserting the expected headers (with the expected CSP injected) in the IT, as I requested in previous review.

[dsotirho-ucsc]

6483_IT_2024-11-07.txt

[hannes-ucsc]

As I said in my previous review, have validate_csp return the expected CSP. The post-condition of that method is that the CSP is valid and it is therefore safe to inject it into the expectation.

[dsotirho-ucsc]

6483_IT_2024-11-13.txt