From 3179613fd8eae6972223965efa3ba26b283510d0 Mon Sep 17 00:00:00 2001
From: Anthony
Date: Wed, 18 Sep 2024 10:37:51 -0700
Subject: [PATCH] Drop unnecessary CSP directives for gold view (#11605)

* Drop unnecessary CSP directives for gold view

This does not seem needed, as there is no inline script src in `subscription_detail.html`. It seems like maybe we wrote this for `subscription_form.html`, which was old. This conditional was breaking the view for me locally, as we don't have any CSP directives for `script-src` locally, we only have these in production. Because of this, there are no other `script-src` exceptions.

* Revert test functionality
---
 readthedocs/gold/tests/test_views.py | 22 ++++++++++++----------
 readthedocs/gold/views.py | 12 ------------
 2 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/readthedocs/gold/tests/test_views.py b/readthedocs/gold/tests/test_views.py
index 05d6dd1733e..77c34250851 100644
--- a/readthedocs/gold/tests/test_views.py
+++ b/readthedocs/gold/tests/test_views.py
@@ -1,7 +1,7 @@
 import re
 from django.contrib.auth.models import User
-from django.test import TestCase, override_settings
+from django.test import TestCase
 from django.urls import reverse
 from django_dynamic_fixture import get
@@ -11,17 +11,19 @@ def setUp(self):
 self.user = get(User)
 def test_csp_headers(self):
+ """
+ Test CSP headers aren't altered.
+
+ This view originally altered the CSP directives based on whether we were
+ using the new dashboard. We weren't using inline scripts in this view
+ however, so this was reverted. The tests remain for now, but aren't
+ super useful and will break when we change `script-src` in base settings.
+ """
 self.client.force_login(self.user)
 csp_header = "Content-Security-Policy"
 script_src_regex = re.compile(r".*\s+script-src [^;]*'unsafe-inline'")
 url = reverse("gold_detail")
- with override_settings(RTD_EXT_THEME_ENABLED=False):
- resp = self.client.get(url)
- self.assertEqual(resp.status_code, 200)
- self.assertIsNone(script_src_regex.match(resp[csp_header]))
-
- with override_settings(RTD_EXT_THEME_ENABLED=True):
- resp = self.client.get(url)
- self.assertEqual(resp.status_code, 200)
- self.assertTrue(script_src_regex.match(resp[csp_header]))
+ resp = self.client.get(url)
+ self.assertEqual(resp.status_code, 200)
+ self.assertIsNone(script_src_regex.match(resp[csp_header]))
diff --git a/readthedocs/gold/views.py b/readthedocs/gold/views.py
index e3adf61dc85..f1fbde87252 100644
--- a/readthedocs/gold/views.py
+++ b/readthedocs/gold/views.py
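Review bot: The new `self.assertIsNone(script_src_regex.match(resp[csp_header]))` at the end of test_csp_headers passes vacuously when the header carries no `script-src` directive at all, which the commit message says is the case in local settings, so the test cannot distinguish "directive unaltered" from "directive absent". Asserting the directive is present first, `self.assertIn("script-src", resp[csp_header])`, makes the negative check meaningful, and `self.assertIn(csp_header, resp)` before that turns a missing header into an assertion failure instead of a KeyError. The docstring already concedes the test is weak; stating what it guards against (that the gold view no longer widens `script-src` with `'unsafe-inline'`, now that the per-view override in views.py is gone) would record why it is kept. The enclosing TestCase class starts outside the hunk.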
@@ -39,18 +39,6 @@ class GoldSubscription(
 form_class = GoldSubscriptionForm
 template_name = "gold/subscription_detail.html"
- def dispatch(self, request, *args, **kwargs):
- response = super().dispatch(request, *args, **kwargs)
- # Allow inline scripts for the gold view.
- # We are using inline javascript to initialize Stripe Checkout.
- # Allowing inline scripts defeats the purpose of using CSP,
- # but we are limiting it to this view.
- # TODO: use the `@csp_update` decorator once we are running
- # ext-theme by default.
- if settings.RTD_EXT_THEME_ENABLED:
- response._csp_update = {"script-src": "'unsafe-inline'"}
- return response
-
 def get(self, *args, **kwargs):
 subscribed = self.request.GET.get("subscribed", None)
 if subscribed == "true":