From 0916ba709007771a55c281300aa7c5931443dbb1 Mon Sep 17 00:00:00 2001
From: Ilayda Cavusoglu Pars
Date: Fri, 11 Oct 2024 11:29:31 +0300
Subject: [PATCH 1/6] feat: add security headers

---
 webapp/handlers.py | 122 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 122 insertions(+)

diff --git a/webapp/handlers.py b/webapp/handlers.py
index 00e9ef063f3..98c254b90a1 100644
--- a/webapp/handlers.py
+++ b/webapp/handlers.py
@@ -30,6 +30,89 @@
 )
 from webapp.shop.flaskparser import UAContractsValidationError
 
+CSP = {
+    "default-src": ["'self'"],
+    "img-src": [
+        "data: blob:",
+        # This is needed to allow images from
+        # https://www.google.*/ads/ga-audiences to load.
+        "*",
+    ],
+    "script-src-elem": [
+        "'self'",
+        "assets.ubuntu.com",
+        "www.google-analytics.com",
+        "www.googletagmanager.com",
+        "dev.visualwebsiteoptimizer.com",
+        "www.youtube.com",
+        "asciinema.org",
+        "player.vimeo.com",
+        "script.crazyegg.com",
+        "w.usabilla.com",
+        "munchkin.marketo.net",
+        "serve.nrich.ai",
+        "ml314.com",
+        "scout-cdn.salesloft.com",
+        "snippet.maze.co",
+        "www.googleadservices.com",
+        "js.zi-scripts.com",
+        "*.g.doubleclick.net",
+        "www.google.com",
+        "www.gstatic.com",
+        "*.googlesyndication.com",
+        "js.stripe.com",
+        "d3js.org",
+        "www.brighttalk.com",
+        "cdnjs.cloudflare.com",
+        # This is necessary for Google Tag Manager to function properly.
+        "'unsafe-inline'",
+    ],
+    "font-src": [
+        "'self'",
+        "assets.ubuntu.com",
+    ],
+    "script-src": [
+        "'self'",
+        "blob:",
+        "'unsafe-eval'",
+        "'unsafe-hashes'",
+        "'unsafe-inline'",
+    ],
+    "connect-src": [
+        "'self'",
+        "*.googlesyndication.com",
+        "www.google.com",
+        "ubuntu.com",
+        "analytics.google.com",
+        "www.googletagmanager.com",
+        "sentry.is.canonical.com",
+        "www.google-analytics.com",
+        "*.crazyegg.com",
+        "scout.salesloft.com",
+        "*.g.doubleclick.net",
+        "js.zi-scripts.com",
+        "*.mktoresp.com",
+        "prompts.maze.co",
+    ],
+    "frame-src": [
+        "'self'",
+        "*.doubleclick.net",
+        "www.youtube.com/",
+        "asciinema.org",
+        "player.vimeo.com",
+        "js.stripe.com",
+        "www.googletagmanager.com",
+        "www.brighttalk.com",
+    ],
+    "style-src": [
+        "'self'",
+        "'unsafe-inline'",
+    ],
+    "media-src": [
+        "'self'",
+        "res.cloudinary.com",
+    ],
+}
 
 def init_handlers(app, sentry):
     @app.after_request
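Review bot: The `script-src` list on the new side combines `'unsafe-inline'`, `'unsafe-eval'`, `'unsafe-hashes'` and `blob:`, and `script-src-elem` repeats `'unsafe-inline'`, so inline event handlers, `eval` and injected `<script>` bodies all remain executable and the long host allow-list gives this policy little value against XSS. The only rationale recorded is the GTM comment above `'unsafe-inline'`; either move to a per-response nonce (`'nonce-…'` with `'strict-dynamic'`, which also retires most of the host list) or add a comment above each `unsafe-*` keyword naming the inline code or `eval` consumer that still needs it, so they can be removed one at a time. `base-uri` and `frame-ancestors` do not inherit from `default-src`, so as written an injected `<base href>` can retarget the relative script URLs and the page has no anti-framing directive unless `X-Frame-Options` is set elsewhere in the app; add `"base-uri": ["'self'"],` and `"frame-ancestors": ["'self'"],` (and `"object-src": ["'none'"],`, which otherwise inherits `'self'`). The `img-src` entry `"data: blob:"` packs two sources into one string and only works because the list is space-joined; split it into `"data:",` and `"blob:",`.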
@@ -189,6 +272,45 @@ def context():
     def utility_processor():
         return {"image": image_template}
 
+
+    @app.after_request
+    def add_headers(response):
+        """
+        Generic rules for headers to add to all requests
+        - Content-Security-Policy: Restrict resources (e.g., JavaScript, CSS,
+          Images) and URLs
+        - Referrer-Policy: Limit referrer data for security while preserving
+          full referrer for same-origin requests
+        - Cross-Origin-Embedder-Policy: allows embedding cross-origin
+          resources
+        - Cross-Origin-Opener-Policy: enable the page to open pop-ups while
+          maintaining same-origin policy
+        - Cross-Origin-Resource-Policy: allowing cross-origin requests to
+          access the resource
+        - X-Permitted-Cross-Domain-Policies: disallows cross-domain access to
+          resources
+        """
+
+        def get_csp_as_str(csp={}):
+            csp_str = ""
+            for key, values in csp.items():
+                csp_value = " ".join(values)
+                csp_str += f"{key} {csp_value}; "
+            return csp_str.strip()
+
+        response.headers["Content-Security-Policy"] = get_csp_as_str(
+            CSP
+        )
+
+        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+        response.headers["Cross-Origin-Embedder-Policy"] = "unsafe-none"
+        response.headers["Cross-Origin-Opener-Policy"] = (
+            "same-origin-allow-popups"
+        )
+        response.headers["Cross-Origin-Resource-Policy"] = "cross-origin"
+        response.headers["X-Permitted-Cross-Domain-Policies"] = "none"
+        return response
+
 
     app.add_template_filter(date_has_passed)
     app.add_template_filter(sort_by_key_and_ordered_list)
From 1febb6be8a9ec7d965ddbac02b946f43c15e6350 Mon Sep 17 00:00:00 2001
From: Ilayda Cavusoglu Pars
Date: Fri, 11 Oct 2024 11:36:18 +0300
Subject: [PATCH 2/6] feat: add security headers

---
 webapp/handlers.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/webapp/handlers.py b/webapp/handlers.py
index 98c254b90a1..bad241672f5 100644
--- a/webapp/handlers.py
+++ b/webapp/handlers.py
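Review bot: `Cross-Origin-Resource-Policy` is set to `cross-origin` on every response by this blanket `after_request` hook, which is the most permissive value and leaves no response, including any HTML or JSON that carries per-user data, protected from being loaded by other origins; unless every route here is meant to be embeddable cross-origin, `same-site` is the safer default, with `cross-origin` applied only on the routes that serve public assets. The docstring entry for `Cross-Origin-Embedder-Policy` should also say that `unsafe-none` is the browser default and the header is only there to be explicit, e.g. `- Cross-Origin-Embedder-Policy: unsafe-none (the browser default); set explicitly because require-corp would block the third-party embeds in CSP unless they send CORP headers (TODO confirm)`. `get_csp_as_str(csp={})` carries a mutable default for no reason and rebuilds the identical header string on every request; a module-level `CSP_HEADER = "; ".join(f"{k} {' '.join(v)}" for k, v in CSP.items())` with `response.headers["Content-Security-Policy"] = CSP_HEADER` is simpler and drops the helper (the trailing `;` the current code leaves behind is optional in CSP). The enclosing `init_handlers` starts before and continues after this hunk.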
@@ -114,6 +114,7 @@
     ],
 }
+
 
 def init_handlers(app, sentry):
     @app.after_request
     def cache_headers(response):
@@ -272,7 +273,6 @@ def context():
     def utility_processor():
         return {"image": image_template}
 
-
     @app.after_request
     def add_headers(response):
         """
@@ -297,10 +297,8 @@ def get_csp_as_str(csp={}):
                 csp_value = " ".join(values)
                 csp_str += f"{key} {csp_value}; "
             return csp_str.strip()
-
-        response.headers["Content-Security-Policy"] = get_csp_as_str(
-            CSP
-        )
+
+        response.headers["Content-Security-Policy"] = get_csp_as_str(CSP)
 
         response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
         response.headers["Cross-Origin-Embedder-Policy"] = "unsafe-none"
From dce91569e82b9f4474eb633b8e4b1cede7d13a46 Mon Sep 17 00:00:00 2001
From: Ilayda Cavusoglu Pars
Date: Fri, 11 Oct 2024 12:12:20 +0300
Subject: [PATCH 3/6] feat: add missing csp headers

---
 webapp/handlers.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/webapp/handlers.py b/webapp/handlers.py
index bad241672f5..dc5d564988c 100644
--- a/webapp/handlers.py
+++ b/webapp/handlers.py
@@ -64,6 +64,8 @@
         "d3js.org",
         "www.brighttalk.com",
         "cdnjs.cloudflare.com",
+        "static.ads-twitter.com",
+        "*.cdn.digitaloceanspaces.com",
         # This is necessary for Google Tag Manager to function properly.
         "'unsafe-inline'",
     ],
From cdba4b6a3b6b50e1395d89dda0be49e09abf713d Mon Sep 17 00:00:00 2001
From: Ilayda Cavusoglu Pars
Date: Fri, 11 Oct 2024 13:23:20 +0300
Subject: [PATCH 4/6] feat: add missing csp headers

---
 webapp/handlers.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webapp/handlers.py b/webapp/handlers.py
index dc5d564988c..8a9b93ff849 100644
--- a/webapp/handlers.py
+++ b/webapp/handlers.py
@@ -95,6 +95,7 @@
         "js.zi-scripts.com",
         "*.mktoresp.com",
         "prompts.maze.co",
+        "*.google-analytics.com",
     ],
     "frame-src": [
         "'self'",
From 1f653ed2d3f07a8d0fc56d620f7435878868f2c5 Mon Sep 17 00:00:00 2001
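Review bot: `*.cdn.digitaloceanspaces.com`, added to `script-src-elem` in the PATCH 3/6 hunk, wildcards a multi-tenant object-storage CDN whose hostnames are per-bucket, so a script uploaded to any Spaces bucket by any customer is allowed to execute on this site; that turns the entry into an injection-to-XSS path rather than an allow-list. Narrow it to the single bucket host this site actually loads from (`"<bucket>.<region>.cdn.digitaloceanspaces.com",`) and add a comment above it saying what is served from there. The same concern applies in weaker form to `cdnjs.cloudflare.com`, already in the list, which hosts libraries widely documented as usable for CSP bypass; if only a few files are needed, pin them by full path, which CSP host-sources support. The hunk sits in the middle of the `CSP` dict, which starts and ends outside it.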
From: Ilayda Cavusoglu Pars
Date: Fri, 11 Oct 2024 14:06:56 +0300
Subject: [PATCH 5/6] feat: add missing csp headers

---
 webapp/handlers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapp/handlers.py b/webapp/handlers.py
index 8a9b93ff849..dbfe75fc616 100644
--- a/webapp/handlers.py
+++ b/webapp/handlers.py
@@ -291,7 +291,7 @@ def add_headers(response):
         - Cross-Origin-Resource-Policy: allowing cross-origin requests to
           access the resource
         - X-Permitted-Cross-Domain-Policies: disallows cross-domain access to
-          resources
+          resources.
         """
 
         def get_csp_as_str(csp={}):
From ba36647343aac4ef49023bc2f274aa48a437b1c9 Mon Sep 17 00:00:00 2001
From: Ilayda Cavusoglu Pars
Date: Tue, 15 Oct 2024 14:34:29 +0300
Subject: [PATCH 6/6] feat: add missing csp

---
 webapp/handlers.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/webapp/handlers.py b/webapp/handlers.py
index dbfe75fc616..3b3f1479285 100644
--- a/webapp/handlers.py
+++ b/webapp/handlers.py
@@ -66,6 +66,9 @@
         "cdnjs.cloudflare.com",
         "static.ads-twitter.com",
         "*.cdn.digitaloceanspaces.com",
+        "www.redditstatic.com",
+        "snap.licdn.com",
+        "connect.facebook.net",
         # This is necessary for Google Tag Manager to function properly.
         "'unsafe-inline'",
     ],
@@ -105,6 +108,7 @@
         "player.vimeo.com",
         "js.stripe.com",
         "www.googletagmanager.com",
+        "www.google.com",
         "www.brighttalk.com",
     ],
     "style-src": [
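Review bot: The three hosts added to `script-src-elem` in the PATCH 6/6 hunk (`www.redditstatic.com`, `snap.licdn.com`, `connect.facebook.net`) each receive unconditional script-execution rights on every page, and like the rest of the list they carry no note of which tag or team needs them, so nothing in the file says when an entry may be removed; add a trailing comment per entry naming the tag and owner, e.g. `"connect.facebook.net",  # <tag> / <owning team>`, or group them under one `# marketing tags loaded through GTM` comment. This is the fourth commit in the series titled "add missing csp…", which suggests the policy went live enforcing and each breakage was discovered afterwards; a `Content-Security-Policy-Report-Only` rollout with a `report-to`/`report-uri` endpoint (Sentry, already in `connect-src`, supports CSP reports) would surface the remaining gaps without blocking users. `www.google.com`, added to `frame-src` in the second hunk, is also listed in `script-src-elem` and `connect-src`, so a one-line comment naming the Google widget it is for (presumably reCAPTCHA; confirm) would save the next maintainer from guessing. Both hunks sit in the middle of the `CSP` dict, which starts and ends outside them.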