Merge pull request #2321 from GSA/notify-admin-2315

dynamic scan warnings
GSA · Feb 10, 2025 · a4963b8 · a4963b8
2 parents 22f729d + 208891a
commit a4963b8
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 4 deletions.
diff --git a/app/templates/base.html b/app/templates/base.html
@@ -14,10 +14,8 @@
     <script nonce="{{ csp_nonce() }}">document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>
     {% block bodyStart %}
       {% block extra_javascripts_before_body %}
-      <!-- Google Tag Manager (noscript) -->
       <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WX5NGWF"
       height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
-      <!-- End Google Tag Manager (noscript) -->
       {% endblock %}
     {% endblock %}
 
@@ -145,10 +143,8 @@ <h2 class="usa-modal__heading" id="sessionTimerHeading">
     {% block bodyEnd %}
       {% block extra_javascripts %}
       {% endblock %}
-      <!--[if gt IE 8]><!-->
       <script type="text/javascript" src="{{ asset_url('javascripts/all.js') }}"></script>
       <script type="text/javascript" src="{{ asset_url('js/uswds.min.js') }}"></script>
-      <!--<![endif]-->
     {% endblock %}
   </body>
 </html>
diff --git a/application.py b/application.py
@@ -1,7 +1,10 @@
 from flask import Flask
+from werkzeug.serving import WSGIRequestHandler
 
 from app import create_app
 
+WSGIRequestHandler.version_string = lambda self: "SecureServer"
+
 application = Flask("app")
 
 create_app(application)
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
@@ -75,6 +75,24 @@ def rewrite_response_headers(status, headers, exc_info=None):
             if SPAN_ID_HEADER.lower() not in lower_existing_header_names:
                 headers.append((SPAN_ID_HEADER, str(req.span_id)))
 
+            # Some dynamic scan findings
+            headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
+            headers.append(("Cross-Origin-Embedder-Policy", "require-corp"))
+            headers.append(("Cross-Origin-Resource-Policy", "same-origin"))
+            headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
+
+            # svg content type should not contain charset
+            found_svg = False
+            for _, v in headers:
+                if "svg+xml" in v:
+                    found_svg = True
+            if found_svg:
+                new_headers = [
+                    (k, v) for k, v in headers if k.lower() != "content-type"
+                ]
+                new_headers.append(("Content-Type", "image/svg+xml"))
+                return start_response(status, new_headers, exc_info)
+
             return start_response(status, headers, exc_info)
 
         return self._app(environ, rewrite_response_headers)

diff --git a/zap.conf b/zap.conf
@@ -53,6 +53,7 @@
 10096	WARN	(Timestamp Disclosure - Passive/release)
 10097	WARN	(Hash Disclosure - Passive/beta)
 10098	WARN	(Cross-Domain Misconfiguration - Passive/release)
+10099	IGNORE	(Source Code Disclosure - Java)
 10104	WARN	(User Agent Fuzzer - Active/beta)
 10105	WARN	(Weak Authentication Method - Passive/release)
 10106	IGNORE	(HTTP Only Site - Active/beta)