Resolve PR review gaps across comments, security, feeds, and UX

apps/core/tests/test_security.py

@@ -64,3 +64,38 @@ def test_article_comment_form_contains_csrf_token(client, home_page):
     html = resp.content.decode()
     assert resp.status_code == 200
     assert "csrfmiddlewaretoken" in html
+
+
+@pytest.mark.django_db
+def test_consent_rejects_open_redirect(client, home_page):
+    resp = client.post(
+        "/consent/",
+        {"reject_all": "1"},
+        HTTP_REFERER="https://evil.example.com/phish",
+    )
+    assert resp.status_code == 302
+    assert resp["Location"] == "/"
+
+
+@pytest.mark.django_db
+def test_article_json_ld_script_has_csp_nonce(client, home_page):
+    index = ArticleIndexPage(title="Articles", slug="articles")
+    home_page.add_child(instance=index)
+    author = AuthorFactory()
+    article = ArticlePage(
+        title="Nonce Article",
+        slug="nonce-article",
+        author=author,
+        summary="summary",
+        body=[("rich_text", "<p>Body</p>")],
+    )
+    index.add_child(instance=article)
+    article.save_revision().publish()
+
+    resp = client.get("/articles/nonce-article/")
+    csp = resp["Content-Security-Policy"]
+    match = re.search(r"nonce-([^' ;]+)", csp)
+    assert match
+    nonce = match.group(1)
+    html = resp.content.decode()
+    assert f'type="application/ld+json" nonce="{nonce}"' in html