adding csp

2025-12-06 06:17:17 +00:00 · 2021-04-29 23:07:57 +01:00
parent c8ffb55bbe
commit 5eecbf1075
3 changed files with 26 additions and 2 deletions
--- a/cbreader/settings/base.py
+++ b/cbreader/settings/base.py
@@ -50,6 +50,7 @@ MIDDLEWARE = [
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    'csp.middleware.CSPMiddleware',
 ]

 ROOT_URLCONF = "cbreader.urls"
@@ -144,4 +145,7 @@ BOOTSTRAP4 = {
        "integrity": "sha384-Piv4xVNRyMGpqkS2by6br4gNJ7DXjqk09RmUpJ8jgGtD7zP9yug3goQfGII0yAns",
        "crossorigin": "anonymous",
    },
-}
+}
+CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", 'cdn.jsdelivr.net', 'cdn.datatables.net', 'i.creativecommons.org',
+                   'code.jquery.com', 'licensebuttons.net', 'www.w3.org')
+CSP_IMG_SRC = ("'self'", 'i.creativecommons.org', 'licensebuttons.net')
--- a/poetry.lock
+++ b/poetry.lock
@@ -119,6 +119,21 @@ python-versions = ">=3.6"
 beautifulsoup4 = ">=4.8.0"
 Django = ">=2.2"

+[[package]]
+name = "django-csp"
+version = "3.7"
+description = "Django Content Security Policy support."
+category = "main"
+optional = false
+python-versions = "*"
+
+[package.dependencies]
+Django = ">=1.8"
+
+[package.extras]
+jinja2 = ["jinja2 (>=2.9.6)"]
+tests = ["pytest (<4.0)", "pytest-django", "pytest-flakes (==1.0.1)", "pytest-pep8 (==1.0.6)", "pep8 (==1.4.6)", "mock (==1.0.1)", "six (==1.12.0)", "jinja2 (>=2.9.6)"]
+
 [[package]]
 name = "django-extensions"
 version = "3.1.3"
@@ -455,7 +470,7 @@ dev = ["pytest (>=4.6.2)", "black (>=19.3b0)"]
 [metadata]
 lock-version = "1.1"
 python-versions = "^3.8"
-content-hash = "c099b73f4400e26ba585774697d71eb475d22e365ad1ce9e6699086b30f403ad"
+content-hash = "71642aa577156d70c6033dbc260a2ab03d247a17d9b0b0500a9c9a0e0228fd68"

 [metadata.files]
 asgiref = [
@@ -553,6 +568,10 @@ django-bootstrap4 = [
    {file = "django-bootstrap4-3.0.0.tar.gz", hash = "sha256:bffc96f65386fbd49cae1474393e01d4b414c12fcab0fff50545e6142e7ba19b"},
    {file = "django_bootstrap4-3.0.0-py3-none-any.whl", hash = "sha256:76a52fb22a8d3dbb2f7609b21908ce863e941a4462be079bf1d12025e551af37"},
 ]
+django-csp = [
+    {file = "django_csp-3.7-py2.py3-none-any.whl", hash = "sha256:01443a07723f9a479d498bd7bb63571aaa771e690f64bde515db6cdb76e8041a"},
+    {file = "django_csp-3.7.tar.gz", hash = "sha256:01eda02ad3f10261c74131cdc0b5a6a62b7c7ad4fd017fbefb7a14776e0a9727"},
+]
 django-extensions = [
    {file = "django-extensions-3.1.3.tar.gz", hash = "sha256:5f0fea7bf131ca303090352577a9e7f8bfbf5489bd9d9c8aea9401db28db34a0"},
    {file = "django_extensions-3.1.3-py3-none-any.whl", hash = "sha256:50de8977794a66a91575dd40f87d5053608f679561731845edbd325ceeb387e3"},
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -26,6 +26,7 @@ Pillow = "^8.2.0"
 django-imagekit = "^4.0.2"
 PyMuPDF = "^1.18.12"
 django-bootstrap4 = "^3.0.0"
+django-csp = "^3.7"

 [tool.poetry.dev-dependencies]
 mypy = "^0.812"