Feature/add csp (#719)

* Develop (#709) (#710) * Fix: Remove ai from project (#707) * remove document deletion from delete_nlp_logs task * inconsistency number and debug errors fixed * add user_email to remove_authorizations_project * Feature/health check blocklist (#708) * remove document deletion from delete_nlp_logs task * add a blocklist for not saving logs depending on the authorization user * inconsistency number and debug errors fixed * change the REPOSITORY_BLOCK_USER_LOGS values from users to repository authorizations * change readme * pass on sonarcloud * change admins settings * transform uuid into string * convert uuid into string at test_blocked_user * add regex remotion of special characters from username when creating from keycloak * add django_csp and settings * configure csp * fix settings * black * fix csp settings * fix csp settings
weni-ai · May 26, 2022 · 9d28aeb · 9d28aeb
1 parent 8994a6d
commit 9d28aeb
Showing 1 changed file with 15 additions and 6 deletions.
diff --git a/bothub/settings.py b/bothub/settings.py
@@ -103,6 +103,8 @@
     CSP_SCRIPT_SRC_ELEM=(tuple, "CSP_SCRIPT_SRC_ELEM"),
     CSP_FRAME_SRC=(tuple, "CSP_FRAME_SRC"),
     CSP_CONNECT_SRC=(tuple, "CSP_CONNECT_SRC"),
+    CSP_WORKER_SRC=(tuple, "CSP_WORKER_SRC"),
+    CSP_IMG_SRC=(tuple, "CSP_IMG_SRC"),
 )
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
@@ -312,19 +314,26 @@
 
 # CSP headers
 
-CSP_DEFAULT_SRC = env.tuple("CSP_DEFAULT_SRC", default=("'self'",))
-CSP_FRAME_ANCESTORS = env.tuple("CSP_FRAME_ANCESTORS", default=("'self'", "*.weni.ai"))
+DEFAULT_CSP_SETTINGS = ("'self'",)
+DEFAULT_CSP_WENI_SETTINGS = DEFAULT_CSP_SETTINGS + ("*.weni.ai",)
+
+CSP_DEFAULT_SRC = env.tuple("CSP_DEFAULT_SRC", default=DEFAULT_CSP_SETTINGS)
+CSP_FRAME_ANCESTORS = env.tuple(
+    "CSP_FRAME_ANCESTORS", default=DEFAULT_CSP_WENI_SETTINGS
+)
 CSP_FONT_SRC = env.tuple("CSP_FONT_SRC", default=CSP_DEFAULT_SRC)
 CSP_STYLE_SRC = env.tuple(
-    "CSP_STYLE_SRC", default=("'self'", "'unsafe-inline'", "'unsafe-eval'")
+    "CSP_STYLE_SRC", default=DEFAULT_CSP_SETTINGS + ("'unsafe-inline'", "'unsafe-eval'")
 )
 CSP_STYLE_SRC_ELEM = env.tuple("CSP_STYLE_SRC_ELEM", default=CSP_STYLE_SRC)
-CSP_SCRIPT_SRC = env.tuple(
-    "CSP_SCRIPT_SRC", default=("'self'", "'unsafe-inline'", "'unsafe-eval'")
-)
+CSP_SCRIPT_SRC = env.tuple("CSP_SCRIPT_SRC", default=CSP_STYLE_SRC)
 CSP_SCRIPT_SRC_ELEM = env.tuple("CSP_SCRIPT_SRC_ELEM", default=CSP_SCRIPT_SRC)
 CSP_FRAME_SRC = env.tuple("CSP_FRAME_SRC", default=CSP_DEFAULT_SRC)
 CSP_CONNECT_SRC = env.tuple("CSP_CONNECT_SRC", default=CSP_DEFAULT_SRC)
+CSP_WORKER_SRC = env.tuple(
+    "CSP_WORKER_SRC", default=DEFAULT_CSP_WENI_SETTINGS + ("blob:", "data:")
+)
+CSP_IMG_SRC = env.tuple("CSP_IMG_SRC", default=CSP_WORKER_SRC)
 
 
 # Logging