
Implement Content Security Policy #211

Merged: 7 commits merged into dev from feat/content-security-policy on Nov 19, 2021

Conversation

thekaveman (Member) commented:
Closes #203.

Testing this PR

The Content Security Policy blocks assets from loading unless configured correctly. After checking out the branch with git, load the app in your browser and run through the flow - you should see no errors in loading scripts, styles, fonts, etc., and all images, styles, etc. should be applied and visible.

To break the Policy and see what happens, comment out everything after the CSP_DEFAULT_SRC directive in settings.py. Then load the app locally and check the browser console:

[screenshot]

* default to only allowing content from self, blocks all frame loading
* allow loading from CA State Template, Google Fonts
    * allow <style> tags to load from our app, CA State Template, Google Fonts
    * allow 'unsafe-inline' for jQuery dynamic styles/elements
* allow <script> tags from our app, CA State Template, Amplitude, jQuery, Littlepay
* allow javascript to connect to Amplitude
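As an added worked example (not code from this PR or the project), the policy described above expressed as django-csp style settings, rendered to a Content-Security-Policy header value, parsed back, and checked for what it allows. The service origins (state-template.example, amplitude.example, jquery.example, littlepay.example, app.example) are placeholders, since the page names the services but not their URLs; the Google Fonts hosts are the public ones. It also reproduces the breakage from the testing notes: with everything after CSP_DEFAULT_SRC removed, script-src falls back to default-src 'self' and scripts from the jQuery host are blocked, while 'unsafe-inline' on style-src is the one finding a lint of the full policy reports.

```python
"""Render, parse and check a CSP built from django-csp style settings.
Example code added for illustration; not the project's settings.py."""
from __future__ import annotations

from urllib.parse import urlsplit

# Placeholder origins (assumptions): the page names the services, not their URLs.
APP_ORIGIN = "https://app.example"
STATE_TEMPLATE = "https://state-template.example"
AMPLITUDE = "https://amplitude.example"
JQUERY = "https://jquery.example"
LITTLEPAY = "https://littlepay.example"
GOOGLE_FONTS_CSS = "https://fonts.googleapis.com"   # stylesheet host
GOOGLE_FONTS_FILES = "https://fonts.gstatic.com"    # font file host

# django-csp (pre-4.0) setting name -> the CSP directive it is emitted as.
DIRECTIVES = {
    "CSP_DEFAULT_SRC": "default-src",
    "CSP_FRAME_SRC": "frame-src",
    "CSP_FONT_SRC": "font-src",
    "CSP_STYLE_SRC": "style-src",
    "CSP_SCRIPT_SRC": "script-src",
    "CSP_CONNECT_SRC": "connect-src",
}

# Settings mirroring the PR description, with the placeholder hosts above.
FULL_SETTINGS = {
    "CSP_DEFAULT_SRC": ("'self'",),
    "CSP_FRAME_SRC": ("'none'",),
    "CSP_FONT_SRC": ("'self'", STATE_TEMPLATE, GOOGLE_FONTS_FILES),
    "CSP_STYLE_SRC": ("'self'", STATE_TEMPLATE, GOOGLE_FONTS_CSS, "'unsafe-inline'"),
    "CSP_SCRIPT_SRC": ("'self'", STATE_TEMPLATE, AMPLITUDE, JQUERY, LITTLEPAY),
    "CSP_CONNECT_SRC": ("'self'", AMPLITUDE),
}
# The "break the policy" case from the testing notes: only CSP_DEFAULT_SRC left.
DEFAULT_ONLY_SETTINGS = {"CSP_DEFAULT_SRC": ("'self'",)}


def render_header(settings: dict) -> str:
    """Serialize settings into a Content-Security-Policy header value."""
    parts = [f"{DIRECTIVES[name]} {' '.join(values)}" for name, values in settings.items() if values]
    return "; ".join(parts)


def parse_header(header: str) -> dict[str, list[str]]:
    """Parse a header value back into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list[str]:
    """Fetch directives (script-src, style-src, frame-src, ...) fall back to
    default-src when they are not set, which is why removing them tightens
    the policy rather than loosening it."""
    return policy.get(directive, policy.get("default-src", []))


def allows(policy: dict, directive: str, url: str, app_origin: str = APP_ORIGIN) -> bool:
    """Would a resource at `url` be permitted under `directive`?
    Host sources match on scheme+host or bare host; 'self' is the app origin;
    'none' only counts when it is the sole source, as in the CSP spec."""
    sources = effective_sources(policy, directive)
    if not sources or sources == ["'none'"]:
        return False
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src == "'self'" and origin == app_origin:
            return True
        if src in ("*", origin, parts.netloc):
            return True
    return False


def lint(policy: dict) -> list[str]:
    """Flag what a reviewer would question: 'unsafe-inline' on script or style
    sources (it disables CSP's protection against injected code in that
    directive) and wildcard sources anywhere."""
    findings = []
    for directive in ("script-src", "style-src"):
        if "'unsafe-inline'" in effective_sources(policy, directive):
            findings.append(f"{directive} permits 'unsafe-inline'")
    for directive, sources in policy.items():
        if "*" in sources:
            findings.append(f"{directive} permits any origin")
    return findings


if __name__ == "__main__":
    header = render_header(FULL_SETTINGS)
    print(header)
    print("findings:", lint(parse_header(header)))
```

The lint result shows the trade-off the description makes explicit: 'unsafe-inline' is confined to style-src (for jQuery's dynamic styles) and kept off script-src, where it would matter most.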
Timeline:

* thekaveman added this to the November 2021 milestone (Nov 19, 2021)
* github-actions bot added the label "deployment-dev [auto] Changes that will trigger a deploy if merged to dev" (Nov 19, 2021)
* thekaveman merged commit 1266155 into dev (Nov 19, 2021)
* thekaveman deleted the feat/content-security-policy branch (November 19, 2021 19:54)
* thekaveman added the label "security Changes to improve or maintain the availability and resilience of the app" (Apr 29, 2022)
Linked issue that this pull request closes: Send Content-Security-Policy header (#203)