
Support Content-Security-Policy without "script-src unsafe-inline" #5381

Open
graingert opened this issue Jun 8, 2016 · 9 comments

Comments

@graingert

graingert commented Jun 8, 2016

Django 1.10 lands support for running the admin with a Content-Security-Policy without "script-src unsafe-inline" applied. This allows the django admin to be completely immune from XSS attacks.

Django CMS should follow suit and remove all inline JavaScript, replacing large blocks of JS with <script src="{% static 'path/to/old_inlines/eg.js' %}"></script> and <script>var foo = {{ bar }}</script> with:

# path/to/fooUsage.js
window.foo = $('#django-cms-foo').data('foo');

# template: the value travels in a quoted, autoescaped data attribute instead of inline JS
<script id="django-cms-foo" src="{% static 'path/to/fooUsage.js' %}" data-foo="{{ bar }}"></script>
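The proposal above hinges on one detail: the data has to be carried somewhere the browser will not execute, and escaped for that place. The following is an added example (not code from the issue or from django CMS) that contrasts the inline pattern with the two CSP-safe carriers. All names are hypothetical; `html.escape` stands in for Django's attribute autoescaping of `{{ bar }}`, and the `\u003c` escaping mirrors what Django's `json_script` filter (available since 2.1) does. The sample config is constructed and carries a `</script>` on purpose.

```python
import html
import json
import re

# Constructed sample: the kind of per-page config a Django view hands to a
# template. The title carries the classic breakout against inline JS.
SAMPLE_CONFIG = {"lang": "en", "title": "</script><script>alert(1)</script>"}


def inline_script_tag(config):
    """The pattern the issue asks to remove: <script>var foo = {{ bar|safe }}</script>.

    json.dumps escapes quotes but not '<' or '/', so a value containing
    '</script>' terminates the element early. Kept deliberately unsafe as
    the 'before' case.
    """
    return "<script>var CMS_CONFIG = %s;</script>" % json.dumps(config)


def data_attr_script_tag(config, src="/static/cms/js/config.js"):
    """The CSP-safe form from the issue: config rides in a quoted data attribute
    and an external script reads it. html.escape stands in for Django's
    autoescaping of {{ bar }} inside a double-quoted attribute (hypothetical src).
    """
    payload = html.escape(json.dumps(config), quote=True)
    return (
        '<script id="django-cms-config" src="%s" data-config="%s"></script>'
        % (html.escape(src, quote=True), payload)
    )


def json_script_tag(config, element_id="django-cms-config"):
    """Alternative carrier: a non-executing <script type="application/json"> block.

    '<', '>' and '&' are written as \\u escapes so the JSON can never contain a
    literal '</script>'; this is what Django's json_script filter does.
    """
    text = json.dumps(config)
    for ch, repl in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        text = text.replace(ch, repl)
    return '<script id="%s" type="application/json">%s</script>' % (element_id, text)


def decode_data_config(markup):
    """What the external script does in the browser (element.dataset.config):
    take the attribute value, undo HTML escaping, parse the JSON."""
    match = re.search(r'data-config="([^"]*)"', markup)
    if match is None:
        raise ValueError("no data-config attribute")
    return json.loads(html.unescape(match.group(1)))


def decode_json_script(markup):
    """Client side of json_script_tag: JSON.parse(element.textContent)."""
    match = re.search(r'type="application/json">(.*)</script>', markup, re.S)
    if match is None:
        raise ValueError("no JSON script block")
    return json.loads(match.group(1))


def has_script_breakout(markup):
    """True if a '</script>' occurs before the element's own closing tag, i.e.
    the HTML parser would end the script early and start parsing attacker markup."""
    body = markup[: -len("</script>")]
    return "</script>" in body.lower()


if __name__ == "__main__":
    for name, tag in (("inline", inline_script_tag), ("data-attr", data_attr_script_tag),
                      ("json-script", json_script_tag)):
        markup = tag(SAMPLE_CONFIG)
        print("%-12s breakout=%s" % (name, has_script_breakout(markup)))
```

Both safe carriers round-trip the original object unchanged on the client side, and neither needs 'unsafe-inline' because nothing in them is executed by the HTML parser; the external `config.js` that reads them is an ordinary 'self' source.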
@vxsx vxsx added this to the 3.4 milestone Jun 8, 2016
@vxsx vxsx self-assigned this Jun 8, 2016
@vxsx
Contributor

vxsx commented Jun 8, 2016

Thanks for the report, we'll take care of it.
It would also require changes in some of the essential addons though, e.g. djangocms-text-ckeditor etc.

@yakky
Member

yakky commented Jun 8, 2016

I think that this should undergo a deprecation period. Django 1.10 just removed its own inline JavaScript to allow enabling "Content-Security-Policy"; it does not enforce it.
I think that django CMS 3.4 can adopt the same behavior, and then let addons adapt to it by providing a "suggested timeframe".

@rspeed

rspeed commented Sep 17, 2017

I gave this a look and it's a bit harder than I expected. Replacing CMS.config with a block of JSON was fairly straightforward, but plugins are another story altogether. Gonna put it aside for now and take another look when I have some time.

Another issue is that Django-CMS uses jQuery's PEP.js library, which builds a dynamic script element and inserts it into the DOM, violating style-src 'self'. So there's at least one upstream blocker.

@graingert
Author

graingert commented Sep 17, 2017 via email

@rspeed

rspeed commented Sep 17, 2017

Some good news: I got the plugins/placeholders sorted out. I've got it running on my personal site right now (with style-src 'self' 'unsafe-inline' in the CSP) and haven't encountered any issues.

@graingert
Author

@rspeed oh great stuff, any chance of some PRs?

@rspeed

rspeed commented Sep 18, 2017

Yup, already working on one. I found a few more inline scripts that needed to be fixed. Finishing that up now.

@marksweb
Member

@vxsx @yakky what's the status of CSP support?

Following a pen test I've got a client who wants us to implement a CSP, and I've done what I can, but I can't complete the task without support from the CMS.

I've not looked at the commits involved in #6072 yet, but it's full of conflicts given its age now, so I'm not sure how viable those changes are now.

marksweb added a commit to marksweb/django-cms that referenced this issue Jan 18, 2019
This addresses CSP support in django-cms#5381
Rebuilt the JS
@Aiky30 Aiky30 modified the milestones: 3.4.x, DCA Needs clarification Dec 8, 2020
@GrazingScientist

I'm giving this a push, because I find it highly relevant that I do not have to set 'unsafe-inline' in my code: it more or less makes the CSP useless.
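Both the post-pentest request above and the point that 'unsafe-inline' makes the policy useless come down to one question: does a given Content-Security-Policy header still let inline scripts run? The check below is an added example, not code from the thread or from django CMS. It applies the directive fallback order for script elements (script-src-elem, then script-src, then default-src), the rule that a repeated directive is ignored after its first occurrence, and the CSP2/CSP3 rule that 'unsafe-inline' is ignored once a nonce-source, hash-source or 'strict-dynamic' appears in the same list. Function names and the sample policies are constructed for the example; the first policy is the one a django CMS deployment has to ship today.

```python
# Constructed sample policies: the first is what a django CMS site currently
# has to allow, the others are the variants a reviewer would expect to see.
SAMPLE_POLICIES = {
    "cms-today": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
    "no-inline": "default-src 'self'; style-src 'self' 'unsafe-inline'",
    "nonce-overrides-inline": "script-src 'self' 'nonce-d2VsbCBoaQ==' 'unsafe-inline'",
    "fallback-to-default": "default-src 'unsafe-inline'",
    "no-script-restriction": "img-src 'self'",
}


def parse_policy(header):
    """Split a CSP header into {directive-name: [source expressions]}.

    Directive names are case-insensitive; source values are kept verbatim
    because nonces and hashes are case-sensitive. A repeated directive name
    is ignored after its first occurrence, as browsers do.
    """
    directives = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_script_sources(directives):
    """Source list governing inline <script> elements: script-src-elem, then
    script-src, then default-src. None means the policy does not restrict
    scripts at all."""
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            return directives[name]
    return None


def allows_inline_script(header):
    """True if a CSP2/CSP3 browser would execute an inline <script> under this header."""
    sources = effective_script_sources(parse_policy(header))
    if sources is None:
        return True
    keywords = {s.lower() for s in sources if s.startswith("'")}
    if "'unsafe-inline'" not in keywords:
        return False
    # A nonce- or hash-source in the same list makes the browser ignore
    # 'unsafe-inline' (CSP2); 'strict-dynamic' has the same effect (CSP3).
    overridden = any(
        k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords
    ) or "'strict-dynamic'" in keywords
    return not overridden


def audit(policies):
    """Map each named policy to whether it still permits inline scripts."""
    return {name: allows_inline_script(header) for name, header in policies.items()}


if __name__ == "__main__":
    for name, inline_ok in audit(SAMPLE_POLICIES).items():
        print("%-24s inline scripts allowed: %s" % (name, inline_ok))
```

Two results are worth noting when reading the audit: a policy with no script-src and no default-src permits inline script even though it "has a CSP", and a nonce or hash next to 'unsafe-inline' is the usual migration trick, since it keeps legacy browsers working while modern ones enforce the stricter list.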
