add initial content-security-policy

* use django-csp * add csp for dev to find issues
liqd · Apr 25, 2023 · 3d90957 · 3d90957
1 parent a9bd17c
commit 3d90957
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 8 deletions.
diff --git a/digitalstrategie/settings/base.py b/digitalstrategie/settings/base.py
@@ -69,6 +69,7 @@
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'django.middleware.locale.LocaleMiddleware',
+    'csp.middleware.CSPMiddleware',
     'wagtail.contrib.redirects.middleware.RedirectMiddleware',
 )
 

diff --git a/digitalstrategie/settings/dev.py b/digitalstrategie/settings/dev.py
@@ -32,14 +32,43 @@
 
 if os.getenv("DATABASE") == "postgresql":
     DATABASES = {
-    'default': {
-        'ENGINE': 'django.db.backends.postgresql',
-        'NAME': 'django',
-        'USER': 'django',
-        'PASSWORD': '',
-        'HOST': '',
-        'PORT': '5557',
-        'OPTIONS': {
+        'default': {
+            'ENGINE': 'django.db.backends.postgresql',
+            'NAME': 'django',
+            'USER': 'django',
+            'PASSWORD': '',
+            'HOST': '',
+            'PORT': '5557',
+            'OPTIONS': {
             },
         }
     }
+
+# CSP for development (not very strict)
+CSP_DEFAULT_SRC = ["'self'"]
+# unsafe-eval only for testing
+CSP_SCRIPT_SRC = ["'unsafe-eval'"]
+CSP_SCRIPT_SRC_ATTR = ["'none'"]
+# wagtail (and webpack during dev) requires unsafe-inline
+CSP_SCRIPT_SRC_ELEM = ["'self'", "berlin.de",
+                       "www.berlin.de", "'unsafe-inline'"]
+CSP_IMG_SRC = ["'self'", "berlin.de", "www.berlin.de", "www.gravatar.com"]
+CSP_OBJECT_SRC = ["'none'"]
+CSP_MEDIA_SRC = ["'self'"]
+CSP_FRAME_SRC = ["'self'", "youtube.com",
+                 "www.youtube.com", "vimeo.com", "www.vimeo.com"]
+CSP_FONT_SRC = ["'self'", "berlin.de", "www.berlin.de"]
+CSP_CONNECT_SRC = ["'self'", "releases.wagtail.io"]
+CSP_STYLE_SRC = ["'none'"]
+# wagtail userbar requires unsafe-inline for wagtail <= 4.1
+CSP_STYLE_SRC_ATTR = ["'self'", "'unsafe-inline'"]
+# wagtail admin vendor.js requires unsafe-inline
+CSP_STYLE_SRC_ELEM = ["'self'", "berlin.de",
+                      "www.berlin.de", "'unsafe-inline'"]
+CSP_BASE_URI = ["'self'"]
+CSP_CHILD_SRC = ["'none'"]
+CSP_FRAME_ANCESTORS = ["'self'"]
+CSP_FORM_ACTION = ["'self'"]
+CSP_MANIFEST_SRC = ["'self'"]
+CSP_WORKER_SRC = ["'none'"]
+# CSP_UPGRADE_INSECURE_REQUESTS = True
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -1,6 +1,7 @@
 brotli==1.0.9
 Django==3.2.18
 django-cloudflare-push==0.2.2
+django-csp==3.7
 django-multiselectfield==0.1.12
 django-widget-tweaks==1.4.12
 sentry-sdk==1.19.1