Flask-admin isn't Content Security Policy-friendly

[toolness]

My current project uses Content Security Policy; one of the default behaviors for CSP is to prevent the execution of inline scripts, which improves resilience in the face of XSS attacks and the like.

However, it seems that there a handful of inline <script> tags in flask-admin views, like the following one which appears on my model list view:

<script language="javascript">
        (function($) {
            $('[data-role=tooltip]').tooltip({
                html: true,
                placement: 'bottom'
            });

        })(jQuery);
    </script>

Similar to pallets-eco/flask-debugtoolbar#88, some of these can be worked around by a hash-source CSP directive, but it'd be really awesome if flask-admin was compatible with the most helpful CSP defaults out-of-the-box!

[mrjoes]

Pull requests are always welcome!

[jxltom]

Why this is closed?

[petrus-jvrensburg]

@jxltom let me re-open it. Are you working on a fix? A pull-request would be great!

[jxltom]

Probably it will be better to keep this open since it is not solved and then someone may fix this. 😄

I can't gurantee the PR but I will try to do that since CSP is important for securities.

[nk9]

A lot of the code which needs to be modified is in bootstrap2 and 3. What is the flask_admin policy on modifying vendor code?

[nk9]

I can't guarantee I'll fix this, but I have done some amount of work on it so I can use it on my site. I am working toward a PR, we'll see. But it would be very helpful to get an answer about modifying upstream code which flask-admin has forked in its repo. @petrus-jvrensburg @mrjoes is there a policy on this? If it's not possible to change those, then there's little point in submitting a PR.

[petrus-jvrensburg]

Nope. Modifying the vendor code in this repo isn't a good idea. It would make it too difficult to update dependencies later.

I would suggest to either fork the project to maintain your own versions of the modified vendor code, or to implement some alternative template mode that doesn't rely on the problematic vendor code at all.

[nk9]

Yeah, I've had to make my own fork. While I understand the reasons, that's unfortunate—it means Flask-Admin will be waiting for Bootstrap 5 to support CSPs. Still, there's non-vendor code to change, so this issue should remain open.

[dfeinzeig]

anyone already have hashes handy to work around this?

[errorfourten]

anyone already have hashes handy to work around this?

For "return modelActions.execute('delete');", you can use 'sha256-ftmTNsdfRKq6ZNyHL+p7dI9xRqueDTpseN1IaUUgQW4='

For "return faHelpers.safeConfirm('Are you sure you want to delete this record?');", you can use 'sha256-gikCNhEl+fhjSb8779qEr3zNPPm8nyTyg8MPyBYs+Tw='

These are the only scripts I have found that needed hashing. Just leaving them here in case any future person needs them!

[samuelhwilliams]

Thanks for reporting this issue. As there are a few issues open on the topic of CSP, I'm go to close this one in favour of #2344, so that we can keep conversation in one place.