Add Permissions-Policy and Content-Security-Policy headers (#226)

Co-authored-by: Thibaud Colas <thibaudcolas@gmail.com>
wagtail · Nov 15, 2023 · d501f32 · d501f32
1 parent 38fd75d
commit d501f32
Show file tree

Hide file tree

Showing 4 changed files with 86 additions and 3 deletions.
diff --git a/apps/guide/settings/base.py b/apps/guide/settings/base.py
@@ -67,6 +67,7 @@
 
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
+    "django_permissions_policy.PermissionsPolicyMiddleware",
     # Whitenoise middleware is used to server static files (CSS, JS, etc.).
     # According to the official documentation it should be listed underneath
     # SecurityMiddleware.
@@ -183,6 +184,54 @@
 ]
 
 
+# Security
+
+# Configure the `Permissions-Policy` header
+# https://github.com/adamchainz/django-permissions-policy
+PERMISSIONS_POLICY = {
+    "accelerometer": [],
+    "ambient-light-sensor": [],
+    "autoplay": [],
+    "camera": [],
+    "display-capture": [],
+    "document-domain": [],
+    "encrypted-media": [],
+    "fullscreen": [],
+    "geolocation": [],
+    "gyroscope": [],
+    "interest-cohort": [],
+    "magnetometer": [],
+    "microphone": [],
+    "midi": [],
+    "payment": [],
+    "usb": [],
+}
+
+# Content Security policy settings
+# http://django-csp.readthedocs.io/en/latest/configuration.html
+if "CSP_DEFAULT_SRC" in env:
+    MIDDLEWARE.append("csp.middleware.CSPMiddleware")
+
+    # The “special” source values of
+    # 'self', 'unsafe-inline', 'unsafe-eval', and 'none' must be quoted!
+    # e.g.: CSP_DEFAULT_SRC = "'self'" Without quotes they will not work as intended.
+
+    CSP_DEFAULT_SRC = env.get("CSP_DEFAULT_SRC").split(",")
+    if "CSP_SCRIPT_SRC" in env:
+        CSP_SCRIPT_SRC = env.get("CSP_SCRIPT_SRC").split(",")
+    if "CSP_STYLE_SRC" in env:
+        CSP_STYLE_SRC = env.get("CSP_STYLE_SRC").split(",")
+    if "CSP_IMG_SRC" in env:
+        CSP_IMG_SRC = env.get("CSP_IMG_SRC").split(",")
+    if "CSP_CONNECT_SRC" in env:
+        CSP_CONNECT_SRC = env.get("CSP_CONNECT_SRC").split(",")
+    if "CSP_FONT_SRC" in env:
+        CSP_FONT_SRC = env.get("CSP_FONT_SRC").split(",")
+    if "CSP_BASE_URI" in env:
+        CSP_BASE_URI = env.get("CSP_BASE_URI").split(",")
+    if "CSP_OBJECT_SRC" in env:
+        CSP_OBJECT_SRC = env.get("CSP_OBJECT_SRC").split(",")
+
 # Internationalization
 # https://docs.djangoproject.com/en/4.0/topics/i18n/
 

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -20,6 +20,8 @@ django-storages = ">=1.14,<1.15"
 whitenoise = ">=6.6,<6.7"
 psycopg2 = "2.9.9"
 wagtail-localize = "1.7rc1"
+django-permissions-policy = "^4.13.0"
+django-csp = "^3.7"
 
 [tool.poetry.group.dev.dependencies]
 ruff = "^0.1.4"

diff --git a/setup.cfg b/setup.cfg
@@ -9,4 +9,4 @@ omit =
    *migrations*
 
 [coverage:report]
-show_missing = True
+show_missing = True