WT-536: improve our CSP unsafe-inline config by making it tighter and more specific #16994
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -109,12 +109,12 @@ | |||||
| "www.googletagmanager.com", | ||||||
| "www.youtube.com", | ||||||
| csp.constants.UNSAFE_EVAL, | ||||||
| # Don't allow csp.constants.UNSAFE_INLINE wholesale in the default CSP. Be more targetted with it | ||||||
|
There was a problem hiding this comment. Corrected spelling of 'targetted' to 'targeted'.
Suggested change
|
||||||
| } | ||||||
|
|
||||||
| _csp_style_src = { | ||||||
| csp.constants.SELF, | ||||||
| CSP_ASSETS_HOST, | ||||||
| "cdn.transcend.io", # Transcend Consent Management | ||||||
| "transcend-cdn.com", # Transcend Consent Management | ||||||
|
Comment on lines
117
to
119
Collaborator
There was a problem hiding this comment. So, it was added for transcend. I still believe that has to be some misconfiguration, but… I don't see it added anywhere later for transcend — only for wagtail admin. (yay! but…)
Collaborator
There was a problem hiding this comment. … but after reading the description again and looking around the lines yes transcend's already covered there: bedrock/bedrock/settings/__init__.py Lines 122 to 124 in 0c299c8 right 🤦♂️ — so airgap shouldn't break. And it's well before the RO deepcopy so it'll also silence any RO noise. So what this PR does is, where UNSAFE_INLINE was removed only from RO before, then recently refactored out even from there, this actually finally enforces it (but will most likely be relaxed back via env where airgap's enabled, but only based on that) — so the sentry reports should be watched esp. in deployments that don't enable airgap yet — |
||||||
| } | ||||||
|
Comment on lines
115
to
120
There was a problem hiding this comment. The removal of |
||||||
|
|
@@ -208,8 +208,14 @@ def _override_csp( | |||||
| # /cms-admin/images/ loads just-uploaded images as blobs. | ||||||
| CMS_ADMIN_IMAGES_CSP = _override_csp(CONTENT_SECURITY_POLICY, append={"img-src": {"blob:"}}) | ||||||
| CMS_ADMIN_IMAGES_CSP_RO = csp_ro_report_uri and _override_csp(CONTENT_SECURITY_POLICY_REPORT_ONLY, append={"img-src": {"blob:"}}) | ||||||
|
|
||||||
|
|
||||||
| # The CMS admin frames itself for page previews and needs script-src: allow-inline | ||||||
|
stevejalim marked this conversation as resolved.
Outdated
|
||||||
| CMS_ADMIN_CSP = _override_csp( | ||||||
| CONTENT_SECURITY_POLICY, | ||||||
| replace={"frame-ancestors": {csp.constants.SELF}}, | ||||||
| append={"script-src": {csp.constants.UNSAFE_INLINE}}, | ||||||
| ) | ||||||
| CMS_ADMIN_CSP_RO = csp_ro_report_uri and _override_csp(CONTENT_SECURITY_POLICY_REPORT_ONLY, replace={"frame-ancestors": {csp.constants.SELF}}) | ||||||
|
Comment on lines
210
to
219
Collaborator
There was a problem hiding this comment. You probably want to either have RO matching the prod, or… start with the rules in RO-only for now, and let it sit for a bit and see whether it would trigger anything before blocking things? |
||||||
|
|
||||||
| CSP_PATH_OVERRIDES = { | ||||||
|
|
||||||
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[unrelated] Wondering whether to be adding UNSAFE_EVAL only
if DEV? (Is there a risk of missing any legit use when this would always be allowed in dev, incl. demos, but never in prod/stage?)