Skip to content

Commit 0a01103

Browse files
fix: /graphql/ GraphiQL interface by changing CSP rules
fix error when opening /graphql/ with GraphiQL enabled: > Refused to execute inline script because it violates the following > Content Security Policy directive: "script-src 'self' 'unsafe-eval' > cdn.jsdelivr.net blob:". Either the 'unsafe-inline' keyword, a hash > ('sha256-HHh/PGb5Jp8ck+QB/v7zeWzuHf3vYssM0CBPvYgEHR4='), or a nonce > ('nonce-...') is required to enable inline execution. and being unable to load "data:" inline base64 encoded fonts as well refs KK-1360
1 parent cbc890c commit 0a01103

2 files changed

Lines changed: 18 additions & 8 deletions

File tree

kukkuu/settings.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -292,6 +292,7 @@
292292
CSP.SELF,
293293
"fonts.googleapis.com",
294294
"fonts.gstatic.com",
295+
"data:", # /graphql/ endpoint uses "data:font/woff2"
295296
]
296297

297298
# CSP_IMG_SRC includes sources for images fetched by `SpectacularRedocView`

kukkuu/urls.py

Lines changed: 17 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
from csp.decorators import csp_update
12
from django.conf import settings
23
from django.conf.urls.static import static
34
from django.http import JsonResponse
@@ -11,6 +12,7 @@
1112
from common.utils import get_api_version
1213
from custom_health_checks.views import HealthCheckJSONView
1314
from kukkuu import __version__
15+
from kukkuu.consts import CSP
1416
from kukkuu.views import SentryGraphQLView
1517
from reports.api import ChildViewSet, EventGroupViewSet, EventViewSet, VenueViewSet
1618

@@ -24,17 +26,24 @@
2426
router.register(r"event-group", EventGroupViewSet)
2527
router.register(r"venue", VenueViewSet)
2628

29+
IS_GRAPHIQL_ENABLED = settings.ENABLE_GRAPHIQL or settings.DEBUG
30+
31+
32+
# Add unsafe-inline to enable GraphiQL interface at /graphql/
33+
@csp_update(
34+
SCRIPT_SRC=settings.CSP_SCRIPT_SRC
35+
+ ([CSP.UNSAFE_INLINE] if IS_GRAPHIQL_ENABLED else [])
36+
)
37+
@csrf_exempt
38+
def graphql_view(request, *args, **kwargs):
39+
return SentryGraphQLView.as_view(graphiql=IS_GRAPHIQL_ENABLED)(
40+
request, *args, **kwargs
41+
)
42+
2743

2844
urlpatterns = [
2945
path("admin/", admin.site.urls),
30-
re_path(
31-
r"^graphql/?$",
32-
csrf_exempt(
33-
SentryGraphQLView.as_view(
34-
graphiql=settings.ENABLE_GRAPHIQL or settings.DEBUG
35-
)
36-
),
37-
),
46+
re_path(r"^graphql/?$", graphql_view),
3847
path("reports/", include(router.urls)),
3948
path("reports/schema/", SpectacularAPIView.as_view(), name="schema"),
4049
path(

0 commit comments

Comments
 (0)