|
6 | 6 |
|
7 | 7 | import environ |
8 | 8 | import sentry_sdk |
| 9 | +from csp.constants import SELF, UNSAFE_EVAL, UNSAFE_INLINE |
9 | 10 | from django.core.exceptions import ImproperlyConfigured |
10 | 11 | from django.utils.translation import gettext_lazy as _ |
11 | 12 | from helusers.defaults import SOCIAL_AUTH_PIPELINE # noqa: F401 |
12 | 13 | from jose import ExpiredSignatureError |
13 | 14 | from sentry_sdk.integrations.django import DjangoIntegration |
14 | 15 | from sentry_sdk.types import Event, Hint |
15 | 16 |
|
16 | | -from kukkuu.consts import CSP |
17 | 17 | from kukkuu.exceptions import AuthenticationExpiredError |
18 | 18 | from kukkuu.tests.utils.jwt_utils import is_valid_256_bit_key |
19 | 19 |
|
@@ -327,42 +327,36 @@ def sentry_before_send(event: Event, hint: Hint): |
327 | 327 | CORS_ALLOWED_ORIGIN_REGEXES = env("CORS_ALLOWED_ORIGIN_REGEXES") |
328 | 328 | CORS_ALLOW_ALL_ORIGINS = env("CORS_ALLOW_ALL_ORIGINS") |
329 | 329 |
|
330 | | -# Configure the default CSP rule for different source types |
331 | | -CSP_DEFAULT_SRC = ["'self'"] |
332 | 330 |
|
333 | | -# CSP_STYLE_SRC includes 'unsafe-inline' for inline styles added by `django-helusers` |
334 | | -# and `SpectacularRedocView`. |
335 | | -CSP_STYLE_SRC = [ |
336 | | - CSP.SELF, |
337 | | - CSP.UNSAFE_INLINE, |
338 | | - "cdn.jsdelivr.net", |
339 | | - "fonts.googleapis.com", |
340 | | -] |
341 | | - |
342 | | -# CSP_SCRIPT_SRC includes 'unsafe-eval' for inline scripts added by |
343 | | -# `SpectacularRedocView` |
344 | | -CSP_SCRIPT_SRC = [ |
345 | | - CSP.SELF, |
346 | | - CSP.UNSAFE_EVAL, |
347 | | - "cdn.jsdelivr.net", |
348 | | - "blob:", |
349 | | -] |
350 | | - |
351 | | -# CSP_FONT_SRC includes Google fonts fetched by `SpectacularRedocView` |
352 | | -CSP_FONT_SRC = [ |
353 | | - CSP.SELF, |
354 | | - "fonts.googleapis.com", |
355 | | - "fonts.gstatic.com", |
356 | | - "data:", # /graphql/ endpoint uses "data:font/woff2" |
357 | | -] |
358 | | - |
359 | | -# CSP_IMG_SRC includes sources for images fetched by `SpectacularRedocView` |
360 | | -CSP_IMG_SRC = [ |
361 | | - CSP.SELF, |
362 | | - "cdn.redoc.ly", |
363 | | - "blob:", |
364 | | - "data:", |
365 | | -] |
| 331 | +CONTENT_SECURITY_POLICY = { |
| 332 | + "DIRECTIVES": { |
| 333 | + "default-src": [SELF], |
| 334 | + "style-src": [ |
| 335 | + SELF, |
| 336 | + UNSAFE_INLINE, |
| 337 | + "cdn.jsdelivr.net", |
| 338 | + "fonts.googleapis.com", |
| 339 | + ], |
| 340 | + "script-src": [ |
| 341 | + SELF, |
| 342 | + UNSAFE_EVAL, |
| 343 | + "cdn.jsdelivr.net", |
| 344 | + "blob:", |
| 345 | + ], |
| 346 | + "font-src": [ |
| 347 | + SELF, |
| 348 | + "fonts.googleapis.com", |
| 349 | + "fonts.gstatic.com", |
| 350 | + "data:", # /graphql/ endpoint uses "data:font/woff2" |
| 351 | + ], |
| 352 | + "img-src": [ |
| 353 | + SELF, |
| 354 | + "cdn.redoc.ly", |
| 355 | + "blob:", |
| 356 | + "data:", |
| 357 | + ], |
| 358 | + } |
| 359 | +} |
366 | 360 |
|
367 | 361 | AUTH_USER_MODEL = "users.User" |
368 | 362 |
|
|
0 commit comments