Skip to content

Commit 8809a8d

Browse files
committed
feat: migrate to django-csp 4.0
Use constants from django-csp-library directly. Refs: PT-1961
1 parent 59c5e71 commit 8809a8d

4 files changed

Lines changed: 25 additions & 46 deletions

File tree

notification_importers/admin.py

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
import importlib
22
import logging
33

4+
from csp.constants import UNSAFE_INLINE
45
from csp.decorators import csp_update
56
from django.conf import settings
67
from django.contrib import admin, messages
@@ -11,8 +12,6 @@
1112
from django_ilmoitin.admin import NotificationTemplateAdmin
1213
from django_ilmoitin.models import NotificationTemplate
1314

14-
from palvelutarjotin.consts import CSP
15-
1615
from .notification_importer import (
1716
AbstractNotificationImporter,
1817
NotificationImporterException,
@@ -113,7 +112,10 @@ def _send_error_message(self, request, message):
113112
# Acecpt CSP_UNSAFE_INLINE for the changeform view to allow
114113
# the preview template to work correctly.
115114
@csp_update(
116-
SCRIPT_SRC=settings.CSP_SCRIPT_SRC + [CSP.UNSAFE_INLINE],
115+
{
116+
"script-src": settings.CONTENT_SECURITY_POLICY["DIRECTIVES"]["script-src"]
117+
+ [UNSAFE_INLINE],
118+
}
117119
)
118120
def changeform_view(self, request, object_id=None, form_url="", extra_context=None):
119121
return super().changeform_view(

palvelutarjotin/consts.py

Lines changed: 0 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -25,16 +25,3 @@
2525
INVALID_TOKEN_ERROR = "INVALID_TOKEN_ERROR"
2626
INVALID_STUDY_GROUP_UNIT_INFO_ERROR = "INVALID_STUDY_GROUP_UNIT_INFO_ERROR"
2727
QUEUEING_NOT_ALLOWED_ERROR = "QUEUEING_NOT_ALLOWED_ERROR"
28-
29-
30-
class CSP:
31-
"""The “special” source values of 'self', 'unsafe-inline', 'unsafe-eval', 'none'
32-
and hash-source ('sha256-...') must be quoted! e.g.: CSP_DEFAULT_SRC = ("'self'",).
33-
Without quotes they will not work as intended.
34-
Ref. https://django-csp.readthedocs.io/en/stable/configuration.html.
35-
"""
36-
37-
SELF = "'self'"
38-
NONE = "'none'"
39-
UNSAFE_INLINE = "'unsafe-inline'"
40-
UNSAFE_EVAL = "'unsafe-eval'"

palvelutarjotin/settings.py

Lines changed: 15 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -5,12 +5,12 @@
55

66
import environ
77
import sentry_sdk
8+
from csp.constants import SELF, UNSAFE_INLINE
89
from django.core.exceptions import ImproperlyConfigured
910
from django.utils.translation import gettext_lazy as _
1011
from sentry_sdk.integrations.django import DjangoIntegration
1112

1213
from palvelutarjotin import __version__
13-
from palvelutarjotin.consts import CSP
1414

1515
checkout_dir = environ.Path(__file__) - 2
1616
assert os.path.exists(checkout_dir("manage.py"))
@@ -269,32 +269,20 @@
269269
CORS_ALLOW_ALL_ORIGINS = env.bool("CORS_ALLOW_ALL_ORIGINS")
270270

271271
# Configure the default CSP rule for different source types
272-
CSP_DEFAULT_SRC = [CSP.SELF]
273-
274-
# CSP_STYLE_SRC includes 'unsafe-inline' for inline styles added by `django-helusers`.
275-
CSP_STYLE_SRC = [
276-
CSP.SELF,
277-
CSP.UNSAFE_INLINE,
278-
"cdn.jsdelivr.net",
279-
"blob:",
280-
]
281-
282-
CSP_SCRIPT_SRC = [
283-
CSP.SELF,
284-
"cdn.jsdelivr.net", # /graphql/ endpoint
285-
"blob:",
286-
]
287-
288-
CSP_FONT_SRC = [
289-
CSP.SELF,
290-
"data:", # /graphql/ endpoint uses "data:font/woff2"
291-
]
292-
293-
CSP_IMG_SRC = [
294-
CSP.SELF,
295-
"blob:",
296-
"data:",
297-
]
272+
CONTENT_SECURITY_POLICY = {
273+
"DIRECTIVES": {
274+
"default-src": [SELF],
275+
"font-src": [SELF, "data:"], # /graphql/ endpoint uses "data:font/woff2"
276+
"img-src": [SELF, "blob:", "data:"],
277+
"script-src": [SELF, "cdn.jsdelivr.net", "blob:"], # /graphql/ endpoint
278+
"style-src": [
279+
SELF,
280+
UNSAFE_INLINE,
281+
"cdn.jsdelivr.net",
282+
"blob:",
283+
], # 'unsafe-inline' needed for `django-helusers`.
284+
}
285+
}
298286

299287
AUTHENTICATION_BACKENDS = [
300288
"axes.backends.AxesBackend",

palvelutarjotin/urls.py

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
from csp.constants import UNSAFE_INLINE
12
from csp.decorators import csp_update
23
from django.conf import settings
34
from django.conf.urls.static import static
@@ -15,7 +16,6 @@
1516
from common.utils import get_api_version
1617
from custom_health_checks.views import HealthCheckJSONView
1718
from palvelutarjotin import __version__
18-
from palvelutarjotin.consts import CSP
1919
from palvelutarjotin.views import SentryGraphQLView
2020

2121
admin.site.index_title = " ".join([gettext("Kultus API"), get_api_version()])
@@ -25,8 +25,10 @@
2525

2626
# Add unsafe-inline to enable GraphiQL interface at /graphql/
2727
@csp_update(
28-
SCRIPT_SRC=settings.CSP_SCRIPT_SRC
29-
+ ([CSP.UNSAFE_INLINE] if IS_GRAPHIQL_ENABLED else [])
28+
{
29+
"script-src": settings.CONTENT_SECURITY_POLICY["DIRECTIVES"]["script-src"]
30+
+ ([UNSAFE_INLINE] if IS_GRAPHIQL_ENABLED else []),
31+
}
3032
)
3133
@csrf_exempt
3234
def graphql_view(request, *args, **kwargs):

0 commit comments

Comments
 (0)