|
5 | 5 |
|
6 | 6 | import environ |
7 | 7 | import sentry_sdk |
| 8 | +from csp.constants import SELF as CSP_SELF |
| 9 | +from csp.constants import UNSAFE_INLINE as CSP_UNSAFE_INLINE |
8 | 10 | from django.core.exceptions import ImproperlyConfigured |
9 | 11 | from django.utils.translation import gettext_lazy as _ |
10 | 12 | from sentry_sdk.integrations.django import DjangoIntegration |
11 | 13 |
|
12 | 14 | from palvelutarjotin import __version__ |
13 | | -from palvelutarjotin.consts import CSP |
14 | 15 |
|
15 | 16 | checkout_dir = environ.Path(__file__) - 2 |
16 | 17 | assert os.path.exists(checkout_dir("manage.py")) |
|
268 | 269 | CORS_ALLOWED_ORIGIN_REGEXES = env.list("CORS_ALLOWED_ORIGIN_REGEXES") |
269 | 270 | CORS_ALLOW_ALL_ORIGINS = env.bool("CORS_ALLOW_ALL_ORIGINS") |
270 | 271 |
|
271 | | -# Configure the default CSP rule for different source types |
272 | | -CSP_DEFAULT_SRC = [CSP.SELF] |
273 | | - |
274 | | -# CSP_STYLE_SRC includes 'unsafe-inline' for inline styles added by `django-helusers`. |
275 | | -CSP_STYLE_SRC = [ |
276 | | - CSP.SELF, |
277 | | - CSP.UNSAFE_INLINE, |
278 | | - "cdn.jsdelivr.net", |
279 | | - "blob:", |
280 | | -] |
281 | | - |
282 | | -CSP_SCRIPT_SRC = [ |
283 | | - CSP.SELF, |
284 | | - "cdn.jsdelivr.net", # /graphql/ endpoint |
285 | | - "blob:", |
286 | | -] |
287 | | - |
288 | | -CSP_FONT_SRC = [ |
289 | | - CSP.SELF, |
290 | | - "data:", # /graphql/ endpoint uses "data:font/woff2" |
291 | | -] |
292 | | - |
293 | | -CSP_IMG_SRC = [ |
294 | | - CSP.SELF, |
295 | | - "blob:", |
296 | | - "data:", |
297 | | -] |
| 272 | +# Configure default CSP rules for different source types |
| 273 | +CSP_BLOB = "blob:" |
| 274 | +CSP_DATA = "data:" |
| 275 | +CSP_CDN = "cdn.jsdelivr.net" |
| 276 | + |
| 277 | +CONTENT_SECURITY_POLICY = { |
| 278 | + "DIRECTIVES": { |
| 279 | + "default-src": [CSP_SELF], |
| 280 | + "font-src": [CSP_SELF, CSP_DATA], # /graphql/ endpoint uses "data:font/woff2" |
| 281 | + "img-src": [CSP_SELF, CSP_BLOB, CSP_DATA], |
| 282 | + "script-src": [CSP_SELF, CSP_CDN, CSP_BLOB], # /graphql/ endpoint |
| 283 | + "style-src": [ |
| 284 | + CSP_SELF, |
| 285 | + CSP_UNSAFE_INLINE, |
| 286 | + CSP_CDN, |
| 287 | + CSP_BLOB, |
| 288 | + ], # 'unsafe-inline' needed for `django-helusers`. |
| 289 | + } |
| 290 | +} |
298 | 291 |
|
299 | 292 | AUTHENTICATION_BACKENDS = [ |
300 | 293 | "axes.backends.AxesBackend", |
|
0 commit comments