
Add frame-ancestors and form action policy. Fix scripts broken by CSP.
nemozak1 committed Nov 6, 2023
1 parent 57e161b commit 6812c95
Showing 3 changed files with 10 additions and 4 deletions.
8 changes: 5 additions & 3 deletions apimanager/apimanager/settings.py
Expand Up @@ -96,10 +96,12 @@

# Inline styles loaded by jsoneditor.min.js have been allowed by adding their hashes to CSP_STYLE_SRC

CSP_IMG_SRC = ("'self'", 'https://static.openbankproject.com')
CSP_IMG_SRC = ("'self' data:", 'https://static.openbankproject.com')
CSP_STYLE_SRC = ("'self' 'sha256-z2a+NIknPDE7NIEqE1lfrnG39eWOhJXWsXHYGGNb5oU=' 'sha256-Dn0vMZLidJplZ4cSlBMg/F5aa7Vol9dBMHzBF4fGEtk=' 'sha256-sA0hymKbXmMTpnYi15KmDw4u6uRdLXqHyoYIaORFtjU=' 'sha256-jUuiwf3ITuJc/jfynxWHLwTZifHIlhddD8NPmmVBztk=' 'sha256-RqzjtXRBqP4i+ruV3IRuHFq6eGIACITqGbu05VSVXsI='", 'https://cdnjs.cloudflare.com', )
CSP_SCRIPT_SRC = ("'self'", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com', "'unsafe-hashes'")
CSP_INCLUDE_NONCE_IN = ['script-src', 'style-src']
CSP_SCRIPT_SRC = ("'self' 'sha256-4Hr8ttnXaUA4A6o0hGi3NUGNP2Is3Ep0W+rvm+W7BAk=' 'sha256-GgQWQ4Ejk4g9XpAZJ4YxIgZDgp7CdQCmqjMOMh9hD2g=' 'sha256-05NIAwVBHkAzKcXTfkYqTnBPtkpX+AmQvM/raql3qo0='", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com')
CSP_FONT_SRC = ("'self'", 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/')
CSP_FRAME_ANCESTORS = ("'self'")
CSP_FORM_ACTION = ("'self'")

#cache the view page, we set 60s = 1m,
# CACHE_MIDDLEWARE_SECONDS = 60
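Review bot: The three SHA-256 hashes added to CSP_SCRIPT_SRC are undocumented, unlike the style hashes explained by the comment above CSP_IMG_SRC, so the next edit to whichever inline scripts they cover will silently break those scripts in the browser; add a comment beside them such as `# Inline scripts in <template names> are allowed via their SHA-256 hashes; recompute after editing them`, naming the templates. The new CSP_SCRIPT_SRC line also still lists `http://code.jquery.com` as a plaintext script origin, which an HTTPS page will block as mixed content and which otherwise lets anyone on the network path inject script — change it to `https://code.jquery.com`, and likewise use `https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/` in CSP_FONT_SRC. Allowing the whole `https://cdnjs.cloudflare.com` host in script-src is flagged by CSP evaluators as a bypass surface because that host serves JSONP and AngularJS builds; pinning the exact library paths, as already done for stackpath, would close it. `CSP_FRAME_ANCESTORS = ("'self'")` and `CSP_FORM_ACTION = ("'self'")` are strings rather than tuples because of the missing trailing comma — django-csp appears to wrap a bare string, but `("'self'",)` keeps them consistent with the other directives and avoids a surprise if that handling changes. If CSP_INCLUDE_NONCE_IN is being removed, as the rendering suggests, any template still reading `request.csp_nonce` will emit an empty nonce attribute, which is worth confirming before merge.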
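--- a/apimanager/customers/static/customers/css/customers.css
+++ b/apimanager/customers/static/customers/css/customers.css
@@ -6,3 +6,7 @@ input#id_kyc_status {
 width: auto;
 margin: -4px 0;
 }
+
+.displaynone {
+display:none;
+}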
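--- a/apimanager/customers/templates/customers/create.html
+++ b/apimanager/customers/templates/customers/create.html
@@ -96,7 +96,7 @@ <h1>{% trans "Create Customer" %}</h1>
 {{ form.date_of_birth_date }}
 </div>
 </div>
-<div class="col-xs-12 col-sm-4" style="display:none">
+<div class="col-xs-12 col-sm-4 displaynone">
 {% if form.date_of_birth_time.errors %}<div class="alert alert-danger">{{ form.date_of_birth_time.errors }}</div>{% endif %}
 <div class="form-group">
 {{ form.date_of_birth_time.label_tag }}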
