From 6812c95077f2c914a2d3307396a0e834da65e6f5 Mon Sep 17 00:00:00 2001
From: nemo
Date: Mon, 6 Nov 2023 16:02:08 +0100
Subject: [PATCH] Add frame-ancestors and form action policy. Fix scripts broken by CSP.

---
 apimanager/apimanager/settings.py | 8 +++++---
 apimanager/customers/static/customers/css/customers.css | 4 ++++
 apimanager/customers/templates/customers/create.html | 2 +-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/apimanager/apimanager/settings.py b/apimanager/apimanager/settings.py
index 445de42c..16e6c064 100644
--- a/apimanager/apimanager/settings.py
+++ b/apimanager/apimanager/settings.py
@@ -96,10 +96,12 @@
 # Inline styles loaded by jsoneditor.min.js have been allowed by adding their hashes to CSP_STYLE_SRC
-CSP_IMG_SRC = ("'self'", 'https://static.openbankproject.com')
+CSP_IMG_SRC = ("'self' data:", 'https://static.openbankproject.com')
 CSP_STYLE_SRC = ("'self' 'sha256-z2a+NIknPDE7NIEqE1lfrnG39eWOhJXWsXHYGGNb5oU=' 'sha256-Dn0vMZLidJplZ4cSlBMg/F5aa7Vol9dBMHzBF4fGEtk=' 'sha256-sA0hymKbXmMTpnYi15KmDw4u6uRdLXqHyoYIaORFtjU=' 'sha256-jUuiwf3ITuJc/jfynxWHLwTZifHIlhddD8NPmmVBztk=' 'sha256-RqzjtXRBqP4i+ruV3IRuHFq6eGIACITqGbu05VSVXsI='", 'https://cdnjs.cloudflare.com', )
-CSP_SCRIPT_SRC = ("'self'", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com', "'unsafe-hashes'")
-CSP_INCLUDE_NONCE_IN = ['script-src', 'style-src']
+CSP_SCRIPT_SRC = ("'self' 'sha256-4Hr8ttnXaUA4A6o0hGi3NUGNP2Is3Ep0W+rvm+W7BAk=' 'sha256-GgQWQ4Ejk4g9XpAZJ4YxIgZDgp7CdQCmqjMOMh9hD2g=' 'sha256-05NIAwVBHkAzKcXTfkYqTnBPtkpX+AmQvM/raql3qo0='", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com')
+CSP_FONT_SRC = ("'self'", 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/')
+CSP_FRAME_ANCESTORS = ("'self'")
+CSP_FORM_ACTION = ("'self'")
 #cache the view page, we set 60s = 1m, # CACHE_MIDDLEWARE_SECONDS = 60
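Review bot: `CSP_FRAME_ANCESTORS = ("'self'")` and `CSP_FORM_ACTION = ("'self'")` are plain strings, not one-element tuples — the parentheses alone do not make a tuple, and every other CSP_* setting in this hunk is a tuple. If these settings are consumed by django-csp, which builds each directive by joining the value's elements with a space, a bare string is iterated character by character and the emitted directive is malformed (`frame-ancestors ' s e l f '`), so neither the clickjacking protection nor the form-action restriction this commit intends would actually be enforced; write them as `CSP_FRAME_ANCESTORS = ("'self'",)` and `CSP_FORM_ACTION = ("'self'",)` and confirm the header in a response. The new `CSP_FONT_SRC` allowlists an `http://` origin, which permits the fonts to be fetched unencrypted; on an HTTPS deployment the browser's mixed-content rules block that fetch anyway, so an `https://` origin for the same CDN is the one that will work. The three inline-script hashes added to `CSP_SCRIPT_SRC` are undocumented, unlike the style hashes covered by the comment above them; a comment such as `# Inline <script> blocks in <TEMPLATE> are allowed by hash — recompute after editing them` would make it clear that any edit to those scripts silently breaks the policy.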
diff --git a/apimanager/customers/static/customers/css/customers.css b/apimanager/customers/static/customers/css/customers.css
index 94ec9782..d061db41 100644
--- a/apimanager/customers/static/customers/css/customers.css
+++ b/apimanager/customers/static/customers/css/customers.css
@@ -6,3 +6,7 @@ input#id_kyc_status {
 width: auto;
 margin: -4px 0;
 }
+
+.displaynone {
+ display:none;
+}
\ No newline at end of file
diff --git a/apimanager/customers/templates/customers/create.html b/apimanager/customers/templates/customers/create.html
index 9a8d9c20..d2ebf05d 100644
--- a/apimanager/customers/templates/customers/create.html
+++ b/apimanager/customers/templates/customers/create.html
@@ -96,7 +96,7 @@

{% trans "Create Customer" %}

{{ form.date_of_birth_date }} -