task WI-46: Setup CMS using django-csp #672

Draft
wants to merge 1 commit into
base: main

Conversation

@chandra-tacc chandra-tacc commented Jul 14, 2023

Overview

To become a fully secure site, adding a detailed Content Security Policy is needed.
This uses django-csp to enable CSP.

Related

Changes

This PR adds CSP headers for

  • font src
  • script src
  • style src
  • connect src

Also, ensure the current script tags use nonce.
The setup right now is in "report only" mode to allow for opt-in and a fully functional app.

Testing

  1. Validated the site through the UI and by reducing console warnings.

UI

No UI change.

Notes:

At this point, because CSP could break the app, this PR is in draft mode. Other mitigations are deployed via TACC/Camino#32
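The description above covers three moving parts: a report-only header so nothing is enforced yet, a per-request nonce appended to script-src, and a check that every existing script tag actually carries that nonce. The block below is an added example (not code from this PR, from django-csp, or from the project) that re-implements those three steps in plain Python so they can be run offline. The setting names follow the django-csp 3.x style (CSP_<DIRECTIVE>, CSP_INCLUDE_NONCE_IN, CSP_REPORT_ONLY, CSP_REPORT_URI); the directive values, the report endpoint and the sample HTML are assumptions for illustration, not what this PR ships.

```python
"""Illustrative re-implementation of what a CSP middleware does:
settings -> header (report-only, as in this PR), a fresh nonce per
request, and an audit of rendered HTML for <script> tags missing it.
Added example, not django-csp's or the project's code. Stdlib only."""
import base64
import secrets
from html.parser import HTMLParser

# django-csp 3.x style setting names. The values are assumed for
# illustration; the PR's real allow-lists are not shown on the page.
CSP_SETTINGS = {
    "CSP_DEFAULT_SRC": ("'self'",),
    "CSP_FONT_SRC": ("'self'", "https://fonts.gstatic.com"),
    "CSP_SCRIPT_SRC": ("'self'",),
    "CSP_STYLE_SRC": ("'self'", "https://fonts.googleapis.com"),
    "CSP_CONNECT_SRC": ("'self'",),
    "CSP_INCLUDE_NONCE_IN": ("script-src",),  # nonce only on scripts
    "CSP_REPORT_ONLY": True,                   # report, do not enforce
    "CSP_REPORT_URI": "/csp-report/",          # assumed endpoint
}


def make_nonce() -> str:
    """128 bits from the CSPRNG, base64-encoded as CSP expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp_header(settings: dict, nonce: str) -> tuple:
    """Return (header_name, header_value) for one request."""
    directives = []
    for key, sources in settings.items():
        if not key.endswith("_SRC"):
            continue
        # CSP_FONT_SRC -> font-src
        name = key[len("CSP_"):].lower().replace("_", "-")
        values = list(sources)
        if name in settings.get("CSP_INCLUDE_NONCE_IN", ()):
            values.append(f"'nonce-{nonce}'")
        directives.append(f"{name} {' '.join(values)}")
    if settings.get("CSP_REPORT_URI"):
        directives.append(f"report-uri {settings['CSP_REPORT_URI']}")
    header = ("Content-Security-Policy-Report-Only"
              if settings.get("CSP_REPORT_ONLY")
              else "Content-Security-Policy")
    return header, "; ".join(directives)


class _ScriptNonceAuditor(HTMLParser):
    """Collect <script> tags whose nonce is absent or does not match."""

    def __init__(self, nonce: str):
        super().__init__()
        self.nonce = nonce
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        line, _ = self.getpos()
        if "nonce" not in attrs:
            self.findings.append((line, "script without nonce attribute"))
        elif attrs["nonce"] != self.nonce:
            self.findings.append((line, "script nonce does not match header"))


def audit_script_nonces(html: str, nonce: str) -> list:
    """Stricter than the browser on purpose: a same-origin src= script is
    already allowed by 'self', but nonce-ing every tag is what lets you
    later drop 'self' in favour of 'strict-dynamic'."""
    parser = _ScriptNonceAuditor(nonce)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, as a template using {{ request.csp_nonce }}
# would render it: one correct tag, one inline tag without a nonce, and
# one tag carrying a nonce from a previous response.
SAMPLE_NONCE = make_nonce()
SAMPLE_HTML = f"""<!doctype html>
<html><head>
<script nonce="{SAMPLE_NONCE}" src="/static/js/app.js"></script>
<script>window.inline = 1;</script>
<script nonce="stale-nonce">window.other = 2;</script>
</head><body></body></html>"""


if __name__ == "__main__":
    name, value = build_csp_header(CSP_SETTINGS, SAMPLE_NONCE)
    print(f"{name}: {value}")
    for line, reason in audit_script_nonces(SAMPLE_HTML, SAMPLE_NONCE):
        print(f"line {line}: {reason}")
```

Flipping CSP_REPORT_ONLY to False is the only change needed to move from reporting to enforcing, so the audit is worth running against every rendered template before that flip: a tag the audit flags in report-only mode becomes a blocked script in enforce mode.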

@wesleyboar wesleyboar added the paused Started but not actively in progress label Jul 14, 2023
@wesleyboar wesleyboar added the priority ━ Medium priority label Nov 13, 2023
@wesleyboar

Seems important, but I have not heard a request to revisit this, so I'm marking this "medium" priority.

@wesleyboar wesleyboar left a comment

Do <link> elements actually use nonce?

  • W3.org states "Nonce sources require a new nonce attribute to be added to both script and style elements."
  • The MDN nonce page does not mention <link>. Only <script> and <style>.

I've created a merge conflict resolution for review — #745 — but it has a bug.
