Add some initial CSP settings to test

omeroweb/settings.py

@@ -372,7 +372,9 @@ def check_session_engine(s):
             '{"index": 5, '
             '"class": "django.contrib.messages.middleware.MessageMiddleware"},'
             '{"index": 6, '
-            '"class": "django.middleware.clickjacking.XFrameOptionsMiddleware"}'
+            '"class": "django.middleware.clickjacking.XFrameOptionsMiddleware"},'
+            '{"index": 7, '
+            '"class": "csp.middleware.CSPMiddleware"}'
             "]"
         ),
         json.loads,
@@ -1169,6 +1171,24 @@ def check_session_engine(s):
             "Remember to terminate lines with; when necessary."
         ),
     ],
+
+    # Content-Security-Protocol settings: https://django-csp.readthedocs.io/en/latest/configuration.html
+    # default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'
+    "omero.web.csp_default_src": [
+        "CSP_DEFAULT_SRC", '["\'self\'"]', json.loads, "Set the CSP default-src directive",
+    ],
+    "omero.web.csp_script_src": [
+        "CSP_SCRIPT_SRC", '["\'self\'"]', json.loads, "Set the CSP script-src directive",
+    ],
+    "omero.web.csp_img_src": [
+        "CSP_IMG_SRC", '["\'self\'"]', json.loads, "Set the CSP img-src directive",
+    ],
+    "omero.web.csp_style_src": [
+        "CSP_STYLE_SRC", '["\'self\'"]', json.loads, "Set the CSP style-src directive",
+    ],
+    "omero.web.csp_base_uri": [
+        "CSP_BASE_URI", '["\'self\'"]', json.loads, "Set the CSP base-uri directive",
+    ],
 }
 
 DEPRECATED_SETTINGS_MAPPINGS = {

setup.py

@@ -57,6 +57,7 @@ def read(fname):
         "Django>=4.2.3,<4.3",
         "django-pipeline==2.1.0",
         "django-cors-headers==3.7.0",
+        "django-csp",
         "whitenoise>=5.3.0",
         "gunicorn>=19.3",
         "omero-marshal>=0.7.0",