From 893641212067e78319606a0fc9502c982d92bf1c Mon Sep 17 00:00:00 2001
From: William Moore
Date: Mon, 15 Jan 2024 14:39:29 +0000
Subject: [PATCH] Add some initial CSP settings to test

---
 omeroweb/settings.py | 22 +++++++++++++++++++++-
 setup.py | 1 +
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/omeroweb/settings.py b/omeroweb/settings.py
index 47a87caf1e..b96be8ca88 100755
--- a/omeroweb/settings.py
+++ b/omeroweb/settings.py
@@ -372,7 +372,9 @@ def check_session_engine(s):
 '{"index": 5, '
 '"class": "django.contrib.messages.middleware.MessageMiddleware"},'
 '{"index": 6, '
- '"class": "django.middleware.clickjacking.XFrameOptionsMiddleware"}'
+ '"class": "django.middleware.clickjacking.XFrameOptionsMiddleware"},'
+ '{"index": 7, '
+ '"class": "csp.middleware.CSPMiddleware"}'
 "]"
 ),
 json.loads,
@@ -1169,6 +1171,24 @@ def check_session_engine(s):
 "Remember to terminate lines with; when necessary."
 ),
 ],
+
+ # Content-Security-Protocol settings: https://django-csp.readthedocs.io/en/latest/configuration.html
+ # default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'
+ "omero.web.csp_default_src": [
+ "CSP_DEFAULT_SRC", '["\'self\'"]', json.loads, "Set the CSP default-src directive",
+ ],
+ "omero.web.csp_script_src": [
+ "CSP_SCRIPT_SRC", '["\'self\'"]', json.loads, "Set the CSP script-src directive",
+ ],
+ "omero.web.csp_img_src": [
+ "CSP_IMG_SRC", '["\'self\'"]', json.loads, "Set the CSP img-src directive",
+ ],
+ "omero.web.csp_style_src": [
+ "CSP_STYLE_SRC", '["\'self\'"]', json.loads, "Set the CSP style-src directive",
+ ],
+ "omero.web.csp_base_uri": [
+ "CSP_BASE_URI", '["\'self\'"]', json.loads, "Set the CSP base-uri directive",
+ ],
 }

 DEPRECATED_SETTINGS_MAPPINGS = {
diff --git a/setup.py b/setup.py
index 65f1d02a76..916d6061e1 100755
--- a/setup.py
+++ b/setup.py
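Review bot: The comment header added above the new CSP mappings in the second settings.py hunk contradicts the settings beneath it: it is titled `Content-Security-Protocol` (the header is Content-Security-Policy), it lists `default-src 'none'` while `CSP_DEFAULT_SRC` defaults to `'self'`, and it lists `form-action 'self'` although no `CSP_FORM_ACTION` mapping is added, so a reader cannot tell which policy is actually intended. I'd make the comment describe what is configured, e.g. `# Content-Security-Policy settings: https://django-csp.readthedocs.io/en/latest/configuration.html` followed by `# Defaults: default-src, script-src, img-src, style-src and base-uri all 'self'`, and either add an `omero.web.csp_form_action` entry mapped to `CSP_FORM_ACTION` or drop form-action from the comment. Because `script-src 'self'` and `style-src 'self'` block inline scripts and styles as well as any assets served from another origin, it would also help to document (in the comment or the setting descriptions) that a deployment can roll the policy out with django-csp's `CSP_REPORT_ONLY` before enforcing it. Both settings.py hunks add entries to a settings mapping dict whose start lies outside the hunks.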
@@ -57,6 +57,7 @@ def read(fname):
 "Django>=4.2.3,<4.3",
 "django-pipeline==2.1.0",
 "django-cors-headers==3.7.0",
+ "django-csp",
 "whitenoise>=5.3.0",
 "gunicorn>=19.3",
 "omero-marshal>=0.7.0",
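Review bot: `"django-csp"` is added without any version constraint while its neighbours in this requirements list are pinned (`django-pipeline==2.1.0`, `django-cors-headers==3.7.0`), so the version that ends up installed, and with it the middleware path and `CSP_*` setting names the settings.py changes depend on, is left to whatever the index serves at install time. Later django-csp releases (4.x) replaced the `CSP_*` settings with a single `CONTENT_SECURITY_POLICY` dict, so an unbounded requirement would let the newly added settings silently stop applying after an upgrade. I'd bound it to the series these settings were written against, e.g. `"django-csp>=3.7,<4",`, and pin it exactly if the project keeps its other Django add-ons pinned.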