Fix more issues related to CSP and Vite

TACC · Jul 12, 2023 · db8bc6b · db8bc6b
1 parent 9527992
commit db8bc6b
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/client/vite.config.ts b/client/vite.config.ts
@@ -11,6 +11,24 @@ export default defineConfig({
   plugins: [
     {...eslint({include: 'src/**/*.+(js|jsx|ts|tsx)', fix: false}), enforce: 'pre', },
     react(),
+    {
+      name: "html-inject-nonce-into-script-tag",
+      enforce: "post",
+      transformIndexHtml(html: string) {
+          const regex = /<script(.*?)/gi;
+          const replacement = '<script nonce="{{ CSP_NONCE }}"$1';
+          return html.replace(regex, replacement);
+      },
+    },
+    {
+      name: "html-inject-nonce-into-link-tag",
+      enforce: "post",
+      transformIndexHtml(html: string) {
+          const regex = /<link(.*?)/gi;
+          const replacement = '<link nonce="{{ CSP_NONCE }}"$1';
+          return html.replace(regex, replacement);
+      },
+    },
   ],
 
   resolve: {

diff --git a/server/portal/settings/settings.py b/server/portal/settings/settings.py
@@ -713,12 +713,15 @@
 """
 CSP_CONNECT_SRC = [
     "'self'",
+    "ws:",
+    "wss:",
     "*.google-analytics.com",
     "*.googletagmanager.com"
 ]
 CSP_DEFAULT_SRC = ["'none'"]
 CSP_FONT_SRC = [
     "'self'",
+    "data:",
     "*.bootstrapcdn.com",
     "cdnjs.cloudflare.com",
 	"*.googleapis.com",
@@ -745,6 +748,9 @@
 
 CSP_INCLUDE_NONCE_IN = ['script-src', 'style-src']
 
+# By default report only until all issues are resolved
+CSP_REPORT_ONLY = True
+
 """
 SETTINGS: LOCAL OVERRIDES
 """

diff --git a/server/portal/settings/settings_default.py b/server/portal/settings/settings_default.py
@@ -6,7 +6,7 @@
 # DJANGO SETTINGS COMMON
 ########################
 
-_DEBUG = False
+_DEBUG = True
 
 # Namespace for portal
 _PORTAL_NAMESPACE = 'CEP'