Merge pull request #431 from freedomofpress/add_csp

Add CSP for securedrop.org
freedomofpress · Apr 19, 2018 · 7d12099 · 7d12099
2 parents 7fe9d7b + 714f37f
commit 7d12099
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 0 deletions.
diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -14,6 +14,7 @@ defusedxml==0.5.0
 django-allauth-2fa==0.4.4
 django-allauth==0.34.0
 django-anymail[mailgun]==1.4
+django-csp==3.4
 django-debug-toolbar==1.9.1
 django-modelcluster==3.1
 django-otp==0.4.1.1

diff --git a/requirements.in b/requirements.in
@@ -24,5 +24,6 @@ wagtail-metadata
 unittest-xml-reporting
 django-allauth==0.34.0
 django-allauth-2fa
+django-csp
 zxcvbn-python
 safety
diff --git a/requirements.txt b/requirements.txt
@@ -13,6 +13,7 @@ defusedxml==0.5.0         # via python3-openid
 django-allauth-2fa==0.4.4
 django-allauth==0.34.0
 django-anymail[mailgun]==1.4
+django-csp==3.4
 django-modelcluster==3.1
 django-otp==0.4.1.1       # via django-allauth-2fa
 django-recaptcha==1.3.1

diff --git a/securedrop/settings/base.py b/securedrop/settings/base.py
@@ -109,6 +109,9 @@
     # flow is reset if another page is loaded between login and successfully
     # entering two-factor credentials.
     'allauth_2fa.middleware.AllauthTwoFactorMiddleware',
+
+    # Middleware for content security policy
+    'csp.middleware.CSPMiddleware',
 ]
 
 ROOT_URLCONF = 'securedrop.urls'
@@ -346,3 +349,33 @@
         },
     },
 }
+
+# Content Security Policy
+# script:
+# unsafe-eval for client/common/js/common.js:645 and /client/tor/js/torEntry.js:89
+# All for inline scripts in wagtail (admin) login page line 44 and 92
+# style:
+# #1 through #8needed for inline style for svg in sliding-nav:
+# #9 and #10 hashes needed for inline style for modernizr on admin page
+# #11 needed for wagtail admin
+
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = (
+    "'self'",
+    "'unsafe-eval'",
+)
+CSP_STYLE_SRC = (
+    "'self'",
+    "'sha256-kRJHclfjr7e5UYWHxtr0Bzdv2BiUtaSbDQe69HgEqXM='",
+    "'sha256-cMOfJ1K7bmWDFQ9IoI+B6fO37u9xMiBgP1rpm79IayM='",
+    "'sha256-Pf5JUUfhnnTVCCmSWFJ3qi/1j67vD2TeYvr7T6LxfqY='",
+    "'sha256-aJumNcjgS5IN0N559UWLFNCtnIIo3CqO862elt0w1A0='",
+    "'sha256-Rg1ua3eExI+in3cF/PWaHTHMjpiLQz/jTlIXr2kBY38='",
+    "'sha256-Zbh/ZO0Ff1YEynn0zSl56u5itxZmwkCVF3PgnnOm8u4='",
+    "'sha256-4ieA95gpQdpg9JDmuID1CQF8dJ/U0JnDqE4GQecAIdg='",
+    "'sha256-LAw02AamnUpPKuSLFUcg9Kh2SLuqSmaXiiV45Y21f84='",
+)
+CSP_IMG_SRC = ("'self'",)
+CSP_FRAME_SRC = ("'self'",)
+CSP_CONNECT_SRC = ("'self'",)
+CSP_EXCLUDE_URL_PREFIXES = ("/admin", )