From 0d43d4c512e288ad05439138febb7a9fce70d88c Mon Sep 17 00:00:00 2001
From: Jan Brasna <1784648+janbrasna@users.noreply.github.com>
Date: Sun, 10 Nov 2024 00:58:05 +0100
Subject: [PATCH] Restrict CSP a bit more (tighten report-only default-src to self)
---
 bedrock/settings/__init__.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index 221cb57d87d..ed6a5034fba 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -28,16 +28,13 @@
 ]
 _csp_img_src = [
     "data:",
-    "mozilla.org",
     "www.googletagmanager.com",
     "www.google-analytics.com",
     "images.ctfassets.net",
 ]
 _csp_script_src = [
-    # TODO fix things so that we don't need this
+    # TODO change settings so we don't need unsafes even in dev
     csp.constants.UNSAFE_INLINE,
-    # TODO snap.svg.js passes a string to Function() which is
-    # blocked without unsafe-eval. Find a way to remove that.
     csp.constants.UNSAFE_EVAL,
     "www.googletagmanager.com",
     "www.google-analytics.com",
@@ -125,6 +122,7 @@
 CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["report-uri"] = csp_ro_report_uri
 # CSP directive updates we're testing that we hope to move to the enforced policy.
+CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["default-src"] = [csp.constants.SELF]
 CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE]
 CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["style-src"].remove(csp.constants.UNSAFE_INLINE)
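Review bot: Deleting the two-line rationale above `csp.constants.UNSAFE_EVAL` in `_csp_script_src` loses the only record of why that source is needed, and the single replacement TODO above `UNSAFE_INLINE` no longer names any blocker. With both `unsafe-inline` and `unsafe-eval` still in script-src the policy offers little protection against injected script, so each entry should keep its own reason so it can be retired independently; suggest `# TODO needed by snap.svg.js (passes a string to Function()); drop once that is fixed` on the line above `csp.constants.UNSAFE_EVAL`, assuming that dependency is still in use. Removing `"mozilla.org"` from `_csp_img_src` is only safe if no page still loads images from exactly that host, since a bare host source does not match subdomains; the report-only policy should surface any regressions after deploy. The `_csp_script_src` list continues past the end of the hunk.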