author | Jelle van der Waa <jelle@vdwaa.nl> | 2019-01-29 16:42:54 +0100 |
---|---|---|
committer | Jelle van der Waa <jelle@archlinux.org> | 2019-02-18 16:42:51 +0100 |
commit | 3525458926dfa47e6c7bcedb4304cc243e78d47a (patch) | |
tree | 413b8c898c71fd6a07c797193768eaaf0071e80a | |
parent | 6b22bedd82ae69a54f15c2f5f64f9f3945e5fb43 (diff) |
Implement CSP for archweb
Add django-csp as dependency to be able to set CSP inside django's
settings and to allow setting a CSP_NONCE on inline <script>s in
templates. Since archweb heavily uses this pattern, this is the best
compromise.
-rw-r--r-- | requirements.txt | 1 | ||||
-rw-r--r-- | settings.py | 8 | ||||
-rw-r--r-- | templates/devel/clock.html | 2 | ||||
-rw-r--r-- | templates/devel/index.html | 2 | ||||
-rw-r--r-- | templates/devel/packages.html | 2 | ||||
-rw-r--r-- | templates/devel/profile.html | 2 | ||||
-rw-r--r-- | templates/mirrors/mirror_details.html | 2 | ||||
-rw-r--r-- | templates/mirrors/mirrors.html | 2 | ||||
-rw-r--r-- | templates/mirrors/status.html | 2 | ||||
-rw-r--r-- | templates/mirrors/url_details.html | 2 | ||||
-rw-r--r-- | templates/news/add.html | 2 | ||||
-rw-r--r-- | templates/packages/details.html | 2 | ||||
-rw-r--r-- | templates/packages/differences.html | 2 | ||||
-rw-r--r-- | templates/packages/groups.html | 2 | ||||
-rw-r--r-- | templates/packages/packages_list.html | 2 | ||||
-rw-r--r-- | templates/packages/signoffs.html | 2 | ||||
-rw-r--r-- | templates/packages/stale_relations.html | 2 | ||||
-rw-r--r-- | templates/public/keys.html | 2 | ||||
-rw-r--r-- | templates/registration/login.html | 2 | ||||
-rw-r--r-- | templates/releng/release_list.html | 2 | ||||
-rw-r--r-- | templates/todolists/list.html | 2 | ||||
-rw-r--r-- | templates/todolists/view.html | 2 | ||||
-rw-r--r-- | templates/visualize/index.html | 2 |
23 files changed, 30 insertions, 21 deletions
diff --git a/requirements.txt b/requirements.txt index 515471ba..56f4bd0a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -10,3 +10,4 @@ pytz>=2017.3 parse==1.11.1 django-jinja==2.4.1 sqlparse==0.2.4 +django-csp==3.5 diff --git a/settings.py b/settings.py index 10114f11..17377c25 100644 --- a/settings.py +++ b/settings.py @@ -53,6 +53,7 @@ MIDDLEWARE = ( 'django.middleware.clickjacking.XFrameOptionsMiddleware', 'django.middleware.security.SecurityMiddleware', 'django.middleware.http.ConditionalGetMiddleware', + 'csp.middleware.CSPMiddleware', ) # Base of the URL hierarchy @@ -92,6 +93,12 @@ SECURE_CONTENT_TYPE_NOSNIFF = True # X-XSS-Protection, enables cross-site scripting filter in most browsers SECURE_BROWSER_XSS_FILTER = True +# CSP Settings +CSP_DEFAULT_SRC = ("'self'",) +CSP_SCRIPT_SRC = ("'self'",) +CSP_INCLUDE_NONCE_IN = ['script-src'] +CSP_IMG_SRC = ("'self'", 'data:',) + # Use new test runner TEST_RUNNER = 'django.test.runner.DiscoverRunner' @@ -194,6 +201,7 @@ TEMPLATES = [ 'django.contrib.auth.context_processors.auth', 'django.template.context_processors.debug', 'django.contrib.messages.context_processors.messages', + 'csp.context_processors.nonce', ], } } diff --git a/templates/devel/clock.html b/templates/devel/clock.html index 2c5bfacf..88cc93e7 100644 --- a/templates/devel/clock.html +++ b/templates/devel/clock.html @@ -61,7 +61,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $("#clocks-table:has(tbody tr)").tablesorter({ widgets: ['zebra'], diff --git a/templates/devel/index.html b/templates/devel/index.html index dfe1d1fa..4f788d6d 100644 --- a/templates/devel/index.html +++ b/templates/devel/index.html 
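Review bot: `CSP_SCRIPT_SRC = ("'self'",)` admits only same-origin script files plus the nonce'd inline blocks, yet every template touched by this commit pulls jQuery through `{% load cdn %}{% jquery %}`; if that tag emits a third-party host, as a "cdn" helper typically does, the library load is refused and every `$(document).ready` block in these pages stops working. Confirm the tag resolves to a local static path, or add the host it emits to `CSP_SCRIPT_SRC`. Since the policy is enforced immediately, consider landing it with `CSP_REPORT_ONLY = True` (and a `CSP_REPORT_URI`) first so violations surface before they break pages.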
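Review bot: `csp.context_processors.nonce` is added to a single `TEMPLATES` backend, but requirements.txt already pins django-jinja, so if settings.py also declares a `django_jinja` backend for other templates, `CSP_NONCE` is undefined there, `nonce=` renders empty and those inline scripts are blocked. Confirm every backend that renders a nonce'd template lists the processor; the hunk shows only the tail of the context-processor list, so the backend name is outside it.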
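Review bot: the `nonce` attribute is written unquoted, `nonce={{ CSP_NONCE }}`, in templates/devel/clock.html and in every other template of this commit except templates/packages/details.html, which uses `nonce="{{ CSP_NONCE }}"`. django-csp's nonce is base64 and so can end in `=` padding, which inside an unquoted attribute value is a tolerated HTML parse error; quoting also keeps the attribute intact if the value format ever changes. Use `<script type="text/javascript" nonce="{{ CSP_NONCE }}">` in all of them for consistency.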
@@ -167,7 +167,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $("#stats-message").html('Loading developer stats…'); $("#stats-area").load('stats/', function(response, status, xhr) { diff --git a/templates/devel/packages.html b/templates/devel/packages.html index c75f81eb..762fc6f0 100644 --- a/templates/devel/packages.html +++ b/templates/devel/packages.html @@ -78,7 +78,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $(".results").tablesorter({widgets: ['zebra']}); }); diff --git a/templates/devel/profile.html b/templates/devel/profile.html index acdc22a9..50bb33dd 100644 --- a/templates/devel/profile.html +++ b/templates/devel/profile.html @@ -29,7 +29,7 @@ {% block script_block %} {% load cdn %}{% jquery %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> modify_attributes({ '#id_email': {type: 'email'}, '#id_alias': {autocorrect: 'off', autocapitalize: 'off'}, diff --git a/templates/mirrors/mirror_details.html b/templates/mirrors/mirror_details.html index 0c0d5559..05a4b0da 100644 --- a/templates/mirrors/mirror_details.html +++ b/templates/mirrors/mirror_details.html 
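Review bot: `$("#stats-area").load('stats/', ...)` inserts a server-rendered fragment, and jQuery executes any `<script>` found in such a fragment itself, without the page's nonce, so under the new nonce-based `script-src` those scripts are refused. If the stats/ view emits inline scripts, move that logic into this nonce'd block or strip scripts from the fragment; if it emits none, nothing changes. The surrounding `script_block` continues past the hunk.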
@@ -115,7 +115,7 @@ <script type="text/javascript" src="{% static "d3-3.0.6.min.js" %}"></script> <script type="text/javascript" src="{% static "archweb.js" %}"></script> <script type="text/javascript" src="{% static "mirror_status.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $("#available_urls:has(tbody tr)").tablesorter( {widgets: ['zebra'], sortList: [[1,0], [2,0]], diff --git a/templates/mirrors/mirrors.html b/templates/mirrors/mirrors.html index 7da11268..55eb0f8c 100644 --- a/templates/mirrors/mirrors.html +++ b/templates/mirrors/mirrors.html @@ -47,7 +47,7 @@ </div> {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $(".results").tablesorter({widgets: ['zebra'], sortList: [[2,0], [0,0]]}); }); diff --git a/templates/mirrors/status.html b/templates/mirrors/status.html index 39d68460..fb318480 100644 --- a/templates/mirrors/status.html +++ b/templates/mirrors/status.html @@ -77,7 +77,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { var headers = { 4: { sorter: 'duration' }, 5: { sorter: 'mostlydigit' }, 6: { sorter: 'mostlydigit' }, 7: { sorter: 'mostlydigit' }, diff --git a/templates/mirrors/url_details.html b/templates/mirrors/url_details.html index 2454eda4..6e64b08c 100644 --- a/templates/mirrors/url_details.html +++ b/templates/mirrors/url_details.html 
@@ -64,7 +64,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $("#check_logs:has(tbody tr)").tablesorter( {widgets: ['zebra'], sortList: [[0,1]], diff --git a/templates/news/add.html b/templates/news/add.html index 51094659..f171b503 100644 --- a/templates/news/add.html +++ b/templates/news/add.html @@ -35,7 +35,7 @@ </div> {% load cdn %}{% jquery %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(enablePreview); </script> {% endblock %} diff --git a/templates/packages/details.html b/templates/packages/details.html index 2851abd6..768ce43f 100644 --- a/templates/packages/details.html +++ b/templates/packages/details.html @@ -11,7 +11,7 @@ {% block script_block %} {% load cdn %}{% jquery %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce="{{ CSP_NONCE }}"> $(document).ready(function() { ajaxifyFiles(); collapseDependsList("#pkgdepslist"); diff --git a/templates/packages/differences.html b/templates/packages/differences.html index 30750798..c650c6e8 100644 --- a/templates/packages/differences.html +++ b/templates/packages/differences.html @@ -42,7 +42,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $('#table_multilib_differences').tablesorter({widgets: ['zebra'], sortList: [[5, 0]]}); }); diff --git a/templates/packages/groups.html b/templates/packages/groups.html index c135791f..9f9fef35 100644 
--- a/templates/packages/groups.html +++ b/templates/packages/groups.html @@ -34,7 +34,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $(".results").tablesorter({widgets: ['zebra'], sortList: [[1,0], [0,0]]}); }); diff --git a/templates/packages/packages_list.html b/templates/packages/packages_list.html index 3dcc03dc..72311235 100644 --- a/templates/packages/packages_list.html +++ b/templates/packages/packages_list.html @@ -45,7 +45,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $(".results").tablesorter({widgets: ['zebra'], sortList: [[2,0]]}); }); diff --git a/templates/packages/signoffs.html b/templates/packages/signoffs.html index 9f6437c2..e2214845 100644 --- a/templates/packages/signoffs.html +++ b/templates/packages/signoffs.html @@ -82,7 +82,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $('.results').tablesorter({widgets: ['zebra'], sortList: [[0,0]], headers: { 5: { sorter: 'epochdate' }, 7: { sorter: false }, 8: {sorter: false } } }); diff --git a/templates/packages/stale_relations.html b/templates/packages/stale_relations.html index 218ddb3e..8aec424d 100644 --- a/templates/packages/stale_relations.html +++ b/templates/packages/stale_relations.html 
@@ -114,7 +114,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $('#inactive-user:not(:has(tbody tr.empty))').tablesorter({widgets: ['zebra'], headers: { 0: { sorter: false }, 2: { sorter: false } }, sortList: [[1,0]]}); $('#missing-pkgbase:not(:has(tbody tr.empty))').tablesorter({widgets: ['zebra'], headers: { 0: { sorter: false } }, sortList: [[1,0]]}); diff --git a/templates/public/keys.html b/templates/public/keys.html index 37d5b232..978abaab 100644 --- a/templates/public/keys.html +++ b/templates/public/keys.html @@ -139,7 +139,7 @@ <script type="text/javascript" src="{% static "d3-3.0.6.min.js" %}"></script> <script type="text/javascript" src="{% static "archweb.js" %}"></script> <script type="text/javascript" src="{% static "visualize.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $("#key-status").tablesorter({ sortLocaleCompare: true, diff --git a/templates/registration/login.html b/templates/registration/login.html index b5894319..f9acbe99 100644 --- a/templates/registration/login.html +++ b/templates/registration/login.html @@ -20,7 +20,7 @@ {% block script_block %} {% load cdn %}{% jquery %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> modify_attributes({ '#id_username': {autocorrect: 'off', autocapitalize: 'off'} }); diff --git a/templates/releng/release_list.html b/templates/releng/release_list.html index bca30042..44d94f14 100644 --- a/templates/releng/release_list.html +++ b/templates/releng/release_list.html 
@@ -57,7 +57,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $(".results").tablesorter({ widgets: ['zebra'], diff --git a/templates/todolists/list.html b/templates/todolists/list.html index 04676812..042ff602 100644 --- a/templates/todolists/list.html +++ b/templates/todolists/list.html @@ -56,7 +56,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { // I'm not sure why it didn't autodetect digit, but it has to be explicit // http://stackoverflow.com/questions/302749/jquery-tablesorter-problem diff --git a/templates/todolists/view.html b/templates/todolists/view.html index 8360533b..b5d69459 100644 --- a/templates/todolists/view.html +++ b/templates/todolists/view.html @@ -112,7 +112,7 @@ {% block script_block %} {% load cdn %}{% jquery %}{% jquery_tablesorter %} <script type="text/javascript" src="{% static "archweb.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { $(".results").tablesorter({ widgets: ['zebra'], diff --git a/templates/visualize/index.html b/templates/visualize/index.html index 446bdebe..5b992ea4 100644 --- a/templates/visualize/index.html +++ b/templates/visualize/index.html 
@@ -30,7 +30,7 @@ <script type="text/javascript" src="{% static "d3-3.0.6.min.js" %}"></script> <script type="text/javascript" src="{% static "archweb.js" %}"></script> <script type="text/javascript" src="{% static "visualize.js" %}"></script> -<script type="text/javascript"> +<script type="text/javascript" nonce={{ CSP_NONCE }}> $(document).ready(function() { var orderings = { "repo": { url: "{% url 'visualize-byrepo' %}", color_attr: "repo" }, |