Skip to content

Make CSP rules stricter #7630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
akatsoulas wants to merge 1 commit into
base: main
Choose a base branch
from
+13 −11
Open

Make CSP rules stricter #7630

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 8 additions & 7 deletions kitsune/settings.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1265,14 +1265,12 @@ def setup_logger(name, formatter_str, level=logging.DEBUG):
"DIRECTIVES": {
"default-src": [NONE],
"script-src": [
SELF,

@escattone escattone Jun 18, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that removing SELF from script-src will break the Django admin console's load of its own JS files. One option to resolve this is to add something like the following middleware that adds SELF but only for the admin URLs:

from csp.constants import SELF
from csp.middleware import CSPMiddleware
...
class AdminCSPMiddleware(CSPMiddleware):
    """
    django-csp middleware that allows same-origin scripts on admin paths.
    """

    def get_policy_parts(self, request, response, report_only=False):
        policy_parts = super().get_policy_parts(request, response, report_only=report_only)
        if not report_only and request.path_info.startswith("/admin/"):
            policy_parts.update = {"script-src": [SELF]}
        return policy_parts

"https://*.mozilla.org",
"https://*.webservices.mozgcp.net",
"https://*.google-analytics.com",
"https://*.googletagmanager.com",
# Third-party scripts injected at runtime without our nonce, so they
# must stay host-allowlisted (don't add 'strict-dynamic').
"https://www.googletagmanager.com",
"https://www.google-analytics.com",
f"https://{MATOMO_MZLA_CDN_HOST}",
"https://pontoon.mozilla.org",
"https://*.jsdelivr.net",
NONCE,
],
"img-src": [
Expand Down Expand Up @@ -1304,7 +1302,6 @@ def setup_logger(name, formatter_str, level=logging.DEBUG):
"style-src": [
SELF,
"https://*.webservices.mozgcp.net",
"https://*.jsdelivr.net",
NONCE,
],
"form-action": [
Expand All @@ -1330,6 +1327,10 @@ def setup_logger(name, formatter_str, level=logging.DEBUG):
if DEBUG:
CONTENT_SECURITY_POLICY["DIRECTIVES"]["style-src"].append(UNSAFE_INLINE)
CONTENT_SECURITY_POLICY["DIRECTIVES"]["script-src"].extend([UNSAFE_INLINE, UNSAFE_EVAL])
# GraphiQL (DEBUG-only) loads from jsDelivr; restrict to /npm/ so arbitrary
# /gh/ repo scripts can't be loaded.
CONTENT_SECURITY_POLICY["DIRECTIVES"]["script-src"].append("https://cdn.jsdelivr.net/npm/")
CONTENT_SECURITY_POLICY["DIRECTIVES"]["style-src"].append("https://cdn.jsdelivr.net/npm/")

# Trusted Contributor Groups
TRUSTED_GROUPS = [
Expand Down
4 changes: 2 additions & 2 deletions kitsune/sumo/jinja2/base.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -377,9 +377,9 @@ <h5 class="mzp-c-footer-heading">{{ _('Mozilla Account') }}</h5>
</footer>
{% if request.LANGUAGE_CODE %}
{% if settings.DEV or settings.TEST %}
<script src="{{ static('jsi18n/{lang}/djangojs.js'|f(lang=request.LANGUAGE_CODE|lower)) }}"></script>
<script src="{{ static('jsi18n/{lang}/djangojs.js'|f(lang=request.LANGUAGE_CODE|lower)) }}" nonce="{{ request.csp_nonce }}"></script>
{% else %}
<script src="{{ static('jsi18n/{lang}/djangojs-min.js'|f(lang=request.LANGUAGE_CODE|lower)) }}"></script>
<script src="{{ static('jsi18n/{lang}/djangojs-min.js'|f(lang=request.LANGUAGE_CODE|lower)) }}" nonce="{{ request.csp_nonce }}"></script>
{% endif %}
{% endif %}

Expand Down
5 changes: 3 additions & 2 deletions kitsune/urls.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,8 +77,9 @@
servestatic,
kwargs={"document_root": settings.ROOT},
),
# GraphiQL
path("graphql", csrf_exempt(GraphQLView.as_view(graphiql=True))),
# GraphiQL IDE loads CDN assets, so enable it only for local dev to keep
# that CDN out of the deployed CSP. The GraphQL endpoint stays available.
path("graphql", csrf_exempt(GraphQLView.as_view(graphiql=settings.DEBUG))),
re_path(
r"^customercare/zendesk/updates/?$",
csrf_exempt(ZendeskWebhookView.as_view()),
Expand Down