Make CSP rules stricter#7630

Open
akatsoulas wants to merge 1 commit into
mozilla:mainfrom
akatsoulas:update-csp

Conversation

@akatsoulas

Collaborator

No description provided.

Comment thread on kitsune/settings.py (the lines under discussion):

    "DIRECTIVES": {
        "default-src": [NONE],
        "script-src": [
            SELF,

@escattone escattone Jun 18, 2026


I think that removing SELF from script-src will break the Django admin console's load of its own JS files. One option to resolve this is to add something like the following middleware that adds SELF but only for the admin URLs:

from csp.constants import SELF
from csp.middleware import CSPMiddleware
...
class AdminCSPMiddleware(CSPMiddleware):
    """
    django-csp middleware that allows same-origin scripts on admin paths.
    """

    def get_policy_parts(self, request, response, report_only=False):
        policy_parts = super().get_policy_parts(request, response, report_only=report_only)
        if not report_only and request.path_info.startswith("/admin/"):
            # Merge into any update dict already attached to the response
            # (e.g. by @csp_update) instead of replacing it, so per-view
            # additions survive. Values may be a string or a list.
            update = dict(policy_parts.update or {})
            existing = update.get("script-src", [])
            if isinstance(existing, str):
                existing = [existing]
            update["script-src"] = [*existing, SELF]
            policy_parts.update = update
        return policy_parts
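
A dependency-free sketch of the same approach, added here as an example and not code from the PR or from django-csp: it mirrors the config/update merge so the resulting header can be compared on admin and non-admin paths, and merges into any pre-existing update dict rather than overwriting it. The SELF/NONE string values, the PolicyParts shape, and the CDN host in the directives are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Stand-ins for csp.constants (assumed values of the real constants).
SELF = "'self'"
NONE = "'none'"

# Constructed base policy in the spirit of the PR: nothing by default,
# scripts only from an explicitly listed host (placeholder hostname).
DIRECTIVES = {
    "default-src": [NONE],
    "script-src": ["https://static.example.invalid"],
}


@dataclass
class PolicyParts:
    """Minimal stand-in for django-csp's PolicyParts (assumed shape)."""
    config: dict = field(default_factory=dict)
    update: Optional[dict] = None


def build_policy(config, update=None):
    """Serialize directives to a CSP header; 'update' appends sources."""
    merged = {name: list(sources) for name, sources in config.items()}
    for name, sources in (update or {}).items():
        if isinstance(sources, str):
            sources = [sources]
        bucket = merged.setdefault(name, [])
        bucket.extend(s for s in sources if s not in bucket)
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in merged.items())


def admin_policy_parts(path_info, base_update=None):
    """Allow same-origin scripts only under /admin/, keeping prior updates."""
    parts = PolicyParts(config=DIRECTIVES, update=base_update)
    if path_info.startswith("/admin/"):
        # Merge, do not overwrite: a view-level update must not be lost.
        update = dict(parts.update or {})
        existing = update.get("script-src", [])
        if isinstance(existing, str):
            existing = [existing]
        update["script-src"] = [*existing, SELF]
        parts.update = update
    return parts


def header_for(path_info, base_update=None):
    """Header value a response for this path would carry."""
    parts = admin_policy_parts(path_info, base_update)
    return build_policy(parts.config, parts.update)
```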
