From 207e30745e8bae13fdbde6c0a2552b936d06a566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20H=C3=A4ttasch?=
 <benjamin.haettasch@fachschaft.informatik.tu-darmstadt.de>
Date: Sat, 8 May 2021 16:39:09 +0200
Subject: [PATCH] Introduce a Content Security Policy (using django-csp as new
 dependency)

Add django-csp to dependencies
Load middleware
Add a config that matches current usage but is otherwise as restrictive as possible
---
 AKPlanning/settings.py | 10 ++++++++++
 requirements.txt       |  1 +
 2 files changed, 11 insertions(+)

diff --git a/AKPlanning/settings.py b/AKPlanning/settings.py
index 1a53cb2b..835a0281 100644
--- a/AKPlanning/settings.py
+++ b/AKPlanning/settings.py
@@ -63,6 +63,7 @@ MIDDLEWARE = [
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
+    'csp.middleware.CSPMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'simple_history.middleware.HistoryRequestMiddleware',
 ]
@@ -194,4 +195,13 @@ DASHBOARD_RECENT_MAX = 25
 SIMPLE_BACKEND_REDIRECT_URL = "/user/"
 LOGIN_REDIRECT_URL = SIMPLE_BACKEND_REDIRECT_URL
 
+# Content Security Policy
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")
+CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "fonts.googleapis.com")
+CSP_IMG_SRC = ("*", "data:")
+CSP_MEDIA_SRC = ("*", )
+CSP_FRAME_SRC = ("'self'", )
+CSP_FONT_SRC = ("'self'", "data:", "fonts.gstatic.com")
+
 include(optional("settings/*.py"))
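Review bot: `CSP_SCRIPT_SRC` still carries `'unsafe-inline'`, which lets any injected inline `<script>` execute and therefore gives up most of the XSS mitigation the policy is meant to add; `'self'` alone does not help while that keyword is present. django-csp supports per-request nonces (`CSP_INCLUDE_NONCE_IN = ("script-src",)` with `nonce="{{ request.csp_nonce }}"` on the inline script tags in the templates), which would allow dropping `'unsafe-inline'` from script-src; if the inline scripts cannot be migrated in this commit, the `# Content Security Policy` comment should record that it is a deliberate stopgap, e.g. `# 'unsafe-inline' is needed by inline template scripts; TODO(csp): switch to nonces (CSP_INCLUDE_NONCE_IN) and remove it`. Consider also adding `CSP_FRAME_ANCESTORS = ("'self'",)` next to the existing XFrameOptionsMiddleware, since frame-ancestors does not inherit from default-src and is otherwise left unrestricted by this policy. Because the commit message says the policy only "matches current usage", shipping it first with `CSP_REPORT_ONLY = True` and a `CSP_REPORT_URI` would surface anything the policy blocks before enforcement, and the trailing `include(optional("settings/*.py"))` gives deployments a place to flip that switch.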
diff --git a/requirements.txt b/requirements.txt
index 176ecddc..2d21e5a5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,5 +8,6 @@ django-simple-history==3.0.0
 django-registration-redux==2.9
 django-debug-toolbar==3.2.1
 django-bootstrap-datepicker-plus==3.0.5
+django-csp==3.7
 mysqlclient==2.0.3  # for production deployment
 pytz==2021.1
-- 
GitLab