Merge branch 'csp' into 'main'

Introduce CSP and update js dependencies accordingly

See merge request !98

AKPlan/urls.py

+from csp.decorators import csp_replace
 from django.urls import path, include
+
 from . import views
 
 app_name = "plan"
@@ -8,7 +10,7 @@ urlpatterns = [
         '<slug:event_slug>/plan/',
         include([
             path('', views.PlanIndexView.as_view(), name='plan_overview'),
-            path('wall/', views.PlanScreenView.as_view(), name='plan_wall'),
+            path('wall/', csp_replace(FRAME_ANCESTORS="*")(views.PlanScreenView.as_view()), name='plan_wall'),
             path('room/<int:pk>/', views.PlanRoomView.as_view(), name='plan_room'),
             path('track/<int:pk>/', views.PlanTrackView.as_view(), name='plan_track'),
         ])

AKPlanning/settings.py

@@ -63,6 +63,7 @@ MIDDLEWARE = [
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
+    'csp.middleware.CSPMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'simple_history.middleware.HistoryRequestMiddleware',
 ]
@@ -153,13 +154,13 @@ BOOTSTRAP4 = {
         "href": STATIC_URL + "common/css/bootstrap.css",
     },
     "javascript_url": {
-        "url": STATIC_URL + "common/vendor/bootstrap/bootstrap-4.3.1.min.js",
+        "url": STATIC_URL + "common/vendor/bootstrap/bootstrap-4.6.0.min.js",
     },
-    "jquery_slim_url": {
-        "url": STATIC_URL + "common/vendor/jquery/jquery-3.3.1.slim.min.js",
+    "jquery_url": {
+        "url": STATIC_URL + "common/vendor/jquery/jquery-3.5.1.min.js",
     },
-    "popper_url": {
-        "url": STATIC_URL + "common/vendor/popper/popper-1.14.7.min.js",
+    "jquery_slim_url": {
+        "url": STATIC_URL + "common/vendor/jquery/jquery-3.5.1.slim.min.js",
     },
 }
 
@@ -194,4 +195,12 @@ DASHBOARD_RECENT_MAX = 25
 SIMPLE_BACKEND_REDIRECT_URL = "/user/"
 LOGIN_REDIRECT_URL = SIMPLE_BACKEND_REDIRECT_URL
 
+# Content Security Policy
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")
+CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "fonts.googleapis.com")
+CSP_IMG_SRC = ("'self'", "data:")
+CSP_FRAME_SRC = ("'self'", )
+CSP_FONT_SRC = ("'self'", "data:", "fonts.gstatic.com")
+
 include(optional("settings/*.py"))

requirements.txt

@@ -8,5 +8,6 @@ django-simple-history==3.0.0
 django-registration-redux==2.9
 django-debug-toolbar==3.2.1
 django-bootstrap-datepicker-plus==3.0.5
+django-csp==3.7
 mysqlclient==2.0.3  # for production deployment
 pytz==2021.1

templates/admin/base_site.html

@@ -11,12 +11,9 @@
 {% endblock %}
 
 {% block extrahead %}
-    <!-- Load popper before bootstrap loads -->
-    <script src="{% static "common/vendor/popper/popper-1.14.7.min.js" %}"></script>
-
     <!-- Load bootstrap, jquery and fontawesome-->
     {% bootstrap_css %}
-    {% bootstrap_javascript jquery='full' %}
+    {% bootstrap_javascript jquery=True %}
     {% fontawesome_5_static %}
 
     <style>

templates/base.html

@@ -12,9 +12,6 @@
 
     <title>{% block title %}AK Planning{% endblock %}</title>
 
-    <!-- Load popper before bootstrap loads -->
-    <script src="{% static "common/vendor/popper/popper-1.14.7.min.js" %}"></script>
-
     <!-- Load bootstrap, jquery and fontawesome-->
     {% bootstrap_css %}
     {% bootstrap_javascript jquery='slim' %}