Introduce CSP and update js dependencies accordingly

Introduce a Content Security Policy for AKPlanning. This uses django-csp as new dependency and introduces a configuration for CSP that matches the current usage but makes sure to enforce all possible restrictions for security.

Default for frame-ancestors is 'self' (default-src). This may be changed in additional config files. The AK wall view is explicitly exempted from that and allowed to be shown embedded in every website.

This merge request also updates js dependencies (bootstrap and jquery) due to the django-bootstrap4 update (since it expects a bootstrap javascript version that already includes popper) after the issue became apparent during testing for the CSP:

  • Bump jquery to 3.5.1
  • Bump bootstrap to 4.6.0
  • Remove separate popper lib

Adjust paths in settings. This also makes sure that the local jquery version is always used, which was previously not the case for admin views that depended on code.jquery.com. Remove explicit popper loading that was introduced in 2c359090 to mitigate the effects of the update in c0b3478c.
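Added example, not AKPlanning's own code: a framework-free sketch of the policy logic described above, with a self-only base policy, a per-view replacement for the wall view (placeholder view name `ak_wall`), and a check of who may frame each page. The directive layout assumes the django-csp 3.x `CSP_*` setting style.

```python
"""Policy sketch for the CSP described above (added example, not AKPlanning code)."""

# Directives emitted in this order. The dict keys mirror the django-csp 3.x
# CSP_<DIRECTIVE> settings (version assumed), written here as plain Python.
DIRECTIVE_ORDER = ("default-src", "script-src", "style-src", "img-src",
                   "font-src", "frame-ancestors")

# Base policy: everything restricted to the application's own origin.
BASE_POLICY = {
    "default-src": ("'self'",),
    "script-src": ("'self'",),   # local jquery/bootstrap bundles only, no CDN hosts
    "style-src": ("'self'",),
    "img-src": ("'self'", "data:"),
    # frame-ancestors does not fall back to default-src in the CSP spec,
    # so the 'self' default is set explicitly.
    "frame-ancestors": ("'self'",),
}

# Per-view replacements, in the spirit of django-csp's csp_replace() decorator.
# "ak_wall" is a placeholder name for the AK wall view, which may be embedded anywhere.
VIEW_OVERRIDES = {
    "ak_wall": {"frame-ancestors": ("*",)},
}


def policy_for_view(view_name):
    """Effective policy for a view: the base policy with that view's replacements."""
    policy = dict(BASE_POLICY)
    policy.update(VIEW_OVERRIDES.get(view_name, {}))
    return policy


def build_csp_header(policy):
    """Serialise a policy dict into a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(policy[d])}" for d in DIRECTIVE_ORDER if policy.get(d))


def allows_framing(policy, page_origin, embedder_origin):
    """Decide whether embedder_origin may frame a page served from page_origin.

    Handles a missing directive, 'none', '*', 'self' and exact origin matches;
    wildcard host patterns are out of scope for this sketch.
    """
    ancestors = policy.get("frame-ancestors") or ()
    if not ancestors:
        return True   # no directive: CSP imposes no framing restriction
    if "'none'" in ancestors:
        return False
    if "*" in ancestors:
        return True
    if "'self'" in ancestors and embedder_origin == page_origin:
        return True
    return embedder_origin in ancestors
```

With django-csp 3.x the wall-view replacement corresponds to decorating that view with `csp_replace(FRAME_ANCESTORS=["*"])` while every other view keeps the `'self'` restriction from settings.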