Comments (8)
Also, I do think there's some form of overlap here with #36 - maybe there's common ground in addressin both that Issue and this one
from django-csp.
Just wanted to flesh out the AppConfig idea for discussion. The idea would be to allow Django apps themselves to attempt to customize their CSP rules since they know best what limitations exist. The AppConfig seemed like a good place to store these.
This assumes there's already some data structure that can separate CSP configs by URL path that we would update if we find AppConfig CSP rules.
Here is an example. Let's say we have a blog app that has some inline javascript in the templates. That blog app would add a little bit of config to the AppConfig, e.g.
class BlogConfig(AppConfig):
name = "django_blog"
# Override CSP settings for this app.
# The keys in this config match the naming of the decorator keys (no `CSP_` prefix).
CSP_CONFIG = {
"SCRIPT_SRC": ["'unsafe-inline'"],
}
The django-csp app could then scan all app configs and look for a CSP_CONFIG
, and if found, append to the rules. Something like that might look like:
from django.apps import apps
for app, config in apps.app_configs.items():
if hasattr(config, "CSP_CONFIG"):
# Update the CSP rules
The tricky part is matching the app's URL prefix with what is set in the project's URL configuration. This can be done by comparing the config.module.urls
with the project's urlconf_module
from each URL pattern.
Extending the above, a pretty hacky way to match the urlconf_module
and pull out the prefix:
urlconf = importlib.import_module(settings.ROOT_URLCONF)
for app, config in apps.app_configs.items():
if hasattr(config, "CSP_CONFIG"):
for resolver in urlconf.urlpatterns:
if hasattr(resolver, "urlconf_module"):
if resolver.urlconf_module == config.module.urls:
prefix = resolver.pattern._route
At this point, all this data could be used to update the yet-to-be-written path-based CSP rules and 3rd-party Django apps (or django.contrib apps) can ship their own CSP configs.
from django-csp.
I would say this would probably make the configuration too complicated which is why I am not 100% for this myself.
from django-csp.
Thanks for the point @robvdl - I definitely know where you're coming from as I recently faced this with Wagtail, too.
The problem is how would you define this in settings.py
The most obvious (to me) way to define it would be to switch to more of a lookup-dictionary pattern, where the key is a URL path:
# Standard, shared CSP config comes first
# ...
# CSP_IMG_SRC: "'self'"
# ...
# Then the exceptions/additionsl list
CSP_CONFIG_EXCEPTIONS = {
'default': {
"CSP_IMG_SRC": "'self' storage.example.com",
"CSP_SCRIPT_SRC": "'self'",
//... etc
},
'/admin/': {
"CSP_IMG_SRC": "'self' otherstorage.example.com",
"CSP_SCRIPT_SRC": "'self'",
//... etc
},
'/path/to/a/very/specific/page/': {
"CSP_IMG_SRC": "'self' otherstorage.example.com",
"CSP_SCRIPT_SRC": "'self'",
//... etc
},
}
This would be a supplementary setting and would merge in existing settings, so it'd be backwards compatible and only active if you set it.
Note: While the above would work for whole paths (and potentially individual pages), making that work with a wildcard would be trickier (but we could consider that scope creep and not suport that)
Thinking aloud: one problem with having a dynamic rule selection is that we'd have to re-evaluate it on every request, because the rules may differ on the path. I don't think this'll be a big deal computationally, but I haven't looked at whether this would need a big refactor to make happen. If the dictionary-based idea appeals, I can look into it more (or anyone can, really)
What do you think? I've not thought very deeply about this yet, and would welcome bouncing it around a bit.
from django-csp.
That looks cool. To be honest I didn't think this would go anywhere so I had already resorted to subclassing the middleware and doing some of my own magic in there instead. It's not really up to me, but it looks like it could work at least.
from django-csp.
Chatting with @robhudson he made the good point that it would be nice if third-party apps could automatically declare a (default) CSP for the pages they control. As such, a dict of settings isn't as automatically compatible with that - but it does make sense as a place for a site developer to have ultimate control over all CSP rules for given paths.
Worth us thinking about whether this behaviour can fit well into an AppConfig
for per-app defaults
from django-csp.
The problem with AppConfig, how can you control third party apps like Wagtail.
Anyway Wagtail are working on their CSP rules already, it seems they are closing in on not needing unsafe inline script-src and style-src.
from django-csp.
Related Issues (20)
- nonce, request.csp_nonce and {% script %} all fail to render a nonce HOT 8
- Documentation needs to be updated to mention INSTALLED_APPS HOT 4
- Decorators depending on request method types HOT 3
- broken admin filters HOT 3
- Modify CSP based on database? HOT 1
- `CSP_INCLUDE_NONCE_IN` not working? HOT 4
- New release? HOT 11
- State of project HOT 9
- Unrecognized Content Security Policy directive 'worker-src' in Safari Browser HOT 2
- Building the wheel doesn't work HOT 4
- Backwards compatible method of adding 'strict-dynamic' as suffix HOT 1
- Don't include nonces in default-src when CSP_INCLUDE_NONCE_IN is unset / an empty list HOT 3
- Allow direct editing of build policy output HOT 1
- Documentation for context processor HOT 5
- Deprecated Features HOT 5
- interested in adding typing (mypy) support? HOT 4
- Support clearing/unsetting directives via decorator HOT 7
- Move project to pyproject.toml HOT 1
- Create csp.extensions.NoncedStyle extension HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from django-csp.