Comments (9)
I think the plan makes sense to me. Using django-csp
should be absolutely fine. I think it makes sense to use report-only in the beginning, but will also need an URL where it can report to using the report-to
directive. Then one can check the json violation reported. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only#violation_report_syntax is a good reference for the violation reporting syntaxes.
With the different levels, I think it's easy when we think of just 'self'
and 'unsafe-inline'
and similar ones, but gets trickier when we consider nonce and external URLs that might be needed as well. If we are just going to configure the CSP directives and not have pre-defined strictness like "strict", "unsafe", etc. then I think just using environment variables and django-csp is good enough. I won't know how to recommend same CSP for all wagtail sites. We can rather recommend what not to do, as in avoid unsafe-inline
, unsafe-eval
, etc.
from bakerydemo.
For reference, this is what Torchbox projects do as a baseline, with django-csp
:
# Content Security policy settings
# http://django-csp.readthedocs.io/en/latest/configuration.html
if "CSP_DEFAULT_SRC" in env:
MIDDLEWARE.append("csp.middleware.CSPMiddleware")
# The “special” source values of 'self', 'unsafe-inline', 'unsafe-eval', and 'none' must be quoted!
# e.g.: CSP_DEFAULT_SRC = "'self'" Without quotes they will not work as intended.
CSP_DEFAULT_SRC = env.get("CSP_DEFAULT_SRC").split(",")
if "CSP_SCRIPT_SRC" in env:
CSP_SCRIPT_SRC = env.get("CSP_SCRIPT_SRC").split(",")
if "CSP_STYLE_SRC" in env:
CSP_STYLE_SRC = env.get("CSP_STYLE_SRC").split(",")
if "CSP_IMG_SRC" in env:
CSP_IMG_SRC = env.get("CSP_IMG_SRC").split(",")
if "CSP_CONNECT_SRC" in env:
CSP_CONNECT_SRC = env.get("CSP_CONNECT_SRC").split(",")
if "CSP_FONT_SRC" in env:
CSP_FONT_SRC = env.get("CSP_FONT_SRC").split(",")
if "CSP_BASE_URI" in env:
CSP_BASE_URI = env.get("CSP_BASE_URI").split(",")
if "CSP_OBJECT_SRC" in env:
CSP_OBJECT_SRC = env.get("CSP_OBJECT_SRC").split(",")
And the more opinionated variant we’re hoping to have soon:
CSP_DEFAULT_SRC = ["'self'", "'unsafe-inline'"]
CSP_IMG_SRC = ["'self'", "data:"]
CSP_UPGRADE_INSECURE_REQUESTS = True
CSP_SANDBOX = True
# Allow retrieving images from the custom S3 domain if it exists
if "AWS_S3_CUSTOM_DOMAIN" in env:
CSP_IMG_SRC.append(env["AWS_S3_CUSTOM_DOMAIN"])
from bakerydemo.
The main reason Wagtail isn't CSP compatible stems from the use of injected script
tags in the admin. If we can remove those, things get much simpler.
There are a few other remote resources Wagtail depends on, such as the version check in releases.wagtail.org
and gravatar, but those are fairly static and easy to document. Other than the basics of self
, there shouldn't be much more that Wagtail itself needs to function.
The above "opinionated" option will work with Wagtail today, and technically enforces CSP. The problem is that it's not very strong in its use of unsafe-inline
, as it allows any script
tags in the HTML, which can open up XSS issues. That's the main directive we want to remove. The first example doesn't configure django-csp
at all, only allowing it to be configured through the environment.
I think for a wagtail dev site, we should just enforce CSP, and see where it breaks. Adding django-csp
to bakerydemo
and to our nightly environments would let us easily achieve this.
from bakerydemo.
Done in #232.
from bakerydemo.
I know this is a closed issue but wanted to ask how an enforced CSP will affect browser tools such as screen readers for accessibility. Depending on the policy chosen you might find a large number of false positives being reported (and of course blocked if Report-Only is removed). Adding this here as a note for the experimentation process when trying 'different degrees of CSP strictness' unless of course someone already know the answer to this.
from bakerydemo.
@danielabrahamsgosh it’s completely fine to comment even if already closed! Could you expand upon your question? As far as I know screen readers shouldn’t be affected by CSPs at all. Browser extensions which inject content onto sites would break, but that is generally the intention – and those extensions which do want to bypass the CSP have APIs to do so.
from bakerydemo.
Thanks @thibaudcolas - I understand about screen readers specifically. My question is more general about how a CSP can affect accessibility tools across the spectrum (as this is something I would not want to block). I could think of a multitude of systems for example an extension that changes colours on a site to make it easier to read. What I am not sure about is what is considered 'standard' in the industry. I am certainly not an accessibility specialist and will need to research the CSP APIs you mention.
It was simply a worry I had retrospectively after implementing a CSP but I haven't had the time to research it fully yet. We are still on the report-only phase of implementation and I have seen some possible reports from 'the wild' I cannot account for. If the participants in this conversation don't deem it a risk that would be good enough for me. Many thanks!
from bakerydemo.
@danielabrahamsgosh as far as I’m aware, though it’s possible for accessibility-related browser extensions to be affected if implemented poorly, they have dedicated browser APIs which aren’t affected by the CSP. For example APIs to insert scripts or CSS onto the page without having to follow the CSP. It’s something extension developers can take into account but as far as I know they do (otherwise lots of extensions would be broken on lots of websites).
from bakerydemo.
@danielabrahamsgosh accessibility tools such as NVDA or VoiceOver sit outside the browser so they would not impacted with any CSP changes.
Browser plug-ins like ChromeVox or Wave accessibility checkers can also sit outside the scope/remit of CSP.
CSP is about code provided from the sites server, and third party scripts.
from bakerydemo.
Related Issues (20)
- Problem with iframe dimensions in paragraph blocks in Streamfields.
- Replace flake8 and isort with ruff HOT 1
- Create separate `dev` branch for Wagtail development purposes HOT 2
- modelcluster. ValueError : invalid literal for int() with base 10: 'THU' on locations pages in the admin preview HOT 1
- Inaccurate copyright message in footer HOT 1
- Documents in demo site HOT 1
- Replace ModelAdmin usage with snippets
- MultipleChooserPanel example
- Issues with loading initial data (SearchPromotion)
- Create (or change) a model to use UUID/non-integer for its primary key HOT 2
- Help text of featured sections in homepage repeats the same as in Promo title
- Guys, it uses so old packages. and gives error. I recommend don't use this demo. HOT 1
- Images in all of Wagtail’s supported formats
- Enable `USE_THOUSANDS_SEPARATOR` by default & have some larger test ids HOT 3
- Update Node/NPM libraries (Node 20)
- AttributeError: module 'dotenv' has no attribute 'read_dotenv'. Did you mean: 'load_dotenv'? HOT 3
- exec /code/docker-entrypoint.sh: no such file or directory HOT 1
- migration failed HOT 1
- Fresh install of the bakerydemo using pyenv generates 'KeyError at / <wagtail.images.models.Filter object at 0x10953ef40>' HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bakerydemo.