authorJelle van der Waa <jelle@vdwaa.nl>2019-01-29 16:42:54 +0100
committerJelle van der Waa <jelle@archlinux.org>2019-02-18 16:42:51 +0100
commit3525458926dfa47e6c7bcedb4304cc243e78d47a (patch)
tree413b8c898c71fd6a07c797193768eaaf0071e80a
parent6b22bedd82ae69a54f15c2f5f64f9f3945e5fb43 (diff)
Implement CSP for archweb
Add django-csp as a dependency so the CSP can be configured in Django's settings and a CSP_NONCE can be applied to inline <script> elements in templates. Since archweb heavily uses this pattern, it is the best compromise.
-rw-r--r--requirements.txt1
-rw-r--r--settings.py8
-rw-r--r--templates/devel/clock.html2
-rw-r--r--templates/devel/index.html2
-rw-r--r--templates/devel/packages.html2
-rw-r--r--templates/devel/profile.html2
-rw-r--r--templates/mirrors/mirror_details.html2
-rw-r--r--templates/mirrors/mirrors.html2
-rw-r--r--templates/mirrors/status.html2
-rw-r--r--templates/mirrors/url_details.html2
-rw-r--r--templates/news/add.html2
-rw-r--r--templates/packages/details.html2
-rw-r--r--templates/packages/differences.html2
-rw-r--r--templates/packages/groups.html2
-rw-r--r--templates/packages/packages_list.html2
-rw-r--r--templates/packages/signoffs.html2
-rw-r--r--templates/packages/stale_relations.html2
-rw-r--r--templates/public/keys.html2
-rw-r--r--templates/registration/login.html2
-rw-r--r--templates/releng/release_list.html2
-rw-r--r--templates/todolists/list.html2
-rw-r--r--templates/todolists/view.html2
-rw-r--r--templates/visualize/index.html2
23 files changed, 30 insertions, 21 deletions
diff --git a/requirements.txt b/requirements.txt
index 515471ba..56f4bd0a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,3 +10,4 @@ pytz>=2017.3
parse==1.11.1
django-jinja==2.4.1
sqlparse==0.2.4
+django-csp==3.5
diff --git a/settings.py b/settings.py
index 10114f11..17377c25 100644
--- a/settings.py
+++ b/settings.py
@@ -53,6 +53,7 @@ MIDDLEWARE = (
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.middleware.http.ConditionalGetMiddleware',
+ 'csp.middleware.CSPMiddleware',
)
# Base of the URL hierarchy
@@ -92,6 +93,12 @@ SECURE_CONTENT_TYPE_NOSNIFF = True
# X-XSS-Protection, enables cross-site scripting filter in most browsers
SECURE_BROWSER_XSS_FILTER = True
+# CSP Settings
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = ("'self'",)
+CSP_INCLUDE_NONCE_IN = ['script-src']
+CSP_IMG_SRC = ("'self'", 'data:',)
+
# Use new test runner
TEST_RUNNER = 'django.test.runner.DiscoverRunner'
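Review bot: `CSP_SCRIPT_SRC = ("'self'",)` with the nonce (L63-L65) blocks every script served from another origin, and the templates in this commit pull jQuery in through a `{% jquery %}` tag whose source host is not visible here — if that tag resolves to a CDN, those pages stop working once the header is enforced. Rolling out with `CSP_REPORT_ONLY = True` and a `CSP_REPORT_URI` first would surface such violations without breaking pages. `base-uri`, `form-action` and `frame-ancestors` do not inherit from `default-src`, so the policy is incomplete without them; `CSP_BASE_URI = ("'none'",)` in particular keeps the root-relative `{% static %}` script URLs from being re-rooted by an injected `<base>` element, and `CSP_FORM_ACTION = ("'self'",)` restricts where forms may post. A comment above the block such as `# Content-Security-Policy header built by csp.middleware.CSPMiddleware (see MIDDLEWARE)` would tie the two hunks together for the next reader.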
@@ -194,6 +201,7 @@ TEMPLATES = [
'django.contrib.auth.context_processors.auth',
'django.template.context_processors.debug',
'django.contrib.messages.context_processors.messages',
+ 'csp.context_processors.nonce',
],
}
}
diff --git a/templates/devel/clock.html b/templates/devel/clock.html
index 2c5bfacf..88cc93e7 100644
--- a/templates/devel/clock.html
+++ b/templates/devel/clock.html
@@ -61,7 +61,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$("#clocks-table:has(tbody tr)").tablesorter({
widgets: ['zebra'],
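Review bot: The `nonce` attribute added at L87 is unquoted (`nonce={{ CSP_NONCE }}`), and the same form is used in every other template hunk of this commit except packages/details.html (L204), which writes `nonce="{{ CSP_NONCE }}"`. The nonce django-csp emits is a base64 string; if it ends in `=` padding, an unquoted attribute value containing `=` is an HTML parse error (browsers tolerate it, validators do not), so all of these lines should read `<script type="text/javascript" nonce="{{ CSP_NONCE }}">` for both validity and consistency with details.html. The `{% jquery %}` tag on the context line L84 carries no nonce; whether it survives the new `script-src 'self'` policy depends on where that tag's script is served from, which this diff does not show. The `script_block` block continues past the end of the hunk.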
diff --git a/templates/devel/index.html b/templates/devel/index.html
index dfe1d1fa..4f788d6d 100644
--- a/templates/devel/index.html
+++ b/templates/devel/index.html
@@ -167,7 +167,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$("#stats-message").html('Loading developer stats…');
$("#stats-area").load('stats/', function(response, status, xhr) {
diff --git a/templates/devel/packages.html b/templates/devel/packages.html
index c75f81eb..762fc6f0 100644
--- a/templates/devel/packages.html
+++ b/templates/devel/packages.html
@@ -78,7 +78,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$(".results").tablesorter({widgets: ['zebra']});
});
diff --git a/templates/devel/profile.html b/templates/devel/profile.html
index acdc22a9..50bb33dd 100644
--- a/templates/devel/profile.html
+++ b/templates/devel/profile.html
@@ -29,7 +29,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
modify_attributes({
'#id_email': {type: 'email'},
'#id_alias': {autocorrect: 'off', autocapitalize: 'off'},
diff --git a/templates/mirrors/mirror_details.html b/templates/mirrors/mirror_details.html
index 0c0d5559..05a4b0da 100644
--- a/templates/mirrors/mirror_details.html
+++ b/templates/mirrors/mirror_details.html
@@ -115,7 +115,7 @@
<script type="text/javascript" src="{% static "d3-3.0.6.min.js" %}"></script>
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
<script type="text/javascript" src="{% static "mirror_status.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$("#available_urls:has(tbody tr)").tablesorter(
{widgets: ['zebra'], sortList: [[1,0], [2,0]],
diff --git a/templates/mirrors/mirrors.html b/templates/mirrors/mirrors.html
index 7da11268..55eb0f8c 100644
--- a/templates/mirrors/mirrors.html
+++ b/templates/mirrors/mirrors.html
@@ -47,7 +47,7 @@
</div>
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$(".results").tablesorter({widgets: ['zebra'], sortList: [[2,0], [0,0]]});
});
diff --git a/templates/mirrors/status.html b/templates/mirrors/status.html
index 39d68460..fb318480 100644
--- a/templates/mirrors/status.html
+++ b/templates/mirrors/status.html
@@ -77,7 +77,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
var headers = { 4: { sorter: 'duration' }, 5: { sorter: 'mostlydigit' },
6: { sorter: 'mostlydigit' }, 7: { sorter: 'mostlydigit' },
diff --git a/templates/mirrors/url_details.html b/templates/mirrors/url_details.html
index 2454eda4..6e64b08c 100644
--- a/templates/mirrors/url_details.html
+++ b/templates/mirrors/url_details.html
@@ -64,7 +64,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$("#check_logs:has(tbody tr)").tablesorter(
{widgets: ['zebra'], sortList: [[0,1]],
diff --git a/templates/news/add.html b/templates/news/add.html
index 51094659..f171b503 100644
--- a/templates/news/add.html
+++ b/templates/news/add.html
@@ -35,7 +35,7 @@
</div>
{% load cdn %}{% jquery %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(enablePreview);
</script>
{% endblock %}
diff --git a/templates/packages/details.html b/templates/packages/details.html
index 2851abd6..768ce43f 100644
--- a/templates/packages/details.html
+++ b/templates/packages/details.html
@@ -11,7 +11,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ CSP_NONCE }}">
$(document).ready(function() {
ajaxifyFiles();
collapseDependsList("#pkgdepslist");
diff --git a/templates/packages/differences.html b/templates/packages/differences.html
index 30750798..c650c6e8 100644
--- a/templates/packages/differences.html
+++ b/templates/packages/differences.html
@@ -42,7 +42,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$('#table_multilib_differences').tablesorter({widgets: ['zebra'], sortList: [[5, 0]]});
});
diff --git a/templates/packages/groups.html b/templates/packages/groups.html
index c135791f..9f9fef35 100644
--- a/templates/packages/groups.html
+++ b/templates/packages/groups.html
@@ -34,7 +34,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$(".results").tablesorter({widgets: ['zebra'], sortList: [[1,0], [0,0]]});
});
diff --git a/templates/packages/packages_list.html b/templates/packages/packages_list.html
index 3dcc03dc..72311235 100644
--- a/templates/packages/packages_list.html
+++ b/templates/packages/packages_list.html
@@ -45,7 +45,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$(".results").tablesorter({widgets: ['zebra'], sortList: [[2,0]]});
});
diff --git a/templates/packages/signoffs.html b/templates/packages/signoffs.html
index 9f6437c2..e2214845 100644
--- a/templates/packages/signoffs.html
+++ b/templates/packages/signoffs.html
@@ -82,7 +82,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$('.results').tablesorter({widgets: ['zebra'], sortList: [[0,0]],
headers: { 5: { sorter: 'epochdate' }, 7: { sorter: false }, 8: {sorter: false } } });
diff --git a/templates/packages/stale_relations.html b/templates/packages/stale_relations.html
index 218ddb3e..8aec424d 100644
--- a/templates/packages/stale_relations.html
+++ b/templates/packages/stale_relations.html
@@ -114,7 +114,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$('#inactive-user:not(:has(tbody tr.empty))').tablesorter({widgets: ['zebra'], headers: { 0: { sorter: false }, 2: { sorter: false } }, sortList: [[1,0]]});
$('#missing-pkgbase:not(:has(tbody tr.empty))').tablesorter({widgets: ['zebra'], headers: { 0: { sorter: false } }, sortList: [[1,0]]});
diff --git a/templates/public/keys.html b/templates/public/keys.html
index 37d5b232..978abaab 100644
--- a/templates/public/keys.html
+++ b/templates/public/keys.html
@@ -139,7 +139,7 @@
<script type="text/javascript" src="{% static "d3-3.0.6.min.js" %}"></script>
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
<script type="text/javascript" src="{% static "visualize.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$("#key-status").tablesorter({
sortLocaleCompare: true,
diff --git a/templates/registration/login.html b/templates/registration/login.html
index b5894319..f9acbe99 100644
--- a/templates/registration/login.html
+++ b/templates/registration/login.html
@@ -20,7 +20,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
modify_attributes({
'#id_username': {autocorrect: 'off', autocapitalize: 'off'}
});
diff --git a/templates/releng/release_list.html b/templates/releng/release_list.html
index bca30042..44d94f14 100644
--- a/templates/releng/release_list.html
+++ b/templates/releng/release_list.html
@@ -57,7 +57,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$(".results").tablesorter({
widgets: ['zebra'],
diff --git a/templates/todolists/list.html b/templates/todolists/list.html
index 04676812..042ff602 100644
--- a/templates/todolists/list.html
+++ b/templates/todolists/list.html
@@ -56,7 +56,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
// I'm not sure why it didn't autodetect digit, but it has to be explicit
// http://stackoverflow.com/questions/302749/jquery-tablesorter-problem
diff --git a/templates/todolists/view.html b/templates/todolists/view.html
index 8360533b..b5d69459 100644
--- a/templates/todolists/view.html
+++ b/templates/todolists/view.html
@@ -112,7 +112,7 @@
{% block script_block %}
{% load cdn %}{% jquery %}{% jquery_tablesorter %}
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
$(".results").tablesorter({
widgets: ['zebra'],
diff --git a/templates/visualize/index.html b/templates/visualize/index.html
index 446bdebe..5b992ea4 100644
--- a/templates/visualize/index.html
+++ b/templates/visualize/index.html
@@ -30,7 +30,7 @@
<script type="text/javascript" src="{% static "d3-3.0.6.min.js" %}"></script>
<script type="text/javascript" src="{% static "archweb.js" %}"></script>
<script type="text/javascript" src="{% static "visualize.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
$(document).ready(function() {
var orderings = {
"repo": { url: "{% url 'visualize-byrepo' %}", color_attr: "repo" },