From 157bc9904739293a0b754fd97178551b4ecd3d21 Mon Sep 17 00:00:00 2001 From: Conor Holden Date: Fri, 13 Sep 2024 15:09:04 +0200 Subject: [PATCH 1/3] :bug:[#68] add CSP headers for DRF spectacular schema --- open_api_framework/conf/base.py | 31 +++++++++++++++---------------- pyproject.toml | 2 +- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/open_api_framework/conf/base.py b/open_api_framework/conf/base.py index 8a507a1..7ba15cc 100644 --- a/open_api_framework/conf/base.py +++ b/open_api_framework/conf/base.py @@ -213,6 +213,7 @@ "vng_api_common", "notifications_api_common", "drf_spectacular", + "drf_spectacular_sidecar", "rest_framework", "django_markup", "solo", @@ -955,9 +956,7 @@ def init_sentry(before_send: Callable | None = None): # NOTE: make sure values are a tuple or list, and to quote special values like 'self' # ideally we'd use BASE_URI but it'd have to be lazy or cause issues -CSP_DEFAULT_SRC = [ - "'self'", -] + config( +CSP_DEFAULT_SRC = ["'self'", "'unsafe-inline'"] + config( "CSP_EXTRA_DEFAULT_SRC", default=[], split=True, @@ -998,12 +997,16 @@ def init_sentry(before_send: Callable | None = None): + CORS_ALLOWED_ORIGINS ) -CSP_IMG_SRC = CSP_DEFAULT_SRC + config( - "CSP_EXTRA_IMG_SRC", - default=[], - split=True, - group="Content Security Policy", - help_text="Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``.", +CSP_IMG_SRC = ( + CSP_DEFAULT_SRC + + ["data:", "cdn.redoc.ly", "cdn.jsdelivr.net"] # used by DRF spectacular + + config( + "CSP_EXTRA_IMG_SRC", + default=[], + split=True, + group="Content Security Policy", + help_text="Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``.", + ) ) # affects and tags, block everything by default but allow deploy-time 
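Review bot: The `CSP_IMG_SRC` hunk hard-codes third-party origins (`cdn.redoc.ly` among them) into every deployment's `img-src`, and the only explanation is `# used by DRF spectacular`, which does not say which asset still needs an external host now that `drf_spectacular_sidecar` (added at the top of this patch) presumably serves the UI bundles from `'self'`. The comment should name the asset so a maintainer can tell when the entry can go, e.g. `# ReDoc still loads its logo from cdn.redoc.ly — TODO confirm and drop once served locally`. Operators who do not want an external host in `img-src` have no way to remove it, because `CSP_EXTRA_IMG_SRC` can only add sources; if that is intended, the setting's `help_text` should say the list is additive on top of the built-in hosts.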
@@ -1018,8 +1021,10 @@ def init_sentry(before_send: Callable | None = None): # we must include this explicitly, otherwise the style-src only includes the nonce because # of CSP_INCLUDE_NONCE_IN -CSP_STYLE_SRC = CSP_DEFAULT_SRC +CSP_STYLE_SRC = CSP_DEFAULT_SRC + ["fonts.googleapis.com"] # used by DRF spectacular CSP_SCRIPT_SRC = CSP_DEFAULT_SRC +CSP_FONT_SRC = ("'self'", "fonts.gstatic.com") +CSP_WORKER_SRC = ("'self'", "blob:") # firefox does not get the nonce from default-src, see # https://stackoverflow.com/a/63376012 @@ -1035,9 +1040,3 @@ def init_sentry(before_send: Callable | None = None): # CSP_SANDBOX # too much CSP_UPGRADE_INSECURE_REQUESTS = False # TODO enable on production? - -CSP_EXCLUDE_URL_PREFIXES = ( - # ReDoc/Swagger pull in external sources, so don't enforce CSP on API endpoints/documentation. - "/api/", - "/admin/", -) diff --git a/pyproject.toml b/pyproject.toml index d21574b..e356514 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -38,7 +38,7 @@ dependencies = [ "djangorestframework>=3.15.2", "djangorestframework-gis>=1.0", "django-filter>=24.2", - "drf-spectacular>=0.27.2", + "drf-spectacular[sidecar]>=0.27.2", "django-csp>=3.8", "djangorestframework-inclusions>=1.2.0", "commonground-api-common>=1.12.1", From 91abb7a2776d339811035c65501f13cf794c3729 Mon Sep 17 00:00:00 2001 From: Conor Holden Date: Fri, 20 Sep 2024 10:40:48 +0200 Subject: [PATCH 2/3] :recycle:[#68] move unsafe-inline source --- open_api_framework/conf/base.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/open_api_framework/conf/base.py b/open_api_framework/conf/base.py index 7ba15cc..108ab2a 100644 --- a/open_api_framework/conf/base.py +++ b/open_api_framework/conf/base.py 
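Review bot: `CSP_FONT_SRC = ("'self'", "fonts.gstatic.com")` and `CSP_WORKER_SRC = ("'self'", "blob:")` are built from a bare `'self'` tuple instead of `CSP_DEFAULT_SRC` and have no `config("CSP_EXTRA_..._SRC", ...)` hook, unlike every other directive in this block, so values from `CSP_EXTRA_DEFAULT_SRC` never reach `font-src`/`worker-src` and an operator cannot add a font or worker origin without overriding the whole setting. If that is deliberate it needs a comment; otherwise `CSP_FONT_SRC = CSP_DEFAULT_SRC + ["fonts.gstatic.com"]` and `CSP_WORKER_SRC = CSP_DEFAULT_SRC + ["blob:"]` keep the block consistent (the other directives are lists, these two are tuples). The `# used by DRF spectacular` comments on `fonts.googleapis.com`/`fonts.gstatic.com` would be more useful if they said which UI (Swagger or ReDoc) pulls the Google Fonts stylesheet, since the sidecar presumably serves the rest locally — I cannot tell which from the hunk.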
@@ -956,7 +956,7 @@ def init_sentry(before_send: Callable | None = None): # NOTE: make sure values are a tuple or list, and to quote special values like 'self' # ideally we'd use BASE_URI but it'd have to be lazy or cause issues -CSP_DEFAULT_SRC = ["'self'", "'unsafe-inline'"] + config( +CSP_DEFAULT_SRC = ["'self'"] + config( "CSP_EXTRA_DEFAULT_SRC", default=[], split=True, @@ -1021,8 +1021,11 @@ def init_sentry(before_send: Callable | None = None): # we must include this explicitly, otherwise the style-src only includes the nonce because # of CSP_INCLUDE_NONCE_IN -CSP_STYLE_SRC = CSP_DEFAULT_SRC + ["fonts.googleapis.com"] # used by DRF spectacular -CSP_SCRIPT_SRC = CSP_DEFAULT_SRC +CSP_STYLE_SRC = CSP_DEFAULT_SRC + [ + "'unsafe-inline'", + "fonts.googleapis.com", +] # used by DRF spectacular +CSP_SCRIPT_SRC = CSP_DEFAULT_SRC + ["'unsafe-inline'"] CSP_FONT_SRC = ("'self'", "fonts.gstatic.com") CSP_WORKER_SRC = ("'self'", "blob:") From 45bef6b6ad1930f7cd61d3774ad0b1217c6f1026 Mon Sep 17 00:00:00 2001 From: Conor Holden Date: Mon, 23 Sep 2024 16:44:11 +0200 Subject: [PATCH 3/3] :sparkles:[#68] remove CDN links --- open_api_framework/conf/base.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/open_api_framework/conf/base.py b/open_api_framework/conf/base.py index 108ab2a..0207132 100644 --- a/open_api_framework/conf/base.py +++ b/open_api_framework/conf/base.py @@ -999,7 +999,7 @@ def init_sentry(before_send: Callable | None = None): CSP_IMG_SRC = ( CSP_DEFAULT_SRC - + ["data:", "cdn.redoc.ly", "cdn.jsdelivr.net"] # used by DRF spectacular + + ["data:", "cdn.redoc.ly"] # used by DRF spectacular + config( "CSP_EXTRA_IMG_SRC", default=[],
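Review bot: `CSP_SCRIPT_SRC = CSP_DEFAULT_SRC + ["'unsafe-inline'"]` re-allows inline scripts for the whole site, not just the schema pages, and since patch 1 in this series also drops `CSP_EXCLUDE_URL_PREFIXES` the relaxed policy now applies to `/admin/` as well; that removes most of what `script-src` protects against. The surrounding comments say a nonce is injected via `CSP_INCLUDE_NONCE_IN`, and browsers that support CSP Level 2 ignore `'unsafe-inline'` in any directive that also carries a nonce or hash, so this line either has no effect on modern browsers (and the spectacular UI would still be blocked) or only weakens the policy on older ones — `CSP_INCLUDE_NONCE_IN` is not in the hunk, so worth confirming which case applies. A narrower option is to relax only the schema views with django-csp's `csp_update`/`csp_replace` decorators, or to allow the specific inline snippets by hash, and keep the global `script-src` nonce-only. At minimum the line needs a comment recording why a site-wide `'unsafe-inline'` was accepted, e.g. `# NOTE: ignored by nonce-aware browsers; kept for <which UI> — see #68`.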