Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛[#68] add CSP headers for DRF spectacular schema #69

Merged
merged 3 commits into from
Sep 25, 2024
Merged

🐛[#68] add CSP headers for DRF spectacular schema #69

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
157bc99
:bug:[#68] add CSP headers for DRF spectacular schema
Coperh Sep 13, 2024
91abb7a
:recycle:[#68] move unsafe-inline source
Coperh Sep 20, 2024
45bef6b
:sparkles:[#68] remove CDN links
Coperh Sep 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 19 additions & 17 deletions open_api_framework/conf/base.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,6 +213,7 @@
"vng_api_common",
"notifications_api_common",
"drf_spectacular",
"drf_spectacular_sidecar",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't used this package before, so I'm not sure how it works, but what does it do in this case? If I check the github it contains the static assets, but we're still fetching them via CDNs right now.

I think it would be best if we use these self hosted assets, by changing the SPECTACULAR_SETTINGS (https://github.com/tfranzel/drf-spectacular?tab=readme-ov-file#self-contained-ui-installation), and then we can probably remove the changes to the CSP directives

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's supposed to be self contained but stil has CSP errors without these links added.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stevenbal I thought so, but it looks even using sidecar required some csp tweaking:
https://drf-spectacular.readthedocs.io/en/latest/faq.html#solution-for-redoc

"rest_framework",
"django_markup",
"solo",
Expand Down Expand Up @@ -955,9 +956,7 @@ def init_sentry(before_send: Callable | None = None):
# NOTE: make sure values are a tuple or list, and to quote special values like 'self'

# ideally we'd use BASE_URI but it'd have to be lazy or cause issues
CSP_DEFAULT_SRC = [
"'self'",
] + config(
CSP_DEFAULT_SRC = ["'self'"] + config(
"CSP_EXTRA_DEFAULT_SRC",
default=[],
split=True,
Expand Down Expand Up @@ -998,12 +997,16 @@ def init_sentry(before_send: Callable | None = None):
+ CORS_ALLOWED_ORIGINS
)

CSP_IMG_SRC = CSP_DEFAULT_SRC + config(
"CSP_EXTRA_IMG_SRC",
default=[],
split=True,
group="Content Security Policy",
help_text="Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``.",
CSP_IMG_SRC = (
CSP_DEFAULT_SRC
+ ["data:", "cdn.redoc.ly"] # used by DRF spectacular
+ config(
"CSP_EXTRA_IMG_SRC",
default=[],
split=True,
group="Content Security Policy",
help_text="Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``.",
)
)

# affects <object> and <embed> tags, block everything by default but allow deploy-time
Expand All @@ -1018,8 +1021,13 @@ def init_sentry(before_send: Callable | None = None):

# we must include this explicitly, otherwise the style-src only includes the nonce because
# of CSP_INCLUDE_NONCE_IN
CSP_STYLE_SRC = CSP_DEFAULT_SRC
CSP_SCRIPT_SRC = CSP_DEFAULT_SRC
CSP_STYLE_SRC = CSP_DEFAULT_SRC + [
"'unsafe-inline'",
"fonts.googleapis.com",
] # used by DRF spectacular
CSP_SCRIPT_SRC = CSP_DEFAULT_SRC + ["'unsafe-inline'"]
CSP_FONT_SRC = ("'self'", "fonts.gstatic.com")
CSP_WORKER_SRC = ("'self'", "blob:")

# firefox does not get the nonce from default-src, see
# https://stackoverflow.com/a/63376012
Expand All @@ -1035,9 +1043,3 @@ def init_sentry(before_send: Callable | None = None):
# CSP_SANDBOX # too much

CSP_UPGRADE_INSECURE_REQUESTS = False # TODO enable on production?

CSP_EXCLUDE_URL_PREFIXES = (
# ReDoc/Swagger pull in external sources, so don't enforce CSP on API endpoints/documentation.
"/api/",
"/admin/",
)
2 changes: 1 addition & 1 deletion pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ dependencies = [
"djangorestframework>=3.15.2",
"djangorestframework-gis>=1.0",
"django-filter>=24.2",
"drf-spectacular>=0.27.2",
"drf-spectacular[sidecar]>=0.27.2",
"django-csp>=3.8",
"djangorestframework-inclusions>=1.2.0",
"commonground-api-common>=1.12.1",
Expand Down
Loading