Support Content-Security-Policy

Open jelly opened this issue 1 year ago • 0 comments

Use case

Just having setup wger, I accidentally left the default CSP policy apply in nginx which makes some stuff not load:

nginx conf

    add_header Content-Security-Policy "default-src 'self';";

CSP warnings

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-pL66BdwWVXVeMJCEP/OlW8pCOSUqfqkRaXFB8c64TBo='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

overview/:84 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-mjUy7dFc9gDb60NcMaH4/R0NQGqCh192/PlG/UkLyOI='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

overview/:87 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-+KlL3+6ljLTdps4RZkXTMhY587nhiszOFQVSl9ycyuU='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

output.1cfcbf2246c6.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

l @ output.1cfcbf2246c6.js:1
(anonymous) @ output.1cfcbf2246c6.js:1
(anonymous) @ output.1cfcbf2246c6.js:1
(anonymous) @ output.1cfcbf2246c6.js:1
(anonymous) @ output.1cfcbf2246c6.js:1

Proposal

CSP is relatively easy to add in a Django project with django-csp, which lets you add middleware and a nonce for inline JavaScript so it is allowed.

jelly avatar Aug 17 '24 13:08 jelly
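The following is an added example, not wger's or django-csp's code, that models the two mechanisms the browser warnings above name for allowing inline scripts and styles: a per-response nonce and a `'sha256-...'` hash of the inline body. It also shows why the nginx header quoted in the issue blocks everything inline (no `script-src`/`style-src`, so `default-src 'self'` is the fallback and carries no nonce or hash). The `respond` helper stands in for what django-csp's middleware plus `request.csp_nonce` in templates do; the markup and the `POLICY_FROM_ISSUE` constant are taken from the issue, everything else is constructed. The hash in the last warning (`47DEQpj8...`) is the SHA-256 of an empty body, which the hash helper reproduces.

```python
import base64
import hashlib
import secrets

# Added example (not wger's or django-csp's code). It models the two ways the
# browser warnings in this issue say an inline script/style can be allowed:
# a per-response nonce or a sha256 hash of the exact inline body.

POLICY_FROM_ISSUE = "default-src 'self';"   # the nginx header quoted above


def make_nonce(num_bytes: int = 16) -> str:
    """Fresh, unpredictable nonce for one response; never reuse it across responses."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def csp_hash(inline_body: str) -> str:
    """CSP hash-source ('sha256-<base64>') over the exact bytes of an inline body."""
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(nonce: str, extra_hashes=()) -> str:
    """Header value: inline code runs only with nonce="<nonce>" or a listed hash."""
    inline_sources = ["'self'", f"'nonce-{nonce}'", *extra_hashes]
    directives = {
        "default-src": ["'self'"],
        "script-src": inline_sources,
        "style-src": inline_sources,
    }
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def parse_csp(header: str) -> dict:
    """Parse a serialized policy into {directive: [source, ...]}."""
    policy = {}
    for raw in header.split(";"):
        parts = raw.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def allows_inline(policy: dict, directive: str, *, nonce=None, body=None) -> bool:
    """Decide whether an inline script (script-src) or style (style-src) may run.

    Mirrors the rules the warnings describe: the directive falls back to
    default-src when absent, and a matching nonce or hash is required unless
    'unsafe-inline' is given (which browsers ignore once any nonce or hash
    source is present in that directive).
    """
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src", [])   # fallback noted in the warnings
    strict_prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    nonce_or_hash = [s for s in sources if s.startswith(strict_prefixes)]
    if not nonce_or_hash:
        return "'unsafe-inline'" in sources
    if nonce is not None and f"'nonce-{nonce}'" in nonce_or_hash:
        return True
    if body is not None and csp_hash(body) in nonce_or_hash:
        return True
    return False


def respond(template_html: str, extra_hashes=()) -> tuple:
    """One request: mint a nonce, stamp it on inline tags, emit the header.

    Hypothetical stand-in for django-csp's middleware; in a real template the
    nonce is inserted as {{ request.csp_nonce }} rather than by string replace.
    """
    nonce = make_nonce()
    body = template_html.replace("<script>", f'<script nonce="{nonce}">')
    body = body.replace("<style>", f'<style nonce="{nonce}">')
    headers = {"Content-Security-Policy": build_csp(nonce, extra_hashes)}
    return headers, body, nonce


if __name__ == "__main__":
    # Constructed page with one inline style and one inline script.
    page = "<style>body{margin:0}</style><script>init()</script>"
    headers, html, nonce = respond(page)
    policy = parse_csp(headers["Content-Security-Policy"])
    print(headers["Content-Security-Policy"])
    print("issue policy allows inline script:",
          allows_inline(parse_csp(POLICY_FROM_ISSUE), "script-src", nonce=nonce))
    print("nonce policy allows inline script:",
          allows_inline(policy, "script-src", nonce=nonce))
```

Hashes only help for inline bodies that never change; anything a template renders per user or per request needs the nonce, which is why the proposal above reaches for django-csp's middleware rather than a static `'sha256-...'` list in nginx.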