Move unsafe inline styles in base HTML to base CSS

2026-02-06 18:06:45 +00:00 · 2023-11-06 12:29:47 +01:00 · 2023-11-06 12:29:47 +01:00 · 57e161b5d3
commit 57e161b5d3
parent 016f73e02b
3 changed files with 34 additions and 11 deletions
--- a/apimanager/apimanager/settings.py
+++ b/apimanager/apimanager/settings.py
@ -94,13 +94,12 @@ MIDDLEWARE = [
 # Or the whole static folder could be uploaded to github, this prevents API manager breaking when
 # we run it on a server that may not connect to these sites

-#TODO inline script and style attributes should be modified in the template base.html so that they 
-# are no longer inline, this allows us to remove the 'unsafe-inline' policy.
+# Inline styles loaded by jsoneditor.min.js have been allowed by adding their hashes to CSP_STYLE_SRC

 CSP_IMG_SRC = ("'self'", 'https://static.openbankproject.com')
-CSP_STYLE_SRC = ("'self'", "'unsafe-inline'",'https://cdnjs.cloudflare.com') #Change 'unsafe-inline' later to use Nonces
-CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com')
-CSP_INCLUDE_NONCE_IN = ['script-src', 'style-src']
+CSP_STYLE_SRC = ("'self' 'sha256-z2a+NIknPDE7NIEqE1lfrnG39eWOhJXWsXHYGGNb5oU=' 'sha256-Dn0vMZLidJplZ4cSlBMg/F5aa7Vol9dBMHzBF4fGEtk=' 'sha256-sA0hymKbXmMTpnYi15KmDw4u6uRdLXqHyoYIaORFtjU=' 'sha256-jUuiwf3ITuJc/jfynxWHLwTZifHIlhddD8NPmmVBztk=' 'sha256-RqzjtXRBqP4i+ruV3IRuHFq6eGIACITqGbu05VSVXsI='", 'https://cdnjs.cloudflare.com', )
+CSP_SCRIPT_SRC = ("'self'", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com', "'unsafe-hashes'")
+CSP_INCLUDE_NONCE_IN = ['script-src', 'style-src'] 

 #cache the view page, we set 60s = 1m,
 # CACHE_MIDDLEWARE_SECONDS = 60
@ -137,7 +136,8 @@ TEMPLATES = [
                'base.context_processors.api_tester_url',
                'base.context_processors.portal_page',
                'base.context_processors.logo_url',
-                'base.context_processors.override_css_url'
+                'base.context_processors.override_css_url',
+                'csp.context_processors.nonce'
            ],
        },
    },
--- a/apimanager/base/static/css/base.css
+++ b/apimanager/base/static/css/base.css
@ -31,6 +31,9 @@ footer a:hover, .footer a:focus {
 	color: #fff;
 }

+.footer-content-wrapper {
+	cursor:pointer;
+}

 .navbar-brand img {
 	height: 20px;
@ -74,6 +77,20 @@ footer a:hover, .footer a:focus {
 	margin-top: -6px;
 }

+.navbar-inner {
+	margin-left:15% !important;
+}
+
+.navbar-nav {
+	margin-left:8rem;
+}
+
+.obp-home-button {
+	position:absolute;
+	margin-left: -70px !important;
+	top:-5px;
+}
+
 /*.dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:active {*/
    /*background-color: #53c4ef;*/
 /*}*/
@ -211,6 +228,12 @@ table.tablesorter thead tr .headerSortDown, table.tablesorter thead tr .headerSo
    margin-left:5rem;
    text-decoration: none !important;
 }
+
+.language-select > a {
+	color:#fff;
+	text-decoration: none !important;
+}
+
 #uk {
    cursor:pointer;
 }
--- a/apimanager/base/templates/base.html
+++ b/apimanager/base/templates/base.html
@ -19,7 +19,7 @@

 <body>
        <nav class="navbar navbar-default navbar-fixed-top" role="navigation">
-            <div style="margin-left:15% !important;">
+            <div class="navbar-inner">
                <div class="navbar-header">
                    <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
 						<span class="sr-only">Toggle navigation</span>
@ -29,8 +29,8 @@
 					</button>
                </div>
                <div id="navbar" class="collapse navbar-collapse">
-                    <ul class="nav navbar-nav" style="margin-left:8rem">
-                        <li> <a href="{% url 'home' %}" style="position:absolute; margin-left: -70px !important; top:-5px"><img src="{{ logo_url }}" alt="brand"></a></li>
+                    <ul class="nav navbar-nav">
+                        <li> <a class="obp-home-button" href="{% url 'home' %}"><img src="{{ logo_url }}" alt="brand"></a></li>
                        <li><a href="{{ API_PORTAL }}">{% trans "Home" %}</a></li>
                        {% url "consumers-index" as consumers_index_url %}
                        <li {% if consumers_index_url in request.path %} class="active" {% endif %}><a href="{{ consumers_index_url }}">{% trans "Consumers" %}</a></li>
@ -107,7 +107,7 @@
                                <p class="navbar-right button-select"><span id="navbar-login-username">{{API_USERNAME}}</span>&nbsp;&nbsp;<a href="/logout" class="btn btn-default">{% trans "Logout" %} </a></p>
                                {% endif %}
                            </li>
-                        <li class="language-select language_underline_format"><a style="color:#fff; text-decoration: none !important;">Language
+                        <li class="language-select language_underline_format"><a>Language
                            <span id="gb">EN</span>
                            |
                            <span id="es">ES</span></a></li>
@ -128,7 +128,7 @@
    {% endif %}
        <div class="container" id="body-container">
            {% block content %}{% endblock content %}
-            <div class="footer-content-wrapper" data-lift="WebUI.homePage" style="cursor:pointer">
+            <div class="footer-content-wrapper" data-lift="WebUI.homePage">
            </div>
        </div>
    <footer>