Add frame-ancestors and form action policy. Fix scripts broken by CSP.

2026-02-06 15:46:44 +00:00 · 2023-11-06 16:02:08 +01:00 · 2023-11-06 16:02:08 +01:00 · 6812c95077
commit 6812c95077
parent 57e161b5d3
3 changed files with 10 additions and 4 deletions
--- a/apimanager/apimanager/settings.py
+++ b/apimanager/apimanager/settings.py
@ -96,10 +96,12 @@ MIDDLEWARE = [

 # Inline styles loaded by jsoneditor.min.js have been allowed by adding their hashes to CSP_STYLE_SRC

-CSP_IMG_SRC = ("'self'", 'https://static.openbankproject.com')
+CSP_IMG_SRC = ("'self' data:", 'https://static.openbankproject.com')
 CSP_STYLE_SRC = ("'self' 'sha256-z2a+NIknPDE7NIEqE1lfrnG39eWOhJXWsXHYGGNb5oU=' 'sha256-Dn0vMZLidJplZ4cSlBMg/F5aa7Vol9dBMHzBF4fGEtk=' 'sha256-sA0hymKbXmMTpnYi15KmDw4u6uRdLXqHyoYIaORFtjU=' 'sha256-jUuiwf3ITuJc/jfynxWHLwTZifHIlhddD8NPmmVBztk=' 'sha256-RqzjtXRBqP4i+ruV3IRuHFq6eGIACITqGbu05VSVXsI='", 'https://cdnjs.cloudflare.com', )
-CSP_SCRIPT_SRC = ("'self'", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com', "'unsafe-hashes'")
-CSP_INCLUDE_NONCE_IN = ['script-src', 'style-src'] 
+CSP_SCRIPT_SRC = ("'self' 'sha256-4Hr8ttnXaUA4A6o0hGi3NUGNP2Is3Ep0W+rvm+W7BAk=' 'sha256-GgQWQ4Ejk4g9XpAZJ4YxIgZDgp7CdQCmqjMOMh9hD2g=' 'sha256-05NIAwVBHkAzKcXTfkYqTnBPtkpX+AmQvM/raql3qo0='", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com')
+CSP_FONT_SRC = ("'self'", 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/') 
+CSP_FRAME_ANCESTORS = ("'self'")
+CSP_FORM_ACTION = ("'self'")

 #cache the view page, we set 60s = 1m,
 # CACHE_MIDDLEWARE_SECONDS = 60
--- a/apimanager/customers/static/customers/css/customers.css
+++ b/apimanager/customers/static/customers/css/customers.css
@ -6,3 +6,7 @@ input#id_kyc_status {
    width: auto;
    margin: -4px 0;
 }
+
+.displaynone {
+    display:none;
+}
--- a/apimanager/customers/templates/customers/create.html
+++ b/apimanager/customers/templates/customers/create.html
@ -96,7 +96,7 @@
                    {{ form.date_of_birth_date }}
                </div>
            </div>
-            <div class="col-xs-12 col-sm-4" style="display:none">
+            <div class="col-xs-12 col-sm-4 displaynone">
                {% if form.date_of_birth_time.errors %}<div class="alert alert-danger">{{ form.date_of_birth_time.errors }}</div>{% endif %}
                <div class="form-group">
                    {{ form.date_of_birth_time.label_tag }}