From 36605efd206610fdd64283b5caec3f5662195ada Mon Sep 17 00:00:00 2001
From: Robert George <rrgeorge@raphus.social>
Date: Wed, 1 Feb 2023 12:59:10 -0800
Subject: [PATCH] Added support for secure cookies and django-csp

---
 bookwyrm/settings.py                                     | 9 +++++++++
 bookwyrm/templates/guided_tour/book.html                 | 2 +-
 bookwyrm/templates/guided_tour/group.html                | 2 +-
 bookwyrm/templates/guided_tour/home.html                 | 2 +-
 bookwyrm/templates/guided_tour/lists.html                | 2 +-
 bookwyrm/templates/guided_tour/search.html               | 2 +-
 bookwyrm/templates/guided_tour/user_books.html           | 2 +-
 bookwyrm/templates/guided_tour/user_groups.html          | 2 +-
 bookwyrm/templates/guided_tour/user_profile.html         | 2 +-
 bookwyrm/templates/layout.html                           | 2 +-
 bookwyrm/templates/ostatus/template.html                 | 4 ++--
 .../templates/settings/dashboard/registration_chart.html | 2 +-
 bookwyrm/templates/settings/dashboard/status_chart.html  | 2 +-
 bookwyrm/templates/settings/dashboard/user_chart.html    | 2 +-
 bookwyrm/templates/settings/dashboard/works_chart.html   | 2 +-
 bookwyrm/views/admin/dashboard.py                        | 3 +++
 requirements.txt                                         | 1 +
 17 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/bookwyrm/settings.py b/bookwyrm/settings.py
index 61240dbfa..abd71b2dd 100644
--- a/bookwyrm/settings.py
+++ b/bookwyrm/settings.py
@@ -101,6 +101,7 @@ MIDDLEWARE = [
     "django.middleware.locale.LocaleMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
+    "csp.middleware.CSPMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "bookwyrm.middleware.TimezoneMiddleware",
     "bookwyrm.middleware.IPBlocklistMiddleware",
@@ -335,6 +336,8 @@ PROJECT_DIR = os.path.dirname(os.path.abspath(__file__))
 PROTOCOL = "http"
 if USE_HTTPS:
     PROTOCOL = "https"
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_SECURE = True
 
 USE_S3 = env.bool("USE_S3", False)
 
@@ -358,11 +361,17 @@ if USE_S3:
     MEDIA_FULL_URL = MEDIA_URL
     STATIC_FULL_URL = STATIC_URL
     DEFAULT_FILE_STORAGE = "bookwyrm.storage_backends.ImagesStorage"
+    CSP_DEFAULT_SRC = ("'self'", AWS_S3_CUSTOM_DOMAIN)
+    CSP_SCRIPT_SRC = ("'self'", AWS_S3_CUSTOM_DOMAIN)
 else:
     STATIC_URL = "/static/"
     MEDIA_URL = "/images/"
     MEDIA_FULL_URL = f"{PROTOCOL}://{DOMAIN}{MEDIA_URL}"
     STATIC_FULL_URL = f"{PROTOCOL}://{DOMAIN}{STATIC_URL}"
+    CSP_DEFAULT_SRC = ("'self'")
+    CSP_SCRIPT_SRC = ("'self'")
+
+CSP_INCLUDE_NONCE_IN=['script-src']
 
 OTEL_EXPORTER_OTLP_ENDPOINT = env("OTEL_EXPORTER_OTLP_ENDPOINT", None)
 OTEL_EXPORTER_OTLP_HEADERS = env("OTEL_EXPORTER_OTLP_HEADERS", None)
diff --git a/bookwyrm/templates/guided_tour/book.html b/bookwyrm/templates/guided_tour/book.html
index 44a37f65e..a0d60e831 100644
--- a/bookwyrm/templates/guided_tour/book.html
+++ b/bookwyrm/templates/guided_tour/book.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
     });
diff --git a/bookwyrm/templates/guided_tour/group.html b/bookwyrm/templates/guided_tour/group.html
index 088437233..98fa4757a 100644
--- a/bookwyrm/templates/guided_tour/group.html
+++ b/bookwyrm/templates/guided_tour/group.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
     });
diff --git a/bookwyrm/templates/guided_tour/home.html b/bookwyrm/templates/guided_tour/home.html
index 37e874afa..be8d095af 100644
--- a/bookwyrm/templates/guided_tour/home.html
+++ b/bookwyrm/templates/guided_tour/home.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
 const initiateTour = new Shepherd.Tour({
     exitOnEsc: true,
 });
diff --git a/bookwyrm/templates/guided_tour/lists.html b/bookwyrm/templates/guided_tour/lists.html
index 4c4d241c8..72218e395 100644
--- a/bookwyrm/templates/guided_tour/lists.html
+++ b/bookwyrm/templates/guided_tour/lists.html
@@ -2,7 +2,7 @@
 {% load utilities %}
 {% load user_page_tags %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
 
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
diff --git a/bookwyrm/templates/guided_tour/search.html b/bookwyrm/templates/guided_tour/search.html
index 3e726aeb8..8a96ae0dc 100644
--- a/bookwyrm/templates/guided_tour/search.html
+++ b/bookwyrm/templates/guided_tour/search.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
 
     let localResult = document.querySelector(".local-book-search-result");
     let remoteResult = document.querySelector(".remote-book-search-result");
diff --git a/bookwyrm/templates/guided_tour/user_books.html b/bookwyrm/templates/guided_tour/user_books.html
index 2a4629050..c86d3cd34 100644
--- a/bookwyrm/templates/guided_tour/user_books.html
+++ b/bookwyrm/templates/guided_tour/user_books.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
     });
diff --git a/bookwyrm/templates/guided_tour/user_groups.html b/bookwyrm/templates/guided_tour/user_groups.html
index fc6169521..58502fbc9 100644
--- a/bookwyrm/templates/guided_tour/user_groups.html
+++ b/bookwyrm/templates/guided_tour/user_groups.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     const tour = new Shepherd.Tour({
         exitOnEsc: true,
     });
diff --git a/bookwyrm/templates/guided_tour/user_profile.html b/bookwyrm/templates/guided_tour/user_profile.html
index 29a94a2ad..f831744b9 100644
--- a/bookwyrm/templates/guided_tour/user_profile.html
+++ b/bookwyrm/templates/guided_tour/user_profile.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
 const tour = new Shepherd.Tour({
     exitOnEsc: true,
 });
diff --git a/bookwyrm/templates/layout.html b/bookwyrm/templates/layout.html
index 1227e39c4..c3408f44e 100644
--- a/bookwyrm/templates/layout.html
+++ b/bookwyrm/templates/layout.html
@@ -183,7 +183,7 @@
 {% include 'snippets/footer.html' %}
 {% endblock %}
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     var csrf_token = '{{ csrf_token }}';
 </script>
 
diff --git a/bookwyrm/templates/ostatus/template.html b/bookwyrm/templates/ostatus/template.html
index eb904a693..25d2430c0 100644
--- a/bookwyrm/templates/ostatus/template.html
+++ b/bookwyrm/templates/ostatus/template.html
@@ -11,7 +11,7 @@
     <title>{% block title %}{% endblock %}</title>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <link href="{% sass_src site_theme %}" rel="stylesheet" type="text/css" />
-    <script>
+    <script nonce="{{request.csp_nonce}}">
         function closeWindow() {
             window.close();
         }
@@ -32,7 +32,7 @@
     </div>
 </div>
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     var csrf_token = '{{ csrf_token }}';
 </script>
 <script src="{% static 'js/bookwyrm.js' %}?v={{ js_cache }}"></script>
diff --git a/bookwyrm/templates/settings/dashboard/registration_chart.html b/bookwyrm/templates/settings/dashboard/registration_chart.html
index 3b258fec8..bb51ed8bc 100644
--- a/bookwyrm/templates/settings/dashboard/registration_chart.html
+++ b/bookwyrm/templates/settings/dashboard/registration_chart.html
@@ -1,5 +1,5 @@
 {% load i18n %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 var registerStats = new Chart(
     document.getElementById('register_stats'),
     {
diff --git a/bookwyrm/templates/settings/dashboard/status_chart.html b/bookwyrm/templates/settings/dashboard/status_chart.html
index a59036a51..93ea315ab 100644
--- a/bookwyrm/templates/settings/dashboard/status_chart.html
+++ b/bookwyrm/templates/settings/dashboard/status_chart.html
@@ -1,5 +1,5 @@
 {% load i18n %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 
 var statusStats = new Chart(
     document.getElementById('status_stats'),
diff --git a/bookwyrm/templates/settings/dashboard/user_chart.html b/bookwyrm/templates/settings/dashboard/user_chart.html
index a8d356bb8..499554af6 100644
--- a/bookwyrm/templates/settings/dashboard/user_chart.html
+++ b/bookwyrm/templates/settings/dashboard/user_chart.html
@@ -1,5 +1,5 @@
 {% load i18n %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 
 var userStats = new Chart(
     document.getElementById('user_stats'),
diff --git a/bookwyrm/templates/settings/dashboard/works_chart.html b/bookwyrm/templates/settings/dashboard/works_chart.html
index c65014e98..41cb13a6b 100644
--- a/bookwyrm/templates/settings/dashboard/works_chart.html
+++ b/bookwyrm/templates/settings/dashboard/works_chart.html
@@ -1,5 +1,5 @@
 {% load i18n %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 
 var worksStats = new Chart(
     document.getElementById('works_stats'),
diff --git a/bookwyrm/views/admin/dashboard.py b/bookwyrm/views/admin/dashboard.py
index 19583bfa1..4db3c5702 100644
--- a/bookwyrm/views/admin/dashboard.py
+++ b/bookwyrm/views/admin/dashboard.py
@@ -12,6 +12,8 @@ from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.views import View
 
+from csp.decorators import csp_update
+
 from bookwyrm import models, settings
 from bookwyrm.connectors.abstract_connector import get_data
 from bookwyrm.connectors.connector_manager import ConnectorException
@@ -27,6 +29,7 @@ from bookwyrm.utils import regex
 class Dashboard(View):
     """admin overview"""
 
+    @csp_update(SCRIPT_SRC='https://cdn.jsdelivr.net/npm/chart.js@3.5.1/dist/chart.min.js')
     def get(self, request):
         """list of users"""
         data = get_charts_and_stats(request)
diff --git a/requirements.txt b/requirements.txt
index e71fb52c8..cee91b434 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,6 +8,7 @@ django-compressor==4.3.1
 django-imagekit==4.1.0
 django-model-utils==4.3.1
 django-sass-processor==1.2.2
+django-csp==3.7
 environs==9.5.0
 flower==1.2.0
 libsass==0.22.0