Added support for secure cookies and django-csp
This commit is contained in:
parent
006ff697b9
commit
36605efd20
@ -101,6 +101,7 @@ MIDDLEWARE = [
|
||||||
"django.middleware.locale.LocaleMiddleware",
|
"django.middleware.locale.LocaleMiddleware",
|
||||||
"django.middleware.common.CommonMiddleware",
|
"django.middleware.common.CommonMiddleware",
|
||||||
"django.middleware.csrf.CsrfViewMiddleware",
|
"django.middleware.csrf.CsrfViewMiddleware",
|
||||||
|
"csp.middleware.CSPMiddleware",
|
||||||
"django.contrib.auth.middleware.AuthenticationMiddleware",
|
"django.contrib.auth.middleware.AuthenticationMiddleware",
|
||||||
"bookwyrm.middleware.TimezoneMiddleware",
|
"bookwyrm.middleware.TimezoneMiddleware",
|
||||||
"bookwyrm.middleware.IPBlocklistMiddleware",
|
"bookwyrm.middleware.IPBlocklistMiddleware",
|
||||||
|
@ -335,6 +336,8 @@ PROJECT_DIR = os.path.dirname(os.path.abspath(__file__))
|
||||||
PROTOCOL = "http"
|
PROTOCOL = "http"
|
||||||
if USE_HTTPS:
|
if USE_HTTPS:
|
||||||
PROTOCOL = "https"
|
PROTOCOL = "https"
|
||||||
|
SESSION_COOKIE_SECURE = True
|
||||||
|
CSRF_COOKIE_SECURE = True
|
||||||
|
|
||||||
USE_S3 = env.bool("USE_S3", False)
|
USE_S3 = env.bool("USE_S3", False)
|
||||||
|
|
||||||
|
@ -358,11 +361,17 @@ if USE_S3:
|
||||||
MEDIA_FULL_URL = MEDIA_URL
|
MEDIA_FULL_URL = MEDIA_URL
|
||||||
STATIC_FULL_URL = STATIC_URL
|
STATIC_FULL_URL = STATIC_URL
|
||||||
DEFAULT_FILE_STORAGE = "bookwyrm.storage_backends.ImagesStorage"
|
DEFAULT_FILE_STORAGE = "bookwyrm.storage_backends.ImagesStorage"
|
||||||
|
CSP_DEFAULT_SRC = ("'self'", AWS_S3_CUSTOM_DOMAIN)
|
||||||
|
CSP_SCRIPT_SRC = ("'self'", AWS_S3_CUSTOM_DOMAIN)
|
||||||
else:
|
else:
|
||||||
STATIC_URL = "/static/"
|
STATIC_URL = "/static/"
|
||||||
MEDIA_URL = "/images/"
|
MEDIA_URL = "/images/"
|
||||||
MEDIA_FULL_URL = f"{PROTOCOL}://{DOMAIN}{MEDIA_URL}"
|
MEDIA_FULL_URL = f"{PROTOCOL}://{DOMAIN}{MEDIA_URL}"
|
||||||
STATIC_FULL_URL = f"{PROTOCOL}://{DOMAIN}{STATIC_URL}"
|
STATIC_FULL_URL = f"{PROTOCOL}://{DOMAIN}{STATIC_URL}"
|
||||||
|
CSP_DEFAULT_SRC = ("'self'")
|
||||||
|
CSP_SCRIPT_SRC = ("'self'")
|
||||||
|
|
||||||
|
CSP_INCLUDE_NONCE_IN=['script-src']
|
||||||
|
|
||||||
OTEL_EXPORTER_OTLP_ENDPOINT = env("OTEL_EXPORTER_OTLP_ENDPOINT", None)
|
OTEL_EXPORTER_OTLP_ENDPOINT = env("OTEL_EXPORTER_OTLP_ENDPOINT", None)
|
||||||
OTEL_EXPORTER_OTLP_HEADERS = env("OTEL_EXPORTER_OTLP_HEADERS", None)
|
OTEL_EXPORTER_OTLP_HEADERS = env("OTEL_EXPORTER_OTLP_HEADERS", None)
|
||||||
|
|
|
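Review bot: `CSP_DEFAULT_SRC = ("'self'")` and `CSP_SCRIPT_SRC = ("'self'")` in the else branch are plain strings, not one-element tuples, because the parenthesised literal has no trailing comma; django-csp appears to wrap a bare string in a tuple so this works today, but write `CSP_DEFAULT_SRC = ("'self'",)` / `CSP_SCRIPT_SRC = ("'self'",)` so both branches have the same shape and a future `' '.join` cannot split the value into characters. In the S3 branch (whose `if USE_S3:` starts above this hunk) `AWS_S3_CUSTOM_DOMAIN` is added to `script-src`, and by the `MEDIA_URL` / `DEFAULT_FILE_STORAGE` lines above the same domain is also where user-uploaded images are served, so any file an attacker can place in that bucket becomes an allowed script source; if static assets sit under their own prefix, scope the source to that path (a CSP source such as `https://<domain>/static/` matches only that prefix) or serve uploads from a separate host. Neither `base-uri` nor `frame-ancestors` inherits from `default-src`, so consider `CSP_BASE_URI = ("'self'",)` and `CSP_FRAME_ANCESTORS = ("'self'",)` unless clickjacking is already covered by `XFrameOptionsMiddleware`, which is not visible in the middleware hunk. Style: `CSP_INCLUDE_NONCE_IN=['script-src']` should be `CSP_INCLUDE_NONCE_IN = ["script-src"]` to match the spacing and quoting used elsewhere in this file.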
@ -1,6 +1,6 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
const tour = new Shepherd.Tour({
|
const tour = new Shepherd.Tour({
|
||||||
exitOnEsc: true,
|
exitOnEsc: true,
|
||||||
});
|
});
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
const tour = new Shepherd.Tour({
|
const tour = new Shepherd.Tour({
|
||||||
exitOnEsc: true,
|
exitOnEsc: true,
|
||||||
});
|
});
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
const initiateTour = new Shepherd.Tour({
|
const initiateTour = new Shepherd.Tour({
|
||||||
exitOnEsc: true,
|
exitOnEsc: true,
|
||||||
});
|
});
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
{% load utilities %}
|
{% load utilities %}
|
||||||
{% load user_page_tags %}
|
{% load user_page_tags %}
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
|
|
||||||
const tour = new Shepherd.Tour({
|
const tour = new Shepherd.Tour({
|
||||||
exitOnEsc: true,
|
exitOnEsc: true,
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
|
|
||||||
let localResult = document.querySelector(".local-book-search-result");
|
let localResult = document.querySelector(".local-book-search-result");
|
||||||
let remoteResult = document.querySelector(".remote-book-search-result");
|
let remoteResult = document.querySelector(".remote-book-search-result");
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
const tour = new Shepherd.Tour({
|
const tour = new Shepherd.Tour({
|
||||||
exitOnEsc: true,
|
exitOnEsc: true,
|
||||||
});
|
});
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
const tour = new Shepherd.Tour({
|
const tour = new Shepherd.Tour({
|
||||||
exitOnEsc: true,
|
exitOnEsc: true,
|
||||||
});
|
});
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
const tour = new Shepherd.Tour({
|
const tour = new Shepherd.Tour({
|
||||||
exitOnEsc: true,
|
exitOnEsc: true,
|
||||||
});
|
});
|
||||||
|
|
|
@ -183,7 +183,7 @@
|
||||||
{% include 'snippets/footer.html' %}
|
{% include 'snippets/footer.html' %}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
var csrf_token = '{{ csrf_token }}';
|
var csrf_token = '{{ csrf_token }}';
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
|
|
|
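Review bot: The nonce added to this inline script only takes effect if `request.csp_nonce` is populated when `layout.html` renders, which needs the `request` context processor in `TEMPLATES` and the CSP middleware on the request path; neither is visible here, and an empty `nonce=""` makes the browser drop the script silently under `script-src 'self'` plus nonce, taking the `csrf_token` global with it. A template-level test that renders the page and asserts the `nonce` attribute is non-empty would pin this. Note also that a nonce on `<script>` does not cover inline event handlers (`onclick=`) or `javascript:` URLs elsewhere in the templates, which the new policy rejects; rolling out with `CSP_REPORT_ONLY = True` and a `CSP_REPORT_URI` first would inventory those before enforcing.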
@ -11,7 +11,7 @@
|
||||||
<title>{% block title %}{% endblock %}</title>
|
<title>{% block title %}{% endblock %}</title>
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||||
<link href="{% sass_src site_theme %}" rel="stylesheet" type="text/css" />
|
<link href="{% sass_src site_theme %}" rel="stylesheet" type="text/css" />
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
function closeWindow() {
|
function closeWindow() {
|
||||||
window.close();
|
window.close();
|
||||||
}
|
}
|
||||||
|
@ -32,7 +32,7 @@
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
var csrf_token = '{{ csrf_token }}';
|
var csrf_token = '{{ csrf_token }}';
|
||||||
</script>
|
</script>
|
||||||
<script src="{% static 'js/bookwyrm.js' %}?v={{ js_cache }}"></script>
|
<script src="{% static 'js/bookwyrm.js' %}?v={{ js_cache }}"></script>
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
var registerStats = new Chart(
|
var registerStats = new Chart(
|
||||||
document.getElementById('register_stats'),
|
document.getElementById('register_stats'),
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
|
|
||||||
var statusStats = new Chart(
|
var statusStats = new Chart(
|
||||||
document.getElementById('status_stats'),
|
document.getElementById('status_stats'),
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
|
|
||||||
var userStats = new Chart(
|
var userStats = new Chart(
|
||||||
document.getElementById('user_stats'),
|
document.getElementById('user_stats'),
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
<script>
|
<script nonce="{{request.csp_nonce}}">
|
||||||
|
|
||||||
var worksStats = new Chart(
|
var worksStats = new Chart(
|
||||||
document.getElementById('works_stats'),
|
document.getElementById('works_stats'),
|
||||||
|
|
|
@ -12,6 +12,8 @@ from django.utils import timezone
|
||||||
from django.utils.decorators import method_decorator
|
from django.utils.decorators import method_decorator
|
||||||
from django.views import View
|
from django.views import View
|
||||||
|
|
||||||
|
from csp.decorators import csp_update
|
||||||
|
|
||||||
from bookwyrm import models, settings
|
from bookwyrm import models, settings
|
||||||
from bookwyrm.connectors.abstract_connector import get_data
|
from bookwyrm.connectors.abstract_connector import get_data
|
||||||
from bookwyrm.connectors.connector_manager import ConnectorException
|
from bookwyrm.connectors.connector_manager import ConnectorException
|
||||||
|
@ -27,6 +29,7 @@ from bookwyrm.utils import regex
|
||||||
class Dashboard(View):
|
class Dashboard(View):
|
||||||
"""admin overview"""
|
"""admin overview"""
|
||||||
|
|
||||||
|
@csp_update(SCRIPT_SRC='https://cdn.jsdelivr.net/npm/chart.js@3.5.1/dist/chart.min.js')
|
||||||
def get(self, request):
|
def get(self, request):
|
||||||
"""list of users"""
|
"""list of users"""
|
||||||
data = get_charts_and_stats(request)
|
data = get_charts_and_stats(request)
|
||||||
|
|
|
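Review bot: `@csp_update(SCRIPT_SRC='https://cdn.jsdelivr.net/npm/chart.js@3.5.1/dist/chart.min.js')` allow-lists an exact third-party URL, which means the policy trusts whatever jsdelivr serves at that path; the `<script src>` tag that loads it (not in this diff) should carry `integrity="sha384-…" crossorigin="anonymous"` so a swapped or compromised CDN file is rejected, or chart.js should be vendored under `static/` so `'self'` already covers it and this decorator goes away. Because the source expression matches only this exact path, the version here must stay in lockstep with the template; a single settings constant (e.g. `CHART_JS_URL`) used by both the decorator and the template would avoid silent breakage when one side is bumped. The decorator wraps only `get`, and the body of `Dashboard.get` continues past the end of this hunk.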
@ -8,6 +8,7 @@ django-compressor==4.3.1
|
||||||
django-imagekit==4.1.0
|
django-imagekit==4.1.0
|
||||||
django-model-utils==4.3.1
|
django-model-utils==4.3.1
|
||||||
django-sass-processor==1.2.2
|
django-sass-processor==1.2.2
|
||||||
|
django-csp==3.7
|
||||||
environs==9.5.0
|
environs==9.5.0
|
||||||
flower==1.2.0
|
flower==1.2.0
|
||||||
libsass==0.22.0
|
libsass==0.22.0
|
||||||
|
|