From 3814cb5b58318d335837d93f2860a30d8d7e5545 Mon Sep 17 00:00:00 2001
From: Christof Dorner
Date: Tue, 21 Feb 2023 22:02:52 +0100
Subject: [PATCH] Add config variable for additional CSP hosts
---
 .env.example | 5 +++++
 bookwyrm/settings.py | 9 +++++----
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.env.example b/.env.example
index 4c1c2eefe..522bf2df4 100644
--- a/.env.example
+++ b/.env.example
@@ -120,3 +120,8 @@ OTEL_SERVICE_NAME=
 # for your instance:
 # https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header
 HTTP_X_FORWARDED_PROTO=false
+
+# Additional hosts to allow in the Content-Security-Policy, "self" (should be DOMAIN)
+# and AWS_S3_CUSTOM_DOMAIN (if used) are added by default.
+# Value should be a comma-separated list of host names.
+CSP_ADDITIONAL_HOSTS=
diff --git a/bookwyrm/settings.py b/bookwyrm/settings.py
index a86586eeb..4e5779e99 100644
--- a/bookwyrm/settings.py
+++ b/bookwyrm/settings.py
@@ -330,6 +330,7 @@ IMAGEKIT_DEFAULT_CACHEFILE_STRATEGY = "bookwyrm.thumbnail_generation.Strategy"
 # https://docs.djangoproject.com/en/3.2/howto/static-files/
 PROJECT_DIR = os.path.dirname(os.path.abspath(__file__))
+CSP_ADDITIONAL_HOSTS = env.list("CSP_ADDITIONAL_HOSTS", [])
 # Storage
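Review bot: `CSP_ADDITIONAL_HOSTS = env.list("CSP_ADDITIONAL_HOSTS", [])` lands under the static-files section, about thirty lines away from the only code that consumes it, and nothing at the definition says that the listed hosts are appended to `script-src` as well as `default-src`. Someone reading or auditing the settings will see a plain host list and not that each entry becomes an origin the browser may execute script from, so the line deserves a comment such as `# Extra CSP source hosts; appended to both default-src and script-src below, so every host here may serve executable script`. Moving the assignment next to `CSP_INCLUDE_NONCE_IN` with the rest of the CSP settings would also make that relationship visible, though that is a layout preference. Whether `env.list` strips whitespace around the comma-separated entries depends on the env library behind `env`, which is not visible in this hunk.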
@@ -361,15 +362,15 @@ if USE_S3:
     MEDIA_FULL_URL = MEDIA_URL
     STATIC_FULL_URL = STATIC_URL
     DEFAULT_FILE_STORAGE = "bookwyrm.storage_backends.ImagesStorage"
-    CSP_DEFAULT_SRC = ("'self'", AWS_S3_CUSTOM_DOMAIN)
-    CSP_SCRIPT_SRC = ("'self'", AWS_S3_CUSTOM_DOMAIN)
+    CSP_DEFAULT_SRC = ["'self'", AWS_S3_CUSTOM_DOMAIN] + CSP_ADDITIONAL_HOSTS
+    CSP_SCRIPT_SRC = ["'self'", AWS_S3_CUSTOM_DOMAIN] + CSP_ADDITIONAL_HOSTS
 else:
     STATIC_URL = "/static/"
     MEDIA_URL = "/images/"
     MEDIA_FULL_URL = f"{PROTOCOL}://{DOMAIN}{MEDIA_URL}"
     STATIC_FULL_URL = f"{PROTOCOL}://{DOMAIN}{STATIC_URL}"
-    CSP_DEFAULT_SRC = "'self'"
-    CSP_SCRIPT_SRC = "'self'"
+    CSP_DEFAULT_SRC = ["'self'"] + CSP_ADDITIONAL_HOSTS
+    CSP_SCRIPT_SRC = ["'self'"] + CSP_ADDITIONAL_HOSTS
 CSP_INCLUDE_NONCE_IN = ["script-src"]
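Review bot: Both branches append `CSP_ADDITIONAL_HOSTS` to `CSP_SCRIPT_SRC`, not only to `CSP_DEFAULT_SRC`, so an operator who lists a host merely to load images or fonts from it also allows that host to serve scripts, which is the directive that matters most for limiting injected-script damage and the one `CSP_INCLUDE_NONCE_IN` is already tightening with a nonce. If the setting is meant for general resource loading, append the list only to `CSP_DEFAULT_SRC` and keep `CSP_SCRIPT_SRC = ["'self'", AWS_S3_CUSTOM_DOMAIN]` and `CSP_SCRIPT_SRC = ["'self'"]` in their respective branches; if additional script hosts are a real requirement, a separate, explicitly named setting makes that wider grant deliberate rather than implicit. In either case the `.env.example` comment added by this patch should state that the hosts are added to `script-src` too, since it currently reads as a generic allow list. The `if USE_S3:` line that opens this block is outside the hunk.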