Security: enable Content-Security-Policy header

pytition/petition/static/css/petition.css

@@ -173,7 +173,8 @@ nav.navbar {
 .reassurance {
  padding-bottom: 30px;
  padding-top: 20px;
- font-size: 11px
+ font-size: 11px;
+ text-align: justify
 }
 
 input[type=email],

pytition/petition/templates/layouts/base.html

@@ -55,9 +55,9 @@
  </div>
 
  <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
- <script src="{% static "vendor/jquery-3.3.1/jquery-3.3.1.min.js" %}"></script>
- <script src="{% static "vendor/popper-1.14.6/popper.min.js" %}"></script>
- <script src="{% static "vendor/bootstrap-4.3.1/js/bootstrap.min.js" %}"></script>
+ <script src="{% static "vendor/jquery-3.3.1/jquery-3.3.1.min.js" %}" nonce="{{request.csp_nonce}}"></script>
+ <script src="{% static "vendor/popper-1.14.6/popper.min.js" %}" nonce="{{request.csp_nonce}}"></script>
+ <script src="{% static "vendor/bootstrap-4.3.1/js/bootstrap.min.js" %}" nonce="{{request.csp_nonce}}"></script>
  {% block extrajs %}
  {% endblock %}
 </body>

pytition/petition/templates/layouts/edit_layout.html

@@ -2,13 +2,15 @@
 {% load i18n %}
 {% load static %}
 {% load petition_extras %}
+{% load media_csp %}
+
 {% block media %}
  {{ block.super }}
- {{ content_form.media }}
- {{ email_form.media }}
- {{ newsletter_form.media }}
- {{ social_network_form.media }}
- {{ style_form.media }}
+ {% media_csp content_form %}
+ {% media_csp email_form %}
+ {% media_csp newsletter_form %}
+ {% media_csp social_network_form %}
+ {% media_csp style_form %}
 {% endblock %}
 
 {% block content %}

pytition/petition/templates/layouts/wizard_layout.html

@@ -3,12 +3,14 @@
 {% load widget_tweaks %}
 {% load petition_extras %}
 {% load static %}
+{% load media_csp %}
+
 {% block media %}
- {{ form.media }}
+ {% media_csp form %}
 {% endblock %}
 {% block extracss %}
  {{ block.super }}
- <link href="{% static 'vendor/smartwizard/dist/css/smart_wizard_theme_arrows.css' %}" rel="stylesheet" type="text/css" />
+ <link href="{% static 'vendor/smartwizard/dist/css/smart_wizard_theme_arrows.css' %}" rel="stylesheet" type="text/css" nonce="{{ request.csp_nonce }}"/>
 {% endblock %}
 
 {% block content %}

pytition/petition/templates/petition/account_settings.html

@@ -132,7 +132,7 @@ <h5 class="modal-title" id="org_leave_modal_label">{% trans "Leaving an organiza
 
 {% block extrajs %}
 {{ block.super }}
-<script>
+<script nonce="{{request.csp_nonce}}">
 $(function() {
  {% if not password_change_form_submitted %}
  $('#password_change_form').find('form input').removeClass('is-valid').removeClass('is-invalid');

pytition/petition/templates/petition/edit_petition.html

@@ -2,13 +2,15 @@
 {% load i18n %}
 {% load static %}
 {% load petition_extras %}
+{% load media_csp %}
+
 {% block media %}
  {{ block.super }}
- {{ content_form.media }}
- {{ email_form.media }}
- {{ newsletter_form.media }}
- {{ social_network_form.media }}
- {{ style_form.media }}
+ {% media_csp content_form %}
+ {% media_csp email_form %}
+ {% media_csp newsletter_form %}
+ {% media_csp social_network_form %}
+ {% media_csp style_form %}
 {% endblock %}
 
 {% block extracss %}
@@ -128,7 +130,7 @@
 
 {% block extrajs %}
  {{ block.super }}
-<script>
+<script nonce="{{request.csp_nonce}}">
 $(function (){
 $('a[data-toggle="list"]').on('shown.bs.tab', function(e){
  const paneID = $(e.target).attr('href');

pytition/petition/templates/petition/new_petition_step1.html

@@ -39,8 +39,8 @@
 
 {% block extrajs %}
  {{ block.super }}
- <script type="text/javascript" src="{% static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}"></script>
- <script type="text/javascript">
+ <script type="text/javascript" src="{% static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}" nonce="{{request.csp_nonce}}"></script>
+ <script type="text/javascript" nonce="{{request.csp_nonce}}">
  $(document).ready(function(){
  $('#smartwizard').smartWizard({
  theme: 'arrows',

pytition/petition/templates/petition/new_petition_step2.html

@@ -3,8 +3,10 @@
 {% load widget_tweaks %}
 {% load petition_extras %}
 {% load static %}
+{% load media_csp %}
+
 {% block media %}
- {{ form.media }}
+ {% media_csp form %}
 {% endblock %}
 
 {% block wizard_content %}
@@ -46,8 +48,8 @@
 
 {% block extrajs %}
  {{ block.super }}
- <script type="text/javascript" src="{% static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}"></script>
- <script type="text/javascript">
+ <script type="text/javascript" src="{% static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}" nonce="{{request.csp_nonce}}"></script>
+ <script type="text/javascript" nonce="{{request.csp_nonce}}">
  $(document).ready(function(){
  $('#smartwizard').smartWizard({
  theme: 'arrows',

pytition/petition/templates/petition/new_petition_step3.html

@@ -3,8 +3,10 @@
 {% load widget_tweaks %}
 {% load petition_extras %}
 {% load static %}
+{% load media_csp %}
+
 {% block media %}
- {{ form.media }}
+ {% media_csp form %}
 {% endblock %}
 
 {% block wizard_content %}
@@ -55,8 +57,8 @@ <h4 class="card-title"> {{ title }}</h4>
 
 {% block extrajs %}
  {{ block.super }}
- <script type="text/javascript" src="{% static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}"></script>
- <script type="text/javascript">
+ <script type="text/javascript" src="{% static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}" nonce="{{request.csp_nonce}}"></script>
+ <script type="text/javascript" nonce="{{request.csp_nonce}}">
  $(document).ready(function(){
  $('#smartwizard').smartWizard({
  theme: 'arrows',

pytition/petition/templates/petition/org_base.html

@@ -45,7 +45,7 @@ <h4><span class="oi oi-layers"></span> {% trans "Petition templates" %} ({{ org.
 
 {% block extrajs %}
 {{ block.super }}
-<script>
+<script nonce="{{request.csp_nonce}}">
  {% include "petition/orga.js" %}
 </script>
 {% endblock extrajs %}

pytition/petition/templates/petition/petition_change_form.html

@@ -3,7 +3,7 @@
 {% load petition_extras %}
 
 {% block extrahead %}{{ block.super }}
-<script type="text/javascript" src="{% url 'admin:jsi18n' %}"></script>
+<script type="text/javascript" src="{% url 'admin:jsi18n' %}" nonce="{{request.csp_nonce}}"></script>
 {{ media }}
 {% endblock %}
 
@@ -84,7 +84,7 @@ <h2><a href="{% url urlname %}?petition__id__exact={{ original.id }}&confirmed__
 {% block admin_change_form_document_ready %}
  <script type="text/javascript"
  id="django-admin-form-add-constants"
- src="{% static 'admin/js/change_form.js' %}"
+ src="{% static 'admin/js/change_form.js' %}" nonce="{{request.csp_nonce}}"
  {% if adminform and add %}
  data-model-name="{{ opts.model_name }}"
  {% endif %}>

pytition/petition/templates/petition/petition_detail.html

@@ -50,8 +50,8 @@
 {% endblock %}
 
 {% block extracss %}
-<link href="{% static "css/petition.css" %}" rel="stylesheet" type="text/css">
-<style type="text/css">
+<link href="{% static "css/petition.css" %}" rel="stylesheet" type="text/css" nonce="{{ request.csp_nonce }}">
+<style type="text/css" nonce="{{request.csp_nonce}}">
 {% if petition.bgcolor != "#FFFFFF" %}
 body {
  background-color: {{ petition.bgcolor }};
@@ -66,7 +66,7 @@
 {% endblock %}
 
 {% block extrajshead %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 dataLayer = [];
 </script>
 {% endblock %}
@@ -169,7 +169,7 @@ <h1 class="jumbotron-heading">{{ petition.title|html_sanitize|striptags|safe }}
  </form>
  </div>
  <div class="reassurance" id="reassurance">
- <p style="text-align:justify">
+ <p>
  {{ petition.sign_form_footer }}
  </p>
  </div>
@@ -186,7 +186,7 @@ <h1 class="jumbotron-heading">{{ petition.title|html_sanitize|striptags|safe }}
 {% endblock main_content %}
 
 {% block extrajs %}
-<script type="text/javascript" src="{% static "js/petition.js" %}"></script>
+<script type="text/javascript" src="{% static "js/petition.js" %}" nonce="{{request.csp_nonce}}"></script>
 {% endblock %}
 
 {% block footer %}

pytition/petition/templates/petition/signature_change_form.html

@@ -2,7 +2,7 @@
 {% load i18n admin_urls static admin_modify %}
 
 {% block extrahead %}{{ block.super }}
-<script type="text/javascript" src="{% url 'admin:jsi18n' %}"></script>
+<script type="text/javascript" src="{% url 'admin:jsi18n' %}" nonce="{{request.csp_nonce}}></script>
 {{ media }}
 {% endblock %}
 
@@ -75,7 +75,7 @@
 {% block admin_change_form_document_ready %}
  <script type="text/javascript"
  id="django-admin-form-add-constants"
- src="{% static 'admin/js/change_form.js' %}"
+ src="{% static 'admin/js/change_form.js' %}" nonce="{{request.csp_nonce}}
  {% if adminform and add %}
  data-model-name="{{ opts.model_name }}"
  {% endif %}>

pytition/petition/templates/petition/signature_data.html

@@ -110,7 +110,7 @@ <h2>{% trans "Signatures" %}</h2>
 
 {% block extrajs %}
  {{ block.super }}
- <script>
+ <script nonce="{{request.csp_nonce}}">
  $(function() {
  $("#re-send-all").on("click", function() {
  $("#action").val("re-send-all");
@@ -122,4 +122,4 @@ <h2>{% trans "Signatures" %}</h2>
  });
  });
  </script>
-{% endblock extrajs %}
+{% endblock extrajs %}

pytition/petition/templates/petition/user_base.html

@@ -34,7 +34,7 @@ <h4><a href="{% url "user_profile" user.username %}"><span class="oi oi-person">
 
 {% block extrajs %}
 {{ block.super }}
-<script>
+<script nonce="{{request.csp_nonce}}">
  {% include "petition/user.js" %}
 </script>
 {% endblock %}

pytition/petition/views.py

@@ -105,9 +105,10 @@ def search(request):
  }
  )
 
-
+from csp.decorators import csp_replace
 # /<int:petition_id>/
 # Show information on a petition
+@csp_replace(STYLE_SRC='unsafe-inline')
 def detail(request, petition_id):
  petition = petition_from_id(petition_id)
  check_petition_is_accessible(request, petition)
@@ -1396,9 +1397,10 @@ def org_create(request):
  ctx.update({'form': form})
  return render(request, "petition/org_create.html", ctx)
 
-
+from csp.decorators import csp_update
 # GET /org/<slug:orgslugname>/<slug:petitionname>
 # Show a petition
+@csp_replace(STYLE_SRC="'unsafe-inline'", INCLUDE_NONCE_IN=('script-src',))
 def slug_show_petition(request, orgslugname=None, username=None, petitionname=None):
  try:
  pytitionuser = get_session_user(request)

pytition/pytition/settings/base.py

@@ -45,9 +45,11 @@
  'django.contrib.staticfiles',
  'widget_tweaks',
  'formtools',
+ 'csp_helpers',
 ]
 
 MIDDLEWARE = [
+ 'csp.middleware.CSPMiddleware',
  'django.middleware.security.SecurityMiddleware',
  'django.contrib.sessions.middleware.SessionMiddleware',
  'django.middleware.locale.LocaleMiddleware',
@@ -224,5 +226,13 @@
 
 LANGUAGES = global_settings.LANGUAGES + [('oc', gettext_lazy('Occitan'))]
 
+# Content Security Policy configuration
+CSP_INCLUDE_NONCE_IN=('script-src', 'style-src')
+CSP_DEFAULT_SRC=["'none'"]
+CSP_SCRIPT_SRC=["'strict-dynamic'"]
+CSP_IMG_SRC=['*']
+CSP_STYLE_SRC=["'self'"]
+CSP_FONT_SRC=["'self'"]
+
 if DEFAULT_INDEX_THUMBNAIL == "":
  print("Please set a default index thumbnail or your index page will not be very beautiful")

requirements.txt

@@ -9,3 +9,5 @@ beautifulsoup4~=4.6.3
 django-formtools==2.1
 bcrypt
 lxml
+django-csp
+django-csp-helpers