Merge pull request #2916 from cweider/csp

feature(security): finalize Content Security Policy integration
freelawproject · Jul 20, 2023 · 3fe0e4f · 3fe0e4f
2 parents bc04eeb + 1947f64
commit 3fe0e4f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 14 deletions.
diff --git a/cl/settings/project/security.py b/cl/settings/project/security.py
@@ -85,9 +85,9 @@
     "'self'",
     f"https://{AWS_S3_CUSTOM_DOMAIN}/",  # for embedded PDFs
     "https://hcaptcha.com/",
-    "https://*.hcaptcha.com",
+    "https://*.hcaptcha.com/",
     "https://plausible.io/",
-    "https://api.stripe.com",
+    "https://api.stripe.com/",
 )
 CSP_FONT_SRC = (
     "'self'",
@@ -98,16 +98,16 @@
     "'self'",
     f"https://{AWS_S3_CUSTOM_DOMAIN}/",  # for embedded PDFs
     "https://hcaptcha.com/",
-    "https://*.hcaptcha.com",
-    "https://js.stripe.com",
-    "https://hooks.stripe.com",
+    "https://*.hcaptcha.com/",
+    "https://js.stripe.com/",
+    "https://hooks.stripe.com/",
 )
 CSP_IMG_SRC = (
     "'self'",
     f"https://{AWS_S3_CUSTOM_DOMAIN}/",
-    "https://portraits.free.law",
+    "https://portraits.free.law/",
     "data:",  # @tailwindcss/forms uses data URIs for images.
-    "https://*.stripe.com",
+    "https://*.stripe.com/",
 )
 CSP_MEDIA_SRC = (
     "'self'",
@@ -123,16 +123,16 @@
     "'report-sample'",
     f"https://{AWS_S3_CUSTOM_DOMAIN}/",
     "https://hcaptcha.com/",
-    "https://*.hcaptcha.com",
+    "https://*.hcaptcha.com/",
     "https://plausible.io/",
-    "https://js.stripe.com",
+    "https://js.stripe.com/",
 )
 CSP_STYLE_SRC = (
     "'self'",
     "'report-sample'",
     f"https://{AWS_S3_CUSTOM_DOMAIN}/",
     "https://hcaptcha.com/",
-    "https://*.hcaptcha.com",
+    "https://*.hcaptcha.com/",
     "'unsafe-inline'",
 )
 CSP_DEFAULT_SRC = (
@@ -145,6 +145,3 @@
     (DEVELOPMENT, TESTING)
 ):  # Development and test aren’t used over HTTPS (yet)
     CSP_UPGRADE_INSECURE_REQUESTS = True
-if SENTRY_REPORT_URI:
-    CSP_REPORT_URI = SENTRY_REPORT_URI
-CSP_REPORT_ONLY = True
diff --git a/cl/visualizations/templates/new_visualization.html b/cl/visualizations/templates/new_visualization.html
@@ -12,7 +12,7 @@
     <script src="{% static "js/typeahead.jquery.js" %}"></script>
     <script src="{% static "js/scotus_map_new.js" %}"></script>
 
-    <script type="application/javascript">
+    <script type="text/javascript" nonce="{{ request.csp_nonce }}">
         var last_year = "{{ SCDB_LATEST_CASE }}";
         var opinions = {
             {% for viz in demo_viz %}