Merge pull request #2644 from rrgeorge/rrgeorge/csp

Add Content-Security-Policy headers and secure cookies
2023-02-10 16:37:39 -08:00 · 2023-02-10 16:37:39 -08:00 · 2c2daf5fdf
commit 2c2daf5fdf
parent cc9e94261c b82231202c
18 changed files with 33 additions and 15 deletions
--- a/bookwyrm/views/admin/dashboard.py
+++ b/bookwyrm/views/admin/dashboard.py
@ -12,6 +12,8 @@ from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.views import View

+from csp.decorators import csp_update
+
 from bookwyrm import models, settings
 from bookwyrm.connectors.abstract_connector import get_data
 from bookwyrm.connectors.connector_manager import ConnectorException
@ -27,6 +29,9 @@ from bookwyrm.utils import regex
 class Dashboard(View):
    """admin overview"""

+    @csp_update(
+        SCRIPT_SRC="https://cdn.jsdelivr.net/npm/chart.js@3.5.1/dist/chart.min.js"
+    )
    def get(self, request):
        """list of users"""
        data = get_charts_and_stats(request)
--- a/bookwyrm/views/search.py
+++ b/bookwyrm/views/search.py
@ -8,6 +8,8 @@ from django.http import JsonResponse
 from django.template.response import TemplateResponse
 from django.views import View

+from csp.decorators import csp_update
+
 from bookwyrm import models
 from bookwyrm.connectors import connector_manager
 from bookwyrm.book_search import search, format_search_result
@ -21,6 +23,7 @@ from .helpers import handle_remote_webfinger
 class Search(View):
    """search users or books"""

+    @csp_update(IMG_SRC="*")
    def get(self, request):
        """that search bar up top"""
        if is_api_request(request):