Modal that loads new view/template into another view/template doesn't respect the CSP; Fails to run scripts. #246

Open
ChefCodev opened this issue Oct 8, 2024 · 0 comments

ChefCodev commented Oct 8, 2024

I didn't include the template code because it is irrelevant. This is the script tag in the template:

<script nonce="{{ CSP_NONCE }}" src="{% static 'js/mmImport.js' %}" defer
        data-mmimporturl="{% url 'mmImport' %}">
</script>

In settings.py

MIDDLEWARE = [
    'csp.middleware.CSPMiddleware',
    ....
]

TEMPLATES = [
    {
        ....
        'context_processors': [
            .....
            'csp.context_processors.nonce',
        ],
        ....
    },
]

# Content Security Policy

CSP_DEFAULT_SRC = ("'self'",)
CSP_IMG_SRC = ("'self'",)
CSP_STYLE_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)

# A one-element tuple needs the trailing comma: ('script-src') is just the
# string 'script-src', and iterating a string yields its characters.
CSP_INCLUDE_NONCE_IN = ('script-src',)

So two scenarios...

1. I load this view/template in a modal that is in the homepage. If I include 'unsafe-inline', no issues. It works. Form/view/template behaves normally. Without 'unsafe-inline' and just the above policies, it gives the following error:

   [Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (mmHomepage, line 0)

2. I load the view as its own page/template; not a modal. Straightforward Django template. With CSP policies as above, the page works normally. No errors.

I suspect it is the way a view/template is handled by bootstrap modals. Not sure where to look. I am new to django-csp so not familiar with this. Just started familiarizing myself with the spec.

I also tried bringing this js code into the template, so not calling a separate file. No luck. Same error.

UPDATE: I used a decorator to override CSP on the homepage view:

from csp.decorators import csp_exempt
from django.utils.decorators import method_decorator

# on the homepage class-based view
@method_decorator(csp_exempt)
def dispatch(self, *args, **kwargs):
    return super().dispatch(*args, **kwargs)

This allowed the modal template JS to run without any errors.

Overriding the modal view with csp_exempt, however, and leaving the policy in place on the homepage, does not work.

I confirmed using curl that the modal view/template still had the same CSP policy applied; it did.

So... essentially it appears that the homepage CSP is conflicting with the modal template CSP.

I'll continue plugging away but any suggestions are welcome!

Please help! Thanks!

ChefCodev changed the title from "Why does my content-security-profile not work properly for a view/template loaded in a bootstrap modal? Works fine otherwise" to "Modal that loads new view/template into another view/template doesn't respect the CSP; Fails to run scripts." on Oct 8, 2024
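An added example (not code from the issue, from django-csp or from Bootstrap) that models the two things visible in the post. First, `CSP_INCLUDE_NONCE_IN = ('script-src')` as posted is a plain string, not a one-element tuple, and anything that iterates it sees characters, so the nonce never lands on `script-src`; the page does not say which django-csp version is installed or whether it wraps a bare string for this setting, and writing `('script-src',)` removes the question. Second, a nonce is generated per response: the browser enforces the header that arrived with the homepage document, while a fragment fetched into that document carries the nonce of its own response, which the homepage header never listed. The error text quoted in the post is the check browsers apply to inline script (a blocked same-origin `src=` is reported by URL instead), and the post says inlining the code gave the same error, so the model treats the fragment's script as inline. The settings dicts, the nonce values and the `build_policy`/`script_allowed` functions are constructed for this example and only approximate the library and the browser.

```python
"""Added example, not code from the issue, django-csp or Bootstrap: a model of
how a CSP_INCLUDE_NONCE_IN setting becomes a header and of how a browser checks
one <script> against that header. Settings and nonces are constructed here."""
import secrets

DIRECTIVE_SETTINGS = {
    "CSP_DEFAULT_SRC": "default-src",
    "CSP_SCRIPT_SRC": "script-src",
    "CSP_STYLE_SRC": "style-src",
    "CSP_IMG_SRC": "img-src",
}


def build_policy(settings, nonce=None):
    """Render a header value from CSP_* settings (approximation of django-csp 3.x):
    space-join each source list, then append 'nonce-<value>' to every entry of
    CSP_INCLUDE_NONCE_IN. The setting is iterated as given, so the bare string
    ('script-src') from the issue yields characters and the nonce never reaches
    script-src."""
    parts = {}
    for key, directive in DIRECTIVE_SETTINGS.items():
        value = settings.get(key)
        if value is None:
            continue
        if isinstance(value, str):  # ("'self'") is a str; treat it as one source
            value = (value,)
        parts[directive] = " ".join(value)
    if nonce:
        for section in settings.get("CSP_INCLUDE_NONCE_IN", ("default-src",)):
            parts[section] = f"{parts.get(section, '')} 'nonce-{nonce}'".strip()
    return "; ".join(f"{k} {v}".strip() for k, v in parts.items())


def parse_policy(policy):
    """Header value -> {directive: [sources]}."""
    out = {}
    for chunk in policy.split(";"):
        chunk = chunk.strip()
        if chunk:
            name, _, sources = chunk.partition(" ")
            out[name] = sources.split()
    return out


def script_allowed(policy, inline, script_nonce=None, same_origin=True):
    """Does one <script> run under this header? (hashes, strict-dynamic omitted)
    - no header at all, which is what csp_exempt produces: yes;
    - src= on a same-origin URL: 'self' admits it, the nonce is irrelevant;
    - inline script: needs a matching 'nonce-...', or 'unsafe-inline' when the
      directive carries no nonce (a nonce makes browsers ignore 'unsafe-inline')."""
    if not policy:
        return True
    d = parse_policy(policy)
    sources = d.get("script-src", d.get("default-src", []))
    if not inline:
        return same_origin and "'self'" in sources
    has_nonce = any(s.startswith("'nonce-") for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce:
        return True
    return script_nonce is not None and f"'nonce-{script_nonce}'" in sources


# Settings as posted in the issue: ('script-src') is a str, not a tuple.
AS_POSTED = {
    "CSP_DEFAULT_SRC": ("'self'"),
    "CSP_SCRIPT_SRC": ("'self'"),
    "CSP_INCLUDE_NONCE_IN": ("script-src"),
}
# The same settings with the one-element tuple written with its trailing comma.
FIXED = {**AS_POSTED, "CSP_INCLUDE_NONCE_IN": ("script-src",)}


def script_src_of(settings, nonce):
    """Sources that actually end up on script-src for a given nonce."""
    return parse_policy(build_policy(settings, nonce)).get("script-src", [])


def modal_scenario(settings, exempt_homepage=False):
    """Two responses, two nonces. The homepage response delivers the header the
    browser enforces; the modal fragment is fetched later and its <script>
    carries the nonce of its own response. Returns
    (standalone page script allowed, fragment script inside the homepage allowed)."""
    home_nonce, modal_nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    policy = "" if exempt_homepage else build_policy(settings, home_nonce)
    # Scenario 2 of the post: the template served as its own page. Its script is
    # a same-origin src=, so 'self' admits it whatever became of the nonce.
    standalone = script_allowed(policy, inline=False, script_nonce=home_nonce)
    # Scenario 1: the fragment's script is evaluated inline in the homepage
    # document and presents the fragment's nonce, which that document's header
    # does not list.
    fragment = script_allowed(policy, inline=True, script_nonce=modal_nonce)
    return standalone, fragment


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("trailing comma", FIXED)):
        print(f"{label:15} header: {build_policy(cfg, 'n1')}")
        print(f"{label:15} modal : {modal_scenario(cfg)}")
    print(f"{'csp_exempt':15} modal : {modal_scenario(FIXED, exempt_homepage=True)}")
```

Run it directly to print the two headers and the scenario results. Two caveats the model makes explicit: if the modal code attached the fragment's script to the page as a real `<script src>` element pointing at a same-origin URL, `'self'` would admit it regardless of nonce, so how the markup is inserted (not shown in the post) decides which check applies; and in browsers implementing CSP level 2 or later, `'unsafe-inline'` is ignored once a nonce or hash source appears in the same directive, so the fact that adding it made the modal work is consistent with the nonce not being on `script-src` at all. The durable fix is to render a fragment with the nonce of the document that will host it, or to ship the modal's code as a same-origin file attached as a `<script src>` element, rather than to `csp_exempt` the homepage.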