
Flask-admin isn't Content Security Policy-friendly #1135

Closed
toolness opened this issue Dec 10, 2015 · 11 comments

Comments

@toolness

My current project uses Content Security Policy; one of the default behaviors for CSP is to prevent the execution of inline scripts, which improves resilience in the face of XSS attacks and the like.

However, it seems that there are a handful of inline <script> tags in flask-admin views, like the following one which appears on my model list view:

```html
<script language="javascript">
    (function($) {
        $('[data-role=tooltip]').tooltip({
            html: true,
            placement: 'bottom'
        });
    })(jQuery);
</script>
```

Similar to pallets-eco/flask-debugtoolbar#88, some of these can be worked around by a hash-source CSP directive, but it'd be really awesome if flask-admin was compatible with the most helpful CSP defaults out-of-the-box!

@mrjoes
Contributor

mrjoes commented Dec 10, 2015

Pull requests are always welcome!

@jxltom
Contributor

jxltom commented Oct 21, 2018

Why is this closed?

@petrus-jvrensburg
Contributor

@jxltom let me re-open it. Are you working on a fix? A pull-request would be great!

@jxltom
Contributor

jxltom commented Oct 23, 2018

Probably it will be better to keep this open since it is not solved and then someone may fix this. 😄

I can't guarantee the PR but I will try to do that since CSP is important for security.

@nk9

nk9 commented Jun 5, 2019

A lot of the code which needs to be modified is in bootstrap2 and 3. What is the flask_admin policy on modifying vendor code?

@nk9

nk9 commented Jun 30, 2019

I can't guarantee I'll fix this, but I have done some amount of work on it so I can use it on my site. I am working toward a PR, we'll see. But it would be very helpful to get an answer about modifying upstream code which flask-admin has forked in its repo. @petrus-jvrensburg @mrjoes is there a policy on this? If it's not possible to change those, then there's little point in submitting a PR.

@petrus-jvrensburg
Contributor

Nope. Modifying the vendor code in this repo isn't a good idea. It would make it too difficult to update dependencies later.

I would suggest to either fork the project to maintain your own versions of the modified vendor code, or to implement some alternative template mode that doesn't rely on the problematic vendor code at all.

@nk9

nk9 commented Jul 1, 2019

Yeah, I've had to make my own fork. While I understand the reasons, that's unfortunate—it means Flask-Admin will be waiting for Bootstrap 5 to support CSPs. Still, there's non-vendor code to change, so this issue should remain open.

@dfeinzeig

anyone already have hashes handy to work around this?

@errorfourten

> anyone already have hashes handy to work around this?

For "return modelActions.execute('delete');", you can use 'sha256-ftmTNsdfRKq6ZNyHL+p7dI9xRqueDTpseN1IaUUgQW4='

For "return faHelpers.safeConfirm('Are you sure you want to delete this record?');", you can use 'sha256-gikCNhEl+fhjSb8779qEr3zNPPm8nyTyg8MPyBYs+Tw='

These are the only scripts I have found that needed hashing. Just leaving them here in case any future person needs them!
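The hash-source workaround mentioned in the opening post and the hand-computed hashes in the previous comment both come down to the same step: hashing the exact inline script body and listing the result in `script-src`. The following is an added example (not code from flask-admin or from anyone in this thread) that derives the hash-source for a rendered page and builds a policy without `'unsafe-inline'`. The function names, the `SAMPLE_PAGE` input (the tooltip snippet quoted above plus a constructed external script tag) and the policy shape are all assumptions of this example.

```python
import base64
import hashlib
import re

# Constructed sample input: the inline <script> body quoted in the opening
# post, plus one external script that a hash-source must NOT cover.
INLINE_SCRIPT_BODY = (
    "\n        (function($) {\n"
    "            $('[data-role=tooltip]').tooltip({\n"
    "                html: true,\n"
    "                placement: 'bottom'\n"
    "            });\n"
    "\n"
    "        })(jQuery);\n"
    "    "
)
SAMPLE_PAGE = (
    "<html><body>\n"
    '<script src="/admin/static/vendor/jquery.min.js"></script>\n'  # constructed path
    '<script language="javascript">' + INLINE_SCRIPT_BODY + "</script>\n"
    "</body></html>\n"
)

# Matches <script> elements that have no src attribute and captures their body.
_INLINE_SCRIPT_RE = re.compile(
    r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE
)


def csp_hash_source(source: str, algorithm: str = "sha256") -> str:
    """Return the CSP hash-source expression ('sha256-<base64>') for a script body.

    The digest covers exactly the bytes between <script> and </script>,
    leading and trailing whitespace included, so the input must match the
    rendered template byte for byte or the browser will block the script.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only accepts sha256, sha384 or sha512 hash-sources")
    digest = hashlib.new(algorithm, source.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def extract_inline_scripts(html: str) -> list[str]:
    """Return the bodies of every <script> without a src attribute, in page order."""
    return _INLINE_SCRIPT_RE.findall(html)


def build_policy(script_hashes: list[str]) -> str:
    """Build a policy allowing same-origin scripts plus the hashed inline ones.

    'unsafe-inline' is deliberately absent: once a hash-source is present,
    browsers ignore it anyway, and leaving it out is the whole point.
    """
    script_src = " ".join(["'self'", *script_hashes])
    return (
        f"default-src 'self'; script-src {script_src}; "
        "object-src 'none'; base-uri 'self'"
    )


def csp_header_for_page(html: str) -> tuple[str, str]:
    """Return the (header name, header value) pair for a rendered HTML page."""
    hashes = sorted({csp_hash_source(body) for body in extract_inline_scripts(html)})
    return "Content-Security-Policy", build_policy(hashes)


if __name__ == "__main__":
    name, value = csp_header_for_page(SAMPLE_PAGE)
    print(f"{name}: {value}")
```

In a Flask application this would sit in an `after_request` hook that reads the response body for `text/html` responses; because hashing per request costs more than minting a nonce, hash-sources fit best when the set of inline snippets is fixed, as it is with vendored templates. Two caveats matter in practice: any change to the template whitespace invalidates the hash, which is why hand-copied hashes such as the ones in the previous comment drift between flask-admin versions; and the two values posted there are for inline `onclick` handlers rather than `<script>` bodies, which CSP level 3 only honours when `'unsafe-hashes'` is also present in `script-src`.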

@samuelhwilliams
Contributor

Thanks for reporting this issue. As there are a few issues open on the topic of CSP, I'm go to close this one in favour of #2344, so that we can keep conversation in one place.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 22, 2024