Removed django-csp, CSP now via nginx

CSP fix for #1214.

docker/batch-test.env

@@ -72,7 +72,6 @@ INTERNETNL_CACHE_RESET_ALLOWLIST=target.test
 
 # allow localhost for healthchecks, the public domain for the app and it's subdomains for connection tests
 ALLOWED_HOSTS=127.0.0.1,::1,localhost,.internet.test,internet.test
-CSP_DEFAULT_SRC="'self',*.internet.test"
 
 IPV6_TEST_ADDR=fd00:43:1::100
 CONN_TEST_DOMAIN=internet.test

docker/defaults.env

@@ -158,7 +158,6 @@ POSTGRES_DB=internetnl_db1
 
 # allow localhost for healthchecks, the public domain for the app and it's subdomains for connection tests
 ALLOWED_HOSTS=127.0.0.1,::1,localhost,.internet.nl,internet.nl,host.docker.internal
-CSP_DEFAULT_SRC="'self',*.internet.nl"
 
 # to low of an interval burdens the services, to high causes slow compose up/restarts
 HEALTHCHECK_INTERVAL=60s

docker/develop.env

@@ -30,7 +30,6 @@ INTERNETNL_CACHE_TTL=30
 
 # allow localhost for healthchecks, the public domain for the app and it's subdomains for connection tests
 ALLOWED_HOSTS=127.0.0.1,::1,localhost,.internet.test,internet.test,host.docker.internal,host-gateway
-CSP_DEFAULT_SRC="'self',*.internet.test"
 
 # domainname used for connection test
 CONN_TEST_DOMAIN=internet.test

docker/docker-compose.yml

@@ -150,7 +150,6 @@ services:
       - CONN_TEST_DOMAIN
       - SMTP_EHLO_DOMAIN
       - IPV6_TEST_ADDR
-      - CSP_DEFAULT_SRC
       - IPV4_IP_RESOLVER_INTERNAL_VALIDATING
       - IPV4_IP_RESOLVER_INTERNAL_PERMISSIVE
       - SENTRY_DSN

docker/host-dist.env

@@ -12,7 +12,6 @@ IPV6_IP_PUBLIC=$IPV6_IP_PUBLIC
 IPV4_IP_PUBLIC=$IPV4_IP_PUBLIC
 
 ALLOWED_HOSTS=127.0.0.1,::1,localhost,.$INTERNETNL_DOMAINNAME,$INTERNETNL_DOMAINNAME
-CSP_DEFAULT_SRC="'self',https://*.$INTERNETNL_DOMAINNAME"
 
 MATOMO_SUBDOMAIN_TRACKING=*.$INTERNETNL_DOMAINNAME
 

docker/test.env

@@ -69,7 +69,6 @@ INTERNETNL_CACHE_RESET_ALLOWLIST=target.test
 
 # allow localhost for healthchecks, the public domain for the app and it's subdomains for connection tests
 ALLOWED_HOSTS=127.0.0.1,::1,localhost,.internet.test,internet.test
-CSP_DEFAULT_SRC="'self',*.internet.test"
 
 IPV6_TEST_ADDR=fd00:43:1::100
 CONN_TEST_DOMAIN=internet.test

docker/webserver/all.headers

@@ -1,2 +1,3 @@
 include http.headers;
 include hsts.header;
+include conf.d/csp.header;

docker/webserver/nginx_templates/app.conf.template

@@ -77,9 +77,6 @@ server {
       # pass host for Django's allowed_hosts
       proxy_set_header Host $host;
 
-      # disable CSP on connection test
-      proxy_hide_header Content-Security-Policy;
-
       proxy_pass http://${IPV4_IP_APP_INTERNAL}:8080;
     }
 
@@ -117,9 +114,6 @@ server {
       # pass host for Django's allowed_hosts
       proxy_set_header Host $host;
 
-      # disable CSP on connection test
-      proxy_hide_header Content-Security-Policy;
-
       proxy_pass http://${IPV4_IP_APP_INTERNAL}:8080;
     }
 }
@@ -141,7 +135,6 @@ server {
     }
 
     include all.headers;
-    add_header 'Content-Security-Policy' "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'" always;
 
     # redirect to no-www domainname
     location ~ /(.*) {

docker/webserver/nginx_templates/csp.header.template

@@ -0,0 +1 @@
+add_header 'Content-Security-Policy' "base-uri 'self' https://*.${INTERNETNL_DOMAINNAME}; form-action 'self' https://*.${INTERNETNL_DOMAINNAME}; frame-ancestors 'none'; default-src 'self' https://*.${INTERNETNL_DOMAINNAME}";

internetnl/internet.nl.dist.env

@@ -27,7 +27,6 @@ export [email protected]
 ### String, e-mail address
 export SERVER_EMAIL=[email protected]
 ### CSV String
-export CSP_DEFAULT_SRC='self',https://*.internet.nl
 ### CSV String
 export INTERNAL_IPS="localhost,127.0.0.1"
 ### String

internetnl/settings.py

@@ -50,8 +50,6 @@
 ADMIN_NAME = getenv("ADMIN_NAME", "Administrator")
 ADMIN_EMAIL = getenv("ADMIN_EMAIL", "Administrator")
 SERVER_EMAIL = getenv("SERVER_EMAIL", "[email protected]")
-CSP_DEFAULT_SRC = split_csv_trim(getenv("CSP_DEFAULT_SRC", "'self',*.internet.nl"))
-CSP_BASE_URI = CSP_FORM_ACTION = CSP_DEFAULT_SRC
 INTERNAL_IPS = split_csv_trim(getenv("INTERNAL_IPS", ""))
 TIME_ZONE = getenv("TIME_ZONE", "UTC")
 
@@ -186,11 +184,9 @@
     "django.contrib.messages.middleware.MessageMiddleware",
     "django_hosts.middleware.HostsResponseMiddleware",
     "internetnl.custom_middlewares.ActivateTranslationMiddleware",
-    "csp.middleware.CSPMiddleware",
 ]
 
 ADMINS = ((ADMIN_NAME, ADMIN_EMAIL),)
-CSP_FRAME_ANCESTORS = "'none'"
 ROOT_URLCONF = "internetnl.urls"
 ROOT_HOSTCONF = "internetnl.hosts"
 DEFAULT_HOST = "www"

requirements.in

@@ -14,7 +14,6 @@ setuptools-rust
 beautifulsoup4
 cryptography<39.0.0
 django-bleach<3  # 3 and up has no Python 3.7 support
-django-csp
 django-enumfields
 django-hosts
 django-markdown_deux

requirements.txt

@@ -62,12 +62,9 @@ django==4.2.15
     # via
     #   -r requirements.in
     #   django-bleach
-    #   django-csp
     #   django-redis
 django-bleach==2.0.0
     # via -r requirements.in
-django-csp==3.7
-    # via -r requirements.in
 django-enumfields==2.1.1
     # via -r requirements.in
 django-hosts==5.2