From 23fc6286def2a38972d1e01e0b1fe63e6e4e247b Mon Sep 17 00:00:00 2001 From: "Benjamin W. Broersma" Date: Sat, 30 Nov 2024 16:38:46 +0100 Subject: [PATCH] Removed django-csp, CSP now via nginx CSP fix for #1214. --- docker/batch-test.env | 1 - docker/defaults.env | 1 - docker/develop.env | 1 - docker/docker-compose.yml | 1 - docker/host-dist.env | 1 - docker/test.env | 1 - docker/webserver/all.headers | 1 + docker/webserver/nginx_templates/app.conf.template | 7 ------- docker/webserver/nginx_templates/csp.header.template | 1 + internetnl/internet.nl.dist.env | 1 - internetnl/settings.py | 4 ---- requirements.in | 1 - requirements.txt | 3 --- 13 files changed, 2 insertions(+), 22 deletions(-) create mode 100644 docker/webserver/nginx_templates/csp.header.template diff --git a/docker/batch-test.env b/docker/batch-test.env index c565a1148..adde46eee 100644 --- a/docker/batch-test.env +++ b/docker/batch-test.env @@ -72,7 +72,6 @@ INTERNETNL_CACHE_RESET_ALLOWLIST=target.test # allow localhost for healthchecks, the public domain for the app and it's subdomains for connection tests ALLOWED_HOSTS=127.0.0.1,::1,localhost,.internet.test,internet.test -CSP_DEFAULT_SRC="'self',*.internet.test" IPV6_TEST_ADDR=fd00:43:1::100 CONN_TEST_DOMAIN=internet.test diff --git a/docker/defaults.env b/docker/defaults.env index f2ddbd85c..3ef7fc15d 100644 --- a/docker/defaults.env +++ b/docker/defaults.env @@ -158,7 +158,6 @@ POSTGRES_DB=internetnl_db1 # allow localhost for healthchecks, the public domain for the app and it's subdomains for connection tests ALLOWED_HOSTS=127.0.0.1,::1,localhost,.internet.nl,internet.nl,host.docker.internal -CSP_DEFAULT_SRC="'self',*.internet.nl" # to low of an interval burdens the services, to high causes slow compose up/restarts HEALTHCHECK_INTERVAL=60s diff --git a/docker/develop.env b/docker/develop.env index 6d46109da..e435c4aed 100644 --- a/docker/develop.env +++ b/docker/develop.env 
@@ -30,7 +30,6 @@ INTERNETNL_CACHE_TTL=30 # allow localhost for healthchecks, the public domain for the app and it's subdomains for connection tests ALLOWED_HOSTS=127.0.0.1,::1,localhost,.internet.test,internet.test,host.docker.internal,host-gateway -CSP_DEFAULT_SRC="'self',*.internet.test" # domainname used for connection test CONN_TEST_DOMAIN=internet.test diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index ce2d1b2ae..b4b90b3d2 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -150,7 +150,6 @@ services: - CONN_TEST_DOMAIN - SMTP_EHLO_DOMAIN - IPV6_TEST_ADDR - - CSP_DEFAULT_SRC - IPV4_IP_RESOLVER_INTERNAL_VALIDATING - IPV4_IP_RESOLVER_INTERNAL_PERMISSIVE - SENTRY_DSN diff --git a/docker/host-dist.env b/docker/host-dist.env index 86f76962a..bba3f5710 100644 --- a/docker/host-dist.env +++ b/docker/host-dist.env @@ -12,7 +12,6 @@ IPV6_IP_PUBLIC=$IPV6_IP_PUBLIC IPV4_IP_PUBLIC=$IPV4_IP_PUBLIC ALLOWED_HOSTS=127.0.0.1,::1,localhost,.$INTERNETNL_DOMAINNAME,$INTERNETNL_DOMAINNAME -CSP_DEFAULT_SRC="'self',https://*.$INTERNETNL_DOMAINNAME" MATOMO_SUBDOMAIN_TRACKING=*.$INTERNETNL_DOMAINNAME diff --git a/docker/test.env b/docker/test.env index 65e421622..7f9097993 100644 --- a/docker/test.env +++ b/docker/test.env @@ -69,7 +69,6 @@ INTERNETNL_CACHE_RESET_ALLOWLIST=target.test # allow localhost for healthchecks, the public domain for the app and it's subdomains for connection tests ALLOWED_HOSTS=127.0.0.1,::1,localhost,.internet.test,internet.test -CSP_DEFAULT_SRC="'self',*.internet.test" IPV6_TEST_ADDR=fd00:43:1::100 CONN_TEST_DOMAIN=internet.test diff --git a/docker/webserver/all.headers b/docker/webserver/all.headers index 77e4349a8..27880a705 100644 --- a/docker/webserver/all.headers +++ b/docker/webserver/all.headers @@ -1,2 +1,3 @@ include http.headers; include hsts.header; +include conf.d/csp.header; 
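Review bot: The added `include conf.d/csp.header;` carries a `conf.d/` prefix while the sibling includes `http.headers` and `hsts.header` are bare, and nothing on the line says why; presumably the file is produced from `docker/webserver/nginx_templates/csp.header.template` by the image's envsubst step at container start, which writes its output into `conf.d/`. A one-line comment above the include would save the next reader the search, e.g. `# rendered from nginx_templates/csp.header.template at container start (envsubst), hence the conf.d/ prefix`. The rendered name ends in `.header` rather than `.conf`, so a stock `include conf.d/*.conf;` should not pull it in a second time, but that depends on the webserver's nginx.conf, which is outside this diff.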
diff --git a/docker/webserver/nginx_templates/app.conf.template b/docker/webserver/nginx_templates/app.conf.template index 6ec09a8a7..4459a0f04 100644 --- a/docker/webserver/nginx_templates/app.conf.template +++ b/docker/webserver/nginx_templates/app.conf.template @@ -77,9 +77,6 @@ server { # pass host for Django's allowed_hosts proxy_set_header Host $host; - # disable CSP on connection test - proxy_hide_header Content-Security-Policy; - proxy_pass http://${IPV4_IP_APP_INTERNAL}:8080; } @@ -117,9 +114,6 @@ server { # pass host for Django's allowed_hosts proxy_set_header Host $host; - # disable CSP on connection test - proxy_hide_header Content-Security-Policy; - proxy_pass http://${IPV4_IP_APP_INTERNAL}:8080; } } @@ -141,7 +135,6 @@ server { } include all.headers; - add_header 'Content-Security-Policy' "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'" always; # redirect to no-www domainname location ~ /(.*) { diff --git a/docker/webserver/nginx_templates/csp.header.template b/docker/webserver/nginx_templates/csp.header.template new file mode 100644 index 000000000..33743270c --- /dev/null +++ b/docker/webserver/nginx_templates/csp.header.template @@ -0,0 +1 @@ +add_header 'Content-Security-Policy' "base-uri 'self' https://*.${INTERNETNL_DOMAINNAME}; form-action 'self' https://*.${INTERNETNL_DOMAINNAME}; frame-ancestors 'none'; default-src 'self' https://*.${INTERNETNL_DOMAINNAME}"; diff --git a/internetnl/internet.nl.dist.env b/internetnl/internet.nl.dist.env index 102578446..b771d077b 100644 --- a/internetnl/internet.nl.dist.env +++ b/internetnl/internet.nl.dist.env @@ -27,7 +27,6 @@ export ADMIN_EMAIL=django@internet.nl ### String, e-mail address export SERVER_EMAIL=django@internet.nl ### CSV String -export CSP_DEFAULT_SRC='self',https://*.internet.nl ### CSV String export INTERNAL_IPS="localhost,127.0.0.1" ### String diff --git a/internetnl/settings.py b/internetnl/settings.py index f2358ee57..331aed486 100644 
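Review bot: The new `add_header 'Content-Security-Policy' "...";` in csp.header.template drops the `always` flag that the removed add_header in app.conf.template carried, so nginx now emits the CSP only on 2xx/3xx responses and error pages proxied back from Django (4xx/5xx) go out without one; append `always` before the terminating `;`, i.e. `add_header 'Content-Security-Policy' "...same policy..." always;`. Since all.headers is now the only source of this header, any location in app.conf.template that declares its own `add_header` silently stops inheriting the CSP (nginx discards higher-level add_header directives when a lower level defines any); those locations lie outside the hunks, so they should be checked. The removed env values for the test stacks used `*.internet.test` with no scheme, whereas the template hardcodes `https://*.${INTERNETNL_DOMAINNAME}`, so if the dev/test stacks serve anything from a subdomain over plain http it is now blocked.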
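Review bot: Removing `export CSP_DEFAULT_SRC=...` in internet.nl.dist.env leaves its `### CSV String` type comment behind, so the new side now reads `### CSV String` twice in a row above `export INTERNAL_IPS`. The surrounding block pairs one `### ...` comment with one export, so the stray line reads as documentation for a setting that no longer exists; drop the orphaned comment line together with the variable.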
--- a/internetnl/settings.py +++ b/internetnl/settings.py @@ -50,8 +50,6 @@ ADMIN_NAME = getenv("ADMIN_NAME", "Administrator") ADMIN_EMAIL = getenv("ADMIN_EMAIL", "Administrator") SERVER_EMAIL = getenv("SERVER_EMAIL", "django@internet.nl") -CSP_DEFAULT_SRC = split_csv_trim(getenv("CSP_DEFAULT_SRC", "'self',*.internet.nl")) -CSP_BASE_URI = CSP_FORM_ACTION = CSP_DEFAULT_SRC INTERNAL_IPS = split_csv_trim(getenv("INTERNAL_IPS", "")) TIME_ZONE = getenv("TIME_ZONE", "UTC") @@ -186,11 +184,9 @@ "django.contrib.messages.middleware.MessageMiddleware", "django_hosts.middleware.HostsResponseMiddleware", "internetnl.custom_middlewares.ActivateTranslationMiddleware", - "csp.middleware.CSPMiddleware", ] ADMINS = ((ADMIN_NAME, ADMIN_EMAIL),) -CSP_FRAME_ANCESTORS = "'none'" ROOT_URLCONF = "internetnl.urls" ROOT_HOSTCONF = "internetnl.hosts" DEFAULT_HOST = "www" diff --git a/requirements.in b/requirements.in index 422b37a30..cd5492803 100644 --- a/requirements.in +++ b/requirements.in @@ -14,7 +14,6 @@ setuptools-rust beautifulsoup4 cryptography<39.0.0 django-bleach<3 # 3 and up has no Python 3.7 support -django-csp django-enumfields django-hosts django-markdown_deux diff --git a/requirements.txt b/requirements.txt index 3de6e8ca2..b5f438298 100644 --- a/requirements.txt +++ b/requirements.txt @@ -62,12 +62,9 @@ django==4.2.15 # via # -r requirements.in # django-bleach - # django-csp # django-redis django-bleach==2.0.0 # via -r requirements.in -django-csp==3.7 - # via -r requirements.in django-enumfields==2.1.1 # via -r requirements.in django-hosts==5.2
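Review bot: With `"csp.middleware.CSPMiddleware"` and the `CSP_*` settings removed, nothing in the Django stack emits a Content-Security-Policy any more; that is the intent of the commit, but the MIDDLEWARE list gives no hint of it, and any deployment that reaches the app without the docker webserver in front (it listens on 8080 behind `proxy_pass` per app.conf.template, or a local runserver) now gets no CSP at all. A short comment where the middleware entry was would make the dependency explicit: `# No CSP middleware: the Content-Security-Policy header is set by the nginx webserver (docker/webserver/nginx_templates/csp.header.template).` If any template or view still references django-csp (for example a csp_nonce tag) it would now fail at load or render time; the templates are not in this diff, so that is worth a grep before merging.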