Introduce a strict Content-Security-Policy

Makefile

@@ -474,7 +474,7 @@ ui-release: ui-devel
 ui-devel: awx/ui_next/node_modules
 	$(NPM_BIN) --prefix awx/ui_next run extract-strings
 	$(NPM_BIN) --prefix awx/ui_next run compile-strings
-	$(NPM_BIN) --prefix awx/ui_next run build
+	INLINE_RUNTIME_CHUNK=false $(NPM_BIN) --prefix awx/ui_next run build
 	git checkout awx/ui_next/src/locales
 	mkdir -p awx/public/static/css
 	mkdir -p awx/public/static/js

awx/settings/defaults.py

@@ -248,6 +248,7 @@ TEMPLATES = [
                 'django.template.context_processors.static',
                 'django.template.context_processors.tz',
                 'django.contrib.messages.context_processors.messages',
+                'awx.ui.context_processors.csp',
                 'social_django.context_processors.backends',
                 'social_django.context_processors.login_redirect',
             ],

awx/ui/context_processors.py

@@ -0,0 +1,8 @@
+import base64
+import os
+
+
+def csp(request):
+    return {
+        'csp_nonce': base64.encodebytes(os.urandom(32)).decode().rstrip(),
+    }

awx/ui_next/public/index.html

@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <html lang="en">
   <head>
+    <script nonce="{{csp_nonce}}" type="text/javascript">window.NONCE_ID = '{{csp_nonce}}';</script>
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <meta name="theme-color" content="#000000" />
@@ -8,6 +9,7 @@
       name="description"
       content="AWX"
     />
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'nonce-{{csp_nonce}}' *.pendo.io; script-src 'self' 'nonce-{{csp_nonce}}' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/">
     <title>AWX</title>
   </head>
   <body>

awx/ui_next/src/index.jsx

@@ -1,5 +1,6 @@
 import React from 'react';
 import ReactDOM from 'react-dom';
+import './nonce';
 import '@patternfly/react-core/dist/styles/base.css';
 import App from './App';
 import { BrandName } from './variables';

awx/ui_next/src/nonce.js

@@ -0,0 +1,5 @@
+/* global __webpack_nonce__ */ // eslint-disable-line no-unused-vars
+
+// CSP: Set a special variable to add `nonce` attributes to all styles/script tags
+// See https://github.com/webpack/webpack/pull/3210
+__webpack_nonce__ = window.NONCE_ID; // eslint-disable-line no-global-assign, camelcase

installer/roles/kubernetes/templates/configmap.yml.j2

@@ -69,8 +69,6 @@ data:
 
             # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
             add_header Strict-Transport-Security max-age=15768000;
-            add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
-            add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
 
             # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
             add_header X-Frame-Options "DENY";

installer/roles/local_docker/templates/nginx.conf.j2

@@ -67,8 +67,6 @@ http {
 
         # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
         add_header Strict-Transport-Security max-age=15768000;
-        add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
-        add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
 
         # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
         add_header X-Frame-Options "DENY";

tools/docker-compose/nginx.vh.default.conf

@@ -22,8 +22,6 @@ server {
 
     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
     add_header Strict-Transport-Security max-age=15768000;
-    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
-    add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
 
     location /static/ {
         root /awx_devel;
@@ -84,8 +82,6 @@ server {
 
     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
     add_header Strict-Transport-Security max-age=15768000;
-    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
-    add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
 
     location /static/ {
         root /awx_devel;