External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-29 06:45:09 -02:30
Code Issues Packages Projects Releases Wiki Activity

Add w3c-compliant reporting for CSP violations

Browse Source
This commit is contained in:
Jake McDermott
2020-12-07 07:22:45 -05:00
parent 12077627e4
commit 548ebd5999
2 changed files with 26 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
awx/ui_next/public/index.html
View File

@@ -7,7 +7,7 @@
</script> </script>
<meta <meta
http-equiv="Content-Security-Policy" http-equiv="Content-Security-Policy"
content="default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'nonce-{{ csp_nonce }}' *.pendo.io; script-src 'self' 'nonce-{{ csp_nonce }}' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/" content="default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'nonce-{{ csp_nonce }}' *.pendo.io; script-src 'self' 'nonce-{{ csp_nonce }}' *.pendo.io; img-src 'self' *.pendo.io data:;"
/> />
<% } %> <% } %>
<meta charset="utf-8" /> <meta charset="utf-8" />

25
awx/ui_next/src/setupCSP.js
View File

@@ -3,3 +3,28 @@
// Set a special variable to add `nonce` attributes to all styles/script tags // Set a special variable to add `nonce` attributes to all styles/script tags
// See https://github.com/webpack/webpack/pull/3210 // See https://github.com/webpack/webpack/pull/3210
__webpack_nonce__ = window.NONCE_ID; __webpack_nonce__ = window.NONCE_ID;
// Send report when a CSP violation occurs
// See: https://w3c.github.io/webappsec-csp/2/#violation-reports
// See: https://developer.mozilla.org/en-US/docs/Web/API/SecurityPolicyViolationEvent
document.addEventListener('securitypolicyviolation', e => {
const violation = {
'csp-report': {
'blocked-uri': e.blockedURI,
'document-uri': e.documentURI,
'effective-directive': e.effectiveDirective,
'original-policy': e.originalPolicy,
referrer: e.referrer,
'status-code': e.statusCode,
'violated-directive': e.violatedDirective,
},
};
if (e.sourceFile) violation['csp-report']['source-file'] = e.sourceFile;
if (e.lineNumber) violation['csp-report']['line-number'] = e.lineNumber;
if (e.columnNumber) violation['csp-report']['column-number'] = e.columnNumber;
const xhr = new XMLHttpRequest();
xhr.open('POST', '/csp-violation/', true);
xhr.setRequestHeader('content-type', 'application/csp-report');
xhr.send(JSON.stringify(violation));
});