Merge pull request #4167 from ryanpetrello/csp

add a reasonable default Content Security Policy

Reviewed-by: https://github.com/softwarefactory-project-zuul[bot]
softwarefactory-project-zuul[bot] 2019-06-26 20:21:20 +00:00 committed by GitHub
commit 5c338e582a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 0 deletions


@ -1,14 +1,20 @@
# Copyright (c) 2015 Ansible, Inc.
# All Rights Reserved.
import json
# Django
from django.http import HttpResponse
from django.shortcuts import render
from django.utils.html import format_html
from django.utils.translation import ugettext_lazy as _
from django.views.decorators.csrf import csrf_exempt
# Django REST Framework
from rest_framework import exceptions, permissions, views
import logging
def _force_raising_exception(view_obj, request, format=None):
raise view_obj.exception_class()
@ -84,3 +90,10 @@ def handle_500(request):
'content': _('A server error has occurred.'),
}
return handle_error(request, 500, **kwargs)
@csrf_exempt
def handle_csp_violation(request):
logger = logging.getLogger('awx')
logger.error(json.loads(request.body))
return HttpResponse(content=None)
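Review bot: handle_csp_violation calls `json.loads(request.body)` on an unauthenticated, CSRF-exempt endpoint with no error handling, so a malformed or empty body raises ValueError and surfaces as a 500; the view also accepts any HTTP method and answers 200 with an empty body where a report sink conventionally returns 204. Rejecting unparsable reports with 400, restricting the view to POST (`require_POST` from `django.views.decorators.http`) and returning 204 keeps the route from being a cheap way to generate server errors. The report content is client-controlled and is logged verbatim at error level, so log volume from this route is bounded only by Django's request-body size limit and whatever rate limiting the deployment applies in front of it. Separately, the first hunk places `import logging` after the rest_framework import while `import json` sits with the other stdlib imports; grouping both together would match the file's layout.
```python
@csrf_exempt
@require_POST
def handle_csp_violation(request):
    logger = logging.getLogger('awx')
    try:
        report = json.loads(request.body)
    except ValueError:
        # client-controlled body; a malformed report is a 400, not a server error
        return HttpResponse(status=400)
    logger.error(report)
    return HttpResponse(status=204)
```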


@ -8,6 +8,7 @@ from awx.main.views import (
handle_403,
handle_404,
handle_500,
handle_csp_violation,
)
@ -20,6 +21,7 @@ urlpatterns = [
url(r'^(?:api/)?403.html$', handle_403),
url(r'^(?:api/)?404.html$', handle_404),
url(r'^(?:api/)?500.html$', handle_500),
url(r'^csp-violation/', handle_csp_violation),
]
if settings.SETTINGS_MODULE == 'awx.settings.development':
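Review bot: The new route `url(r'^csp-violation/', handle_csp_violation)` is the only entry in this list without a `$` terminator, so it also matches any longer path that begins with `csp-violation/`; anchoring it as `url(r'^csp-violation/$', handle_csp_violation),` keeps it consistent with the 403/404/500 routes directly above it. The first hunk only adds the import and needs nothing further. The urlpatterns list begins outside the hunk.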


@ -61,6 +61,8 @@ http {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
add_header X-Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
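Review bot: The added Content-Security-Policy line allows `'unsafe-inline'` in script-src, which means injected inline script still executes and the header's main XSS benefit is not realised; a comment such as `# 'unsafe-inline' in script-src keeps inline scripts working but defeats the XSS value of CSP; revisit with nonces/hashes` would keep that trade-off visible to whoever tightens the policy later (the need for inline script is inferred from the directive itself). The X-Content-Security-Policy header on the following line is the legacy prefixed form that current browsers ignore, so it adds response bytes without adding protection and could be dropped or commented as deliberate legacy support. Since this block already sends X-Frame-Options DENY, adding `frame-ancestors 'none'` to the policy gives the CSP-native equivalent for browsers that honour it. The same header pair recurs in both hunks of the development server config further down this page.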


@ -22,6 +22,8 @@ server {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
add_header X-Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
location /static/ {
root /awx_devel;
@ -82,6 +84,8 @@ server {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
add_header X-Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
location /static/ {
root /awx_devel;
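Review bot: Both added Content-Security-Policy lines sit directly above a `location /static/ {` block, and in nginx an add_header declared inside a location replaces, rather than extends, the add_header set inherited from the enclosing server block; if either of those locations (their bodies are outside the hunk) declares its own add_header, static responses would be served without the CSP and HSTS headers. Worth confirming by checking the location bodies, or moving the security headers into an included snippet that each location also pulls in. The server blocks these hunks belong to start outside the hunk.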