External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-18 17:37:30 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4167 from ryanpetrello/csp

Browse Source 
add a reasonable default Content Security Policy

Reviewed-by: https://github.com/softwarefactory-project-zuul[bot]
This commit is contained in:
softwarefactory-project-zuul[bot]
2019-06-26 20:21:20 +00:00
committed by GitHub
parent 273415b9aa eacf819caf
commit 5c338e582a
4 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
awx/main/views.py
View File

@@ -1,14 +1,20 @@
# Copyright (c) 2015 Ansible, Inc. # Copyright (c) 2015 Ansible, Inc.
# All Rights Reserved. # All Rights Reserved.
import json
# Django # Django
from django.http import HttpResponse
from django.shortcuts import render from django.shortcuts import render
from django.utils.html import format_html from django.utils.html import format_html
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from django.views.decorators.csrf import csrf_exempt
# Django REST Framework # Django REST Framework
from rest_framework import exceptions, permissions, views from rest_framework import exceptions, permissions, views
import logging
def _force_raising_exception(view_obj, request, format=None): def _force_raising_exception(view_obj, request, format=None):
raise view_obj.exception_class() raise view_obj.exception_class()
@@ -84,3 +90,10 @@ def handle_500(request):
'content': _('A server error has occurred.'), 'content': _('A server error has occurred.'),
} }
return handle_error(request, 500, **kwargs) return handle_error(request, 500, **kwargs)
@csrf_exempt
def handle_csp_violation(request):
logger = logging.getLogger('awx')
logger.error(json.loads(request.body))
return HttpResponse(content=None)

2
awx/urls.py
View File

@@ -8,6 +8,7 @@ from awx.main.views import (
handle_403, handle_403,
handle_404, handle_404,
handle_500, handle_500,
handle_csp_violation,
) )
@@ -20,6 +21,7 @@ urlpatterns = [
url(r'^(?:api/)?403.html$', handle_403), url(r'^(?:api/)?403.html$', handle_403),
url(r'^(?:api/)?404.html$', handle_404), url(r'^(?:api/)?404.html$', handle_404),
url(r'^(?:api/)?500.html$', handle_500), url(r'^(?:api/)?500.html$', handle_500),
url(r'^csp-violation/', handle_csp_violation),
] ]
if settings.SETTINGS_MODULE == 'awx.settings.development': if settings.SETTINGS_MODULE == 'awx.settings.development':

2
installer/roles/image_build/templates/nginx.conf.j2
View File

@@ -61,6 +61,8 @@ http {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security max-age=15768000;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
add_header X-Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY"; add_header X-Frame-Options "DENY";

4
tools/docker-compose/nginx.vh.default.conf
View File

@@ -22,6 +22,8 @@ server {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security max-age=15768000;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
add_header X-Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
location /static/ { location /static/ {
root /awx_devel; root /awx_devel;
@@ -82,6 +84,8 @@ server {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security max-age=15768000;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
add_header X-Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
location /static/ { location /static/ {
root /awx_devel; root /awx_devel;