add a reasonable default Content Security Policy

ideally we'd improve this over time to remove the `unsafe-inline` lines,
but we can't do that today because Angular1 makes use of a lot of
inline <script> and <style> tag generation

see: https://github.com/ansible/awx/issues/2056
This commit is contained in:
Ryan Petrello
2019-06-26 10:02:36 -04:00
parent e612a167e2
commit eacf819caf
4 changed files with 21 additions and 0 deletions


@@ -1,14 +1,20 @@
# Copyright (c) 2015 Ansible, Inc.
# All Rights Reserved.
import json
# Django
from django.http import HttpResponse
from django.shortcuts import render
from django.utils.html import format_html
from django.utils.translation import ugettext_lazy as _
from django.views.decorators.csrf import csrf_exempt
# Django REST Framework
from rest_framework import exceptions, permissions, views
import logging
def _force_raising_exception(view_obj, request, format=None):
raise view_obj.exception_class()
@@ -84,3 +90,10 @@ def handle_500(request):
'content': _('A server error has occurred.'),
}
return handle_error(request, 500, **kwargs)
@csrf_exempt
def handle_csp_violation(request):
logger = logging.getLogger('awx')
logger.error(json.loads(request.body))
return HttpResponse(content=None)
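Review bot: In handle_csp_violation, `json.loads(request.body)` runs on an unauthenticated, CSRF-exempt endpoint with no error handling, so any non-JSON body raises a JSONDecodeError (a ValueError subclass) and turns into a 500 from the very handler meant to receive browser reports. The decoded object is then passed whole to `logger.error`, so the content of that log line is entirely caller-controlled and bounded only by whatever Django's DATA_UPLOAD_MAX_MEMORY_SIZE permits. Catch the decode failure and answer 400 for malformed input, and consider logging only the `csp-report` member rather than the full document; a 204 on success would also be conventional, since the browser ignores the body, though that is a choice rather than a defect. The function also has no docstring; something like `"""Receive a browser CSP violation report (report-uri) and log it."""` would tie it to the policy header added elsewhere in this commit.
```python
@csrf_exempt
def handle_csp_violation(request):
    """Receive a browser CSP violation report (report-uri) and log it."""
    logger = logging.getLogger('awx')
    try:
        report = json.loads(request.body)
    except ValueError:
        # malformed or non-JSON body: reject it instead of raising a 500
        return HttpResponse(status=400)
    # log only the report object when the document has the expected shape
    if isinstance(report, dict):
        report = report.get('csp-report', report)
    logger.error(report)
    return HttpResponse(content=None)
```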