Django, Content Security Policy directive

I am trying to import font-awesome into my app using the following:

<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" type="text/css">

This returns the following error in the JS console:

Refused to load the stylesheet 'http://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".

The Django app is a djangae (Django + GoogleAppEngine) example app which I am using as a starting point for what I want to make. https://github.com/davide-ceretti/googleappengine-djangae-blog.

The import happens in base.html. How can I fix this? I assume it's a setting, but I can't track it down.

P.S. I get the same error for another import:

<link href='http://fonts.googleapis.com/css?family=Lora:400,700,400italic,700italic' rel='stylesheet' type='text/css'>

Giannis asked Jul 26 '15 09:07


3 Answers

Protecting a Django app with a Content Security Policy is pretty straightforward, and in your case the header should look something like this:

Content-Security-Policy: default-src 'none'; script-src 'self' www.google-analytics.com; connect-src 'self'; img-src 'self' www.google-analytics.com; style-src 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com;

  1. pip install django-csp
  2. adjust your project's settings module to add the "django-csp" middleware to your middleware classes
  3. add the above CSP header

Some more resources:

http://django-csp.readthedocs.io/en/latest/

https://www.templarbit.com/blog/2018/06/14/content-security-policy-with-django

Bjoern Zinssmeister answered Nov 16 '22 04:11


Add this to your settings.py:

# Keep our policy as strict as possible
CSP_DEFAULT_SRC = ("'none'",)
CSP_STYLE_SRC = ("'self'", 'fonts.googleapis.com')
CSP_SCRIPT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'", 'fonts.gstatic.com')
CSP_IMG_SRC = ("'self'",)

And have a look at http://www.w3.org/TR/CSP/

iago1460 answered Nov 16 '22 03:11
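The header in the first answer and the settings in the second both allow fonts.googleapis.com, but neither lists maxcdn.bootstrapcdn.com, so the font-awesome link from the question would still be refused; and since font-awesome.min.css fetches its web fonts from that same host, the host has to appear in font-src as well as style-src. The Python below is an added example, not code from the question's project, from django-csp or from either answer: it implements the source-expression matching a browser applies to a CSP directive ('none', 'self', scheme-source and host-source, with default-src fallback; nonces and hashes are left out) and a helper that renders django-csp style CSP_*_SRC tuples into a header value. The page origin http://localhost:8000/, the extra maxcdn.bootstrapcdn.com entries, and the assumption that build_header mirrors django-csp's output format are mine, not the page's.

```python
from urllib.parse import urljoin, urlsplit

# Constructed page origin for the examples; the question does not say where
# the app was served from, so a local dev server is assumed.
PAGE_ORIGIN = "http://localhost:8000/"
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_matches(pattern, host):
    """Host part of a host-source: exact, '*' or a '*.' wildcard prefix."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.example.com matches a.example.com only
    return pattern == host


def source_matches(expr, url, page_origin=PAGE_ORIGIN):
    """Does one CSP source expression match `url` fetched from `page_origin`?"""
    page = urlsplit(page_origin)
    target = urlsplit(urljoin(page_origin, url))  # resolves //host/... and /relative
    target_port = target.port or DEFAULT_PORTS.get(target.scheme)
    if expr == "'none'":
        return False
    if expr == "'self'":
        page_port = page.port or DEFAULT_PORTS.get(page.scheme)
        return (target.scheme, target.hostname, target_port) == (page.scheme, page.hostname, page_port)
    if expr.startswith("'"):
        return False  # 'unsafe-inline', nonces, hashes never match a URL
    if expr.endswith(":") and "/" not in expr:
        return target.scheme == expr[:-1].lower()  # scheme-source, e.g. https:
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme:
        if target.scheme != scheme.lower():
            return False
    elif target.scheme != page.scheme and not (page.scheme == "http" and target.scheme == "https"):
        return False  # scheme-less source inherits the page scheme (http may upgrade to https)
    if not _host_matches(host, target.hostname or ""):
        return False
    if port and port != "*" and target_port != int(port):
        return False
    if not port and target_port != DEFAULT_PORTS.get(target.scheme):
        return False  # no port in the source means the scheme's default port only
    if path:
        path = "/" + path
        return target.path.startswith(path) if path.endswith("/") else target.path == path
    return True


def policy_allows(header, directive, url, page_origin=PAGE_ORIGIN):
    """Would a browser enforcing `header` let `directive` load `url`?"""
    policy = parse_policy(header)
    sources = policy.get(directive, policy.get("default-src"))  # default-src fallback
    if sources is None:
        return True  # no governing directive at all: nothing is restricted
    return any(source_matches(s, url, page_origin) for s in sources)


def build_header(settings):
    """Render django-csp style CSP_<DIRECTIVE>_SRC tuples into a header value.
    Assumption: this mirrors the 'directive src src; ...' text django-csp emits."""
    parts = []
    for name, sources in settings.items():
        directive = name[len("CSP_"):].lower().replace("_", "-")
        parts.append(directive + " " + " ".join(sources))
    return "; ".join(parts)


# The two URLs from the question, the policy its app was sending, and the
# policy from the answers (as rendered from the second answer's settings).
FONT_AWESOME = "//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css"
LORA = "http://fonts.googleapis.com/css?family=Lora:400,700,400italic,700italic"
ORIGINAL = "style-src 'self' 'unsafe-inline'"
ANSWER = "default-src 'none'; style-src 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com"
# Same settings with the CDN host added (my addition, not the answer's).
FIXED = build_header({
    "CSP_DEFAULT_SRC": ("'none'",),
    "CSP_STYLE_SRC": ("'self'", "fonts.googleapis.com", "maxcdn.bootstrapcdn.com"),
    "CSP_SCRIPT_SRC": ("'self'",),
    "CSP_FONT_SRC": ("'self'", "fonts.gstatic.com", "maxcdn.bootstrapcdn.com"),
    "CSP_IMG_SRC": ("'self'",),
})

if __name__ == "__main__":
    for label, header in (("original", ORIGINAL), ("answer", ANSWER), ("fixed", FIXED)):
        for url in (FONT_AWESOME, LORA):
            print(f"{label:8} style-src {url}: {policy_allows(header, 'style-src', url)}")
```

Run as a script it prints one line per policy and URL: the original policy refuses both stylesheets, the answers' policy accepts the Google Fonts one but still refuses the bootstrapcdn one, and only the version with the CDN host added accepts both. Use the matcher to sanity-check a policy before shipping it; the real header should still be emitted by django-csp's middleware rather than hand-built.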


That is from the browser in HTML5. Here's a good article on how to fix it in your headers:

http://www.html5rocks.com/en/tutorials/security/content-security-policy/

There's also a Django app for handling this header:

http://django-csp.readthedocs.org/en/latest/configuration.html

Good luck!

FlipperPA answered Nov 16 '22 03:11