-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | awx/settings/defaults.py | 1 | ||||
-rw-r--r-- | awx/ui/context_processors.py | 8 | ||||
-rw-r--r-- | awx/ui_next/public/index.html | 2 | ||||
-rw-r--r-- | awx/ui_next/src/index.jsx | 1 | ||||
-rw-r--r-- | awx/ui_next/src/nonce.js | 5 | ||||
-rw-r--r-- | installer/roles/kubernetes/templates/configmap.yml.j2 | 2 | ||||
-rw-r--r-- | installer/roles/local_docker/templates/nginx.conf.j2 | 2 | ||||
-rw-r--r-- | tools/docker-compose/nginx.vh.default.conf | 4 |
9 files changed, 18 insertions, 9 deletions
@@ -474,7 +474,7 @@ ui-release: ui-devel
ui-devel: awx/ui_next/node_modules
$(NPM_BIN) --prefix awx/ui_next run extract-strings
$(NPM_BIN) --prefix awx/ui_next run compile-strings
- $(NPM_BIN) --prefix awx/ui_next run build
+ INLINE_RUNTIME_CHUNK=false $(NPM_BIN) --prefix awx/ui_next run build
git checkout awx/ui_next/src/locales
mkdir -p awx/public/static/css
mkdir -p awx/public/static/js
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 6204486456..d47277eaed 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -248,6 +248,7 @@ TEMPLATES = [
'django.template.context_processors.static',
'django.template.context_processors.tz',
'django.contrib.messages.context_processors.messages',
+ 'awx.ui.context_processors.csp',
'social_django.context_processors.backends',
'social_django.context_processors.login_redirect',
],
diff --git a/awx/ui/context_processors.py b/awx/ui/context_processors.py
new file mode 100644
index 0000000000..87c071c285
--- /dev/null
+++ b/awx/ui/context_processors.py
@@ -0,0 +1,8 @@
+import base64
+import os
+
+
+def csp(request):
+ return {
+ 'csp_nonce': base64.encodebytes(os.urandom(32)).decode().rstrip(),
+ }
diff --git a/awx/ui_next/public/index.html b/awx/ui_next/public/index.html
index 2d7ff373b7..510accb63e 100644
--- a/awx/ui_next/public/index.html
+++ b/awx/ui_next/public/index.html
@@ -1,6 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head>
+ <script nonce="{{csp_nonce}}" type="text/javascript">window.NONCE_ID = '{{csp_nonce}}';</script>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="theme-color" content="#000000" />
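Review bot: The new `INLINE_RUNTIME_CHUNK=false` on the ui-devel build line carries no explanation, and it is exactly the kind of flag a later cleanup drops because nothing says it is load-bearing. Presumably it is the Create React App switch that stops the webpack runtime from being injected into index.html as an inline `<script>`, which the nonce-based CSP introduced elsewhere in this commit would block; please confirm that and say so in the recipe. Suggested comment directly above the build step: `# CSP: keep the webpack runtime as a separate file; an inlined runtime <script> has no nonce and is blocked`. The ui-devel recipe begins with the first context line of this hunk and continues past it.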
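Review bot: `base64.encodebytes` in the new `csp()` context processor is the line-wrapping encoder (a newline after every 76 output characters, i.e. every 57 input bytes), so the `.rstrip()` only works because 32 random bytes encode to a single 44-character line; the first person to bump the size past 57 bytes gets an embedded newline that `rstrip` does not remove and the browser rejects the nonce. Use the non-wrapping encoder instead: `'csp_nonce': base64.b64encode(os.urandom(32)).decode(),`. The function also needs a docstring saying that the value must be fresh and unpredictable for every response and that the template has to render the same value into both the policy and every nonced tag, which holds here only because Django runs a context processor once per RequestContext render; a sentence noting that `request` is unused but required by the context-processor signature would head off a "dead parameter" cleanup.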
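Review bot: The added bootstrap `<script>` publishes the nonce as `window.NONCE_ID`, a global that any script already executing on the page can read, and it is placed ahead of `<meta charset="utf-8" />`, which the HTML spec wants within the first 1024 bytes and which convention keeps as the first child of `<head>`. Exposing the nonce to trusted scripts is inherent to the `__webpack_nonce__` mechanism and acceptable, but it should be documented so nobody later copies the value into a `data-` attribute or another element whose attributes can be exfiltrated by CSS attribute selectors or dangling-markup injection. Suggested comment on the line: `<!-- hands the per-response CSP nonce to webpack via window.NONCE_ID (src/nonce.js); do not expose it anywhere else -->`, and move the `<script>` below the charset meta. The `<head>` element continues past the end of this hunk.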
@@ -8,6 +9,7 @@
name="description"
content="AWX"
/>
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'nonce-{{csp_nonce}}' *.pendo.io; script-src 'self' 'nonce-{{csp_nonce}}' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/">
<title>AWX</title>
</head>
<body>
diff --git a/awx/ui_next/src/index.jsx b/awx/ui_next/src/index.jsx
index ad616077ef..a5203370ab 100644
--- a/awx/ui_next/src/index.jsx
+++ b/awx/ui_next/src/index.jsx
@@ -1,5 +1,6 @@
import React from 'react';
import ReactDOM from 'react-dom';
+import './nonce';
import '@patternfly/react-core/dist/styles/base.css';
import App from './App';
import { BrandName } from './variables';
diff --git a/awx/ui_next/src/nonce.js b/awx/ui_next/src/nonce.js
new file mode 100644
index 0000000000..81fed45c6d
--- /dev/null
+++ b/awx/ui_next/src/nonce.js
@@ -0,0 +1,5 @@
+/* global __webpack_nonce__ */ // eslint-disable-line no-unused-vars
+
+// CSP: Set a special variable to add `nonce` attributes to all styles/script tags
+// See https://github.com/webpack/webpack/pull/3210
+__webpack_nonce__ = window.NONCE_ID; // eslint-disable-line no-global-assign, camelcase
diff --git a/installer/roles/kubernetes/templates/configmap.yml.j2 b/installer/roles/kubernetes/templates/configmap.yml.j2
index b7553811c1..b239b96783 100644
--- a/installer/roles/kubernetes/templates/configmap.yml.j2
+++ b/installer/roles/kubernetes/templates/configmap.yml.j2
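Review bot: `report-uri /csp-violation/` in the new `<meta http-equiv="Content-Security-Policy">` is ignored by browsers — the CSP specification only honours `report-uri` (along with `frame-ancestors` and `sandbox`) when the policy arrives in the HTTP header — so moving the policy out of the nginx `add_header` lines deleted in this commit and into the meta tag silently turns off violation reporting for the UI. A meta policy also only governs content parsed after the element, so the nonced `<script>` added at the top of `<head>` in the previous hunk, and anything else before this line, runs unconstrained; the meta tag should be the first thing after `<meta charset>`. Keep the meta delivery for the nonce if that is the only place the template is rendered, but emit the same policy (with `report-uri`) as a `Content-Security-Policy` header from the Django view or middleware that serves this template, and note that with the nginx headers gone any other HTML the vhost serves (browsable API, error pages) presumably has no CSP at all now — worth confirming before merge.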
@@ -69,8 +69,6 @@ data:
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
- add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
- add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
diff --git a/installer/roles/local_docker/templates/nginx.conf.j2 b/installer/roles/local_docker/templates/nginx.conf.j2
index 0c93510bc9..327b59a2fe 100644
--- a/installer/roles/local_docker/templates/nginx.conf.j2
+++ b/installer/roles/local_docker/templates/nginx.conf.j2
@@ -67,8 +67,6 @@ http {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
- add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
- add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
diff --git a/tools/docker-compose/nginx.vh.default.conf b/tools/docker-compose/nginx.vh.default.conf
index ff7f604b5e..73a4d1cd8d 100644
--- a/tools/docker-compose/nginx.vh.default.conf
+++ b/tools/docker-compose/nginx.vh.default.conf
@@ -22,8 +22,6 @@ server {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
- add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
- add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
location /static/ {
root /awx_devel;
@@ -84,8 +82,6 @@ server {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
- add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
- add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
location /static/ {
root /awx_devel; |