Skip to content

Commit

Permalink
Add CSP: frame-ancestors support
Browse files Browse the repository at this point in the history
  • Loading branch information
hmpf committed Feb 26, 2024
1 parent c732d24 commit d0d47eb
Show file tree
Hide file tree
Showing 3 changed files with 26 additions and 0 deletions.
2 changes: 2 additions & 0 deletions python/nav/django/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,7 @@
# Middleware
MIDDLEWARE = (
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'csp.middleware.CSPMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'nav.web.auth.middleware.AuthenticationMiddleware',
Expand Down Expand Up @@ -271,6 +272,7 @@
_needs_tls = bool(_websecurity_config.getboolean('security', 'needs_tls'))
SESSION_COOKIE_SECURE = _needs_tls
X_FRAME_OPTIONS = _websecurity_config.get_x_frame_options()
CSP_FRAME_ANCESTORS = _websecurity_config.get_frame_ancestors()

# Hack for hackers to use features like debug_toolbar etc.
# https://code.djangoproject.com/wiki/SplitSettings (Rob Golding's method)
Expand Down
23 changes: 23 additions & 0 deletions python/nav/web/security.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,26 @@ def get_x_frame_options(self):
if frames_flag == 'none':
return 'DENY'
return 'SAMEORIGIN'

def get_frame_ancestors(self):
"""Return a list of sources
A single 'none' or a string of one or more of self, source-scheme and
host-scheme are valid. There is currently no validator for host-scheme,
so source-scheme and host-scheme are both outputted as-is.
To be set in django settings and used by the django-csp middleware.
"""
default = "'self'"
frames_flag = self.get(self.FRAMES_OPTION) or self.FRAMES_DEFAULT
pieces = frames_flag.split()
valid_pieces = []
for piece in pieces:
if piece == 'none':
valid_pieces.append("'none'")
break
if piece == 'self':
valid_pieces.append(default)
else:
valid_pieces.append(piece)
return valid_pieces or [default]
1 change: 1 addition & 0 deletions requirements/base.txt
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ dnspython<3.0.0,>=2.1.0
django-filter>=2
djangorestframework>=3.12,<3.13
django-crispy-forms>=1.8,<1.9
django-csp
crispy-forms-foundation>=0.7,<0.8

# REST framework
Expand Down

0 comments on commit d0d47eb

Please sign in to comment.