Configuring Content Security Policy

userportal/settings/10-base.py

@@ -1,13 +1,5 @@
 """
 Django settings for userportal project.
-
-Generated by 'django-admin startproject' using Django 3.1.7.
-
-For more information on this file, see
-https://docs.djangoproject.com/en/3.1/topics/settings/
-
-For the full list of settings and their values, see
-https://docs.djangoproject.com/en/3.1/ref/settings/
 """
 
 from pathlib import Path
@@ -43,6 +35,7 @@
     'django.contrib.staticfiles',
     'django.contrib.humanize',
     'djangosaml2',
+    'csp',
     'watchman',
 
     'pages',
@@ -78,6 +71,7 @@
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'djangosaml2.middleware.SamlSessionMiddleware',
+    'csp.middleware.CSPMiddleware',
 ]
 
 ROOT_URLCONF = 'userportal.urls'
@@ -204,3 +198,9 @@
     'DEFAULT_PAGINATION_CLASS': 'rest_framework_datatables.pagination.DatatablesPageNumberPagination',
     'PAGE_SIZE': 100,
 }
+
+# Content Security Policy
+CSP_DEFAULT_SRC = ("'self'")
+CSP_IMG_SRC = ("'self'", "data:", 'object-arbutus.cloud.computecanada.ca')
+CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", 'cdn.jsdelivr.net', 'cdnjs.cloudflare.com', 'cdn.datatables.net')
+CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", 'cdn.jsdelivr.net', 'cdnjs.cloudflare.com', 'cdn.datatables.net', 'code.jquery.com', 'cdn.plot.ly')