Skip to content

Support CSP Nonce for Jinja2 Assets #204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JVickery-TBS merged 13 commits into from
Aug 25, 2025
Merged

Support CSP Nonce for Jinja2 Assets #204

JVickery-TBS merged 13 commits into from
Aug 25, 2025

Conversation

@JVickery-TBS
Copy link

@JVickery-TBS JVickery-TBS commented Aug 13, 2025

Another thing from the VA scan, we need to support the strict-dynamic directive in the Content-Security-Policy header to properly use the WET scripts and WET JS Builder. The strict-dynamic directive basically says that other scripts are allowed to add script node objects to the DOM and those scripts are allowed to get executed. This NEEDS to have nonces to work securely though. And it seems that if you have the strict-dynamic directive set, some browsers will ignore some of the other directives so we need to add the nonce to all assets, hence this code addition.

The CSP_NONCE environ value gets set in the canada_security plugin now from this PR: open-data/ckanext-canada#1599

@JVickery-TBS
feat(dev): asset nonce;
b2ef6ca 
- Add support for CSP Nonces for strict-dynamic directive.
@JVickery-TBS JVickery-TBS requested a review from wardi August 13, 2025 16:31
@JVickery-TBS
feat(misc): changelog;
3b375eb 
- Added change log file.
@JVickery-TBS
fix(templates): inline eval;
3dcd228 
- Continued unsafe inline stuffs.
@JVickery-TBS
Merge branch 'canada-v2.10' into feature/csp_nonce
706066f
@JVickery-TBS
feat(templates): more csp;
ce89155 
- More inline things.
- More nonce usage.
@JVickery-TBS
feat(templates): more csp;
8359612 
- More inline things.
- More nonce usage.
@JVickery-TBS
feat(css): data to images;
30367ad 
- Move data images to actual images.
@JVickery-TBS
feat(dev): cache control;
119d919 
- Set no-cache for logged in users.
- Updated change log files.
@JVickery-TBS
fix(misc): typos and logs;
1ab202d 
- Fixed nonce typos.
- Removed dev console log.
- Added TODO comments.
wardi
wardi reviewed Aug 22, 2025
View reviewed changes
wardi
wardi reviewed Aug 22, 2025
View reviewed changes
wardi
wardi reviewed Aug 22, 2025
View reviewed changes
wardi
wardi reviewed Aug 22, 2025
View reviewed changes
Copy link
Member

@wardi wardi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is going to be rough to merge with the next version of ckan, but maybe still better than copying all these templates to ckanext-canada.

The bits that reference svgs that actually live in ckanext-canada should be moved over there or the svg files should be moved here, though

@JVickery-TBS
revert(css): data image;
dd56a45 
- Revert any overrides, they ar ein canada plugin now.
@JVickery-TBS
Copy link
Author

JVickery-TBS commented Aug 25, 2025

Yeah merging is gunna be a pain for sure, made sure to put the comments in so it can help us in the future

@JVickery-TBS
revert(css): data image;
18668ea 
- Revert any overrides, they ar ein canada plugin now.
@JVickery-TBS
revert(css): data image;
f238097 
- Revert any overrides, they ar ein canada plugin now.
@JVickery-TBS
feat(dev): validator;
980864f 
- New validator for http header values.
@JVickery-TBS JVickery-TBS merged commit f8dc69f into canada-v2.10 Aug 25, 2025
1 check passed
@JVickery-TBS JVickery-TBS deleted the feature/csp_nonce branch August 25, 2025 18:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wardi wardi wardi left review comments

Assignees

@wardi wardi

@JVickery-TBS JVickery-TBS

Labels

Security Requirement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JVickery-TBS @wardi