TP2000-1644 Strengthen Content Security Policy configuration (#1393)

* Bump django-csp to 3.8 * Add missing object-src CSP directive * Add missing base-uri CSP directive * Add missing trusted-types CSP directive * Add missing strict-dynamic CSP directive * Create default Trusted Types policy
uktrade · Jan 27, 2025 · eef617b · eef617b
1 parent 2cfaeb2
commit eef617b
Show file tree

Hide file tree

Showing 8 changed files with 42 additions and 3 deletions.
diff --git a/common/static/common/js/application.js b/common/static/common/js/application.js
@@ -9,6 +9,7 @@ const imagePath = (name) => images(name, true);
 
 require.context("govuk-frontend/govuk/assets");
 
+import "./trustedTypes";
 import { initAll } from "govuk-frontend";
 
 import showHideCheckboxes from "./showHideCheckboxes";

diff --git a/common/static/common/js/trustedTypes.js b/common/static/common/js/trustedTypes.js
@@ -0,0 +1,12 @@
+import DOMPurify from "dompurify";
+
+/**
+ * Creates a default Trusted Types policy that serves as a fallback policy
+ * to sanitise direct sink usage in third-party dependencies.
+ */
+if (typeof window.trustedTypes !== "undefined") {
+  window.trustedTypes.createPolicy("default", {
+    createHTML: (to_escape) =>
+      DOMPurify.sanitize(to_escape, { RETURN_TRUSTED_TYPE: true }),
+  });
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -21,6 +21,7 @@
     "chart.js": "^3.9.1",
     "chartjs-adapter-moment": "^1.0.0",
     "css-loader": "^5.2.6",
+    "dompurify": "^3.2.3",
     "file-loader": "^6.2.0",
     "govuk-frontend": "^3.15.0",
     "govuk-react": "^0.10.6",
@@ -78,4 +79,4 @@
     "pre-commit": "^1.2.2",
     "react-test-renderer": "^18.2.0"
   }
-}
+}
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,4 +1,4 @@
 -r requirements.txt
 
-django_debug_toolbar
+django_debug_toolbar==5.0.1
 pre-commit
diff --git a/requirements.txt b/requirements.txt
@@ -14,7 +14,7 @@ defusedxml==0.7.*
 dj-database-url==0.5.0
 django-chunk-upload-handlers==0.0.13
 django-crispy-forms==1.14.0
-django-csp==3.6
+django-csp==3.8
 django-cte==1.3.1
 django-extensions==3.2.3
 django-filter==23.5

diff --git a/settings/common.py b/settings/common.py
@@ -223,6 +223,7 @@
     "https://tagmanager.google.com/",
 )
 CSP_SCRIPT_SRC = (
+    "'strict-dynamic'",
     "'self'",
     "'unsafe-eval'",
     "'unsafe-inline'",
@@ -231,6 +232,10 @@
     "ajax.googleapis.com/",
 )
 CSP_FONT_SRC = ("'self'", "'unsafe-inline'")
+CSP_OBJECT_SRC = ("'none'",)
+CSP_BASE_URI = ("'none'",)
+CSP_REQUIRE_TRUSTED_TYPES_FOR = ("'script'",)
+CSP_TRUSTED_TYPES = ("tap#webpack", "dompurify", "default")
 CSP_INCLUDE_NONCE_IN = ("script-src",)
 CSP_REPORT_ONLY = False
 

diff --git a/webpack.config.js b/webpack.config.js
@@ -18,6 +18,9 @@ module.exports = {
     // (they are picked up by `collectstatic`)
     publicPath: "/assets/webpack_bundles/",
     filename: "[name]-[hash].js",
+    trustedTypes: {
+      policyName: "tap#webpack",
+    },
   },
 
   plugins: [