nohype/main-site
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'fix(csp): skip restrictive CSP on Wagtail/Django admin paths' (#25) from fix/csp-wagtail-admin into main
All checks were successful
CI / ci (push) Has been skipped
Details
CI / pr-e2e (push) Has been skipped
Details
CI / nightly-e2e (push) Has been skipped
Details
CI / deploy (push) Successful in 23s
Details

Browse Source 
Reviewed-on: #25
This commit was merged in pull request #25.
This commit is contained in:
mark
2026-03-02 15:36:12 +00:00
parent f7c89be05c 43594777e0
commit a59d21cfcb
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
apps/core/middleware.py
View File

@@ -18,10 +18,14 @@ class SecurityHeadersMiddleware:
def __init__(self, get_response):
self.get_response = get_response
ADMIN_PREFIXES = ("/cms/", "/django-admin/")
def __call__(self, request):
nonce = secrets.token_urlsafe(16)
request.csp_nonce = nonce
response = self.get_response(request)
if request.path.startswith(self.ADMIN_PREFIXES):
return response
response["Content-Security-Policy"] = (
f"default-src 'self'; "
f"script-src 'self' 'nonce-{nonce}'; "