nohype/main-site
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(csp): skip restrictive CSP on Wagtail/Django admin paths #25

Merged
mark merged 1 commits from fix/csp-wagtail-admin into main 2026-03-02 15:36:13 +00:00
Conversation 0 Commits 1 Files Changed 1 +4
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
apps/core/middleware.py
View File

@@ -18,10 +18,14 @@ class SecurityHeadersMiddleware:
def __init__(self, get_response): def __init__(self, get_response):
self.get_response = get_response self.get_response = get_response
ADMIN_PREFIXES = ("/cms/", "/django-admin/")
def __call__(self, request): def __call__(self, request):
nonce = secrets.token_urlsafe(16) nonce = secrets.token_urlsafe(16)
request.csp_nonce = nonce request.csp_nonce = nonce
response = self.get_response(request) response = self.get_response(request)
if request.path.startswith(self.ADMIN_PREFIXES):
return response
response["Content-Security-Policy"] = ( response["Content-Security-Policy"] = (
f"default-src 'self'; " f"default-src 'self'; "
f"script-src 'self' 'nonce-{nonce}'; " f"script-src 'self' 'nonce-{nonce}'; "