nohype/main-site
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1c5ba6cf90f8d5f37233589e9833cebfaf6de817
main-site/apps/core/middleware.py
Mark 43594777e0
All checks were successful
CI / nightly-e2e (pull_request) Has been skipped
Details
CI / deploy (pull_request) Has been skipped
Details
CI / pr-e2e (pull_request) Successful in 1m11s
Details
CI / ci (pull_request) Successful in 1m22s
Details
fix(csp): skip restrictive CSP on Wagtail/Django admin paths 
The SecurityHeadersMiddleware applied a strict style-src policy to all
responses, blocking inline styles that Wagtail admin relies on for
layout. Skip the custom CSP for /cms/ and /django-admin/ paths.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-02 15:34:09 +00:00

42 lines
1.3 KiB
Python
Raw Blame History

from __future__ import annotations
import secrets
from .consent import ConsentService
class ConsentMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
request.consent = ConsentService.get_consent(request)
return self.get_response(request)
class SecurityHeadersMiddleware:
def __init__(self, get_response):
self.get_response = get_response
ADMIN_PREFIXES = ("/cms/", "/django-admin/")
def __call__(self, request):
nonce = secrets.token_urlsafe(16)
request.csp_nonce = nonce
response = self.get_response(request)
if request.path.startswith(self.ADMIN_PREFIXES):
return response
response["Content-Security-Policy"] = (
f"default-src 'self'; "
f"script-src 'self' 'nonce-{nonce}'; "
"style-src 'self' https://fonts.googleapis.com; "
"img-src 'self' data: blob:; "
"font-src 'self' https://fonts.gstatic.com; "
"connect-src 'self'; "
"object-src 'none'; "
"base-uri 'self'; "
"frame-ancestors 'self'"
)
response["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
return response
Reference in New Issue View Git Blame Copy Permalink