style-src and font-src were 'self' only, blocking fonts.googleapis.com stylesheet and fonts.gstatic.com font files. Add both origins so Space Grotesk, Inter and Fira Code load correctly in production. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
from __future__ import annotations
import secrets
from .consent import ConsentService
class ConsentMiddleware:
    """Attach the caller's consent state to each request before it is handled.

    Middleware in the ``get_response`` style (as used by Django): it is
    constructed with the next handler in the chain and invoked once per
    request. ``ConsentService.get_consent`` is consulted first, so downstream
    views and templates can read ``request.consent``.
    """

    def __init__(self, get_response):
        # Next handler in the middleware chain; called once per request.
        self.get_response = get_response

    def __call__(self, request):
        """Resolve consent for ``request``, store it on the request, then delegate."""
        consent = ConsentService.get_consent(request)
        request.consent = consent
        return self.get_response(request)
class SecurityHeadersMiddleware:
    """Set a per-request Content-Security-Policy and a Permissions-Policy header.

    A fresh random nonce is drawn for every request and exposed as
    ``request.csp_nonce`` (presumably so templates can stamp it onto inline
    ``<script>`` tags — confirm against the templates); the same value is
    allow-listed in the ``script-src`` directive of the response header, so
    only scripts carrying that nonce (or served from the same origin) run.
    The response is assumed to support item assignment for headers, as a
    Django ``HttpResponse`` does. Any CSP already present on the response is
    replaced, not merged.
    """

    def __init__(self, get_response):
        # Next handler in the middleware chain; called once per request.
        self.get_response = get_response

    def __call__(self, request):
        """Run the downstream handler, then stamp the security headers on its response."""
        # 16 random bytes from the CSPRNG, URL-safe base64 encoded (22 characters).
        nonce = secrets.token_urlsafe(16)
        request.csp_nonce = nonce

        response = self.get_response(request)

        # One entry per CSP directive; joined with "; " into the header value.
        # Scripts: same origin plus the per-request nonce. Styles and fonts:
        # same origin plus the two Google Fonts origins. Plugins are disabled,
        # <base> is pinned to the site, and only same-origin pages may frame it.
        directives = [
            "default-src 'self'",
            f"script-src 'self' 'nonce-{nonce}'",
            "style-src 'self' https://fonts.googleapis.com",
            "img-src 'self' data: blob:",
            "font-src 'self' https://fonts.gstatic.com",
            "connect-src 'self'",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'self'",
        ]
        response["Content-Security-Policy"] = "; ".join(directives)

        # Deny browser features the site has no use for.
        response["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
        return response