[Django] #35017: Template openlayers.html with inline script - Content-Security-Policy


Django

Dec 5, 2023, 12:16:58 PM
to django-...@googlegroups.com
#35017: Template openlayers.html with inline script - Content-Security-Policy
-------------------------------------+-------------------------------------
Reporter: Matthieu Marrast           | Owner: nobody
Type: Cleanup/optimization           | Status: new
Component: GIS                       | Version: 5.0
Severity: Normal                     | Keywords: CSP, Content-Security-Policies,
                                     |   script, unsafe-inline, inline script
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
The template **openlayers.html**
(https://github.com/django/django/blob/main/django/contrib/gis/templates/gis/openlayers.html)
provides **inline script**:

{{{
<script>
    {% block base_layer %}
    var base_layer = new ol.layer.Tile({
        source: new ol.source.XYZ({
            attributions: "NASA Worldview",
            maxZoom: 8,
            url: "https://map1{a-c}.vis.earthdata.nasa.gov/wmts-webmerc/" +
                 "BlueMarble_ShadedRelief_Bathymetry/default/%7BTime%7D/" +
                 "GoogleMapsCompatible_Level8/{z}/{y}/{x}.jpg"
        })
    });
    {% endblock %}
    {% block options %}var options = {
        base_layer: base_layer,
        geom_name: '{{ geom_type }}',
        id: '{{ id }}',
        map_id: '{{ id }}_map',
        map_srid: {{ map_srid|unlocalize }},
        name: '{{ name }}'
    };
    {% endblock %}
    var {{ module }} = new MapWidget(options);
</script>
}}}

So to make it work with Content-Security-Policy, we must add `script-src 'unsafe-inline'` to our HTTP response headers.
This is not safe. Security and pentest tools raise alerts regarding this.

Without this security policy, the map is not shown.

References:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- https://www.w3.org/TR/CSP2/
- https://www.w3.org/TR/CSP/
- https://caniuse.com/#search=content+security+policy
- https://content-security-policy.com/
- https://github.com/shapesecurity/salvation
- https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources

--
Ticket URL: <https://code.djangoproject.com/ticket/35017>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
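The ticket's point is that the widget only renders once `script-src 'unsafe-inline'` is present, which disables the protection CSP gives against injected scripts. The following is an added example, not part of the ticket and not Django's own code: a small CSP header parser that flags a policy letting inline scripts run (with the `script-src` -> `default-src` fallback and the CSP3 rule that a nonce or hash source disables `'unsafe-inline'`), plus a helper that builds the nonce-based alternative so the template's single inline `<script>` could run with a `nonce` attribute instead. The function names, the `nonce_policy` header shape and the constructed sample headers are this example's own assumptions.

```python
"""Added example (not Django's code): check a Content-Security-Policy header
for the 'unsafe-inline' script allowance discussed in the ticket, and show the
nonce-based policy that allows one inline <script> without it."""
import base64
import secrets
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive, and browsers keep only the first
    occurrence of a directive, so duplicates are dropped here as well.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # later duplicate directive is ignored, as in browsers
        policy[name] = tokens[1:]
    return policy


def effective_script_src(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list governing scripts, or None if nothing does.

    'script-src' wins; otherwise 'default-src' applies; otherwise scripts are
    unrestricted (which is why a policy with only img-src still allows inline
    scripts).
    """
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_inline_script(policy: Dict[str, List[str]]) -> bool:
    """True when the policy would execute an inline <script> that carries no
    nonce or hash, i.e. the weak configuration the ticket describes."""
    sources = effective_script_src(policy)
    if sources is None:
        return True  # no directive governs scripts at all
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    # CSP3: a nonce- or hash-source in the same directive makes browsers that
    # understand it ignore 'unsafe-inline', so the allowance is not effective.
    strict_prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return not any(s.startswith(strict_prefixes) for s in lowered)


def generate_nonce() -> str:
    """Per-response nonce: 128 random bits, base64 as the CSP grammar expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def nonce_policy(nonce: str) -> str:
    """Header value (assumed shape) that allows only same-origin scripts and
    inline <script> elements carrying nonce="<nonce>"."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"


def script_open_tag(nonce: str) -> str:
    """Opening tag the openlayers.html template would need for a nonce-based
    policy; the value must match the one in the response header."""
    return f'<script nonce="{nonce}">'


if __name__ == "__main__":
    # Constructed sample headers: the workaround the ticket says is required,
    # and a nonce-based policy for the same page.
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline'"
    nonce = generate_nonce()
    strict = nonce_policy(nonce)
    for label, header in (("weak", weak), ("nonce", strict)):
        verdict = "allows" if allows_inline_script(parse_csp(header)) else "blocks"
        print(f"{label:5s} policy {verdict} un-nonced inline scripts: {header}")
    print(script_open_tag(nonce))
```

`allows_inline_script` is the check a scanner would run over a response; `nonce_policy` and `script_open_tag` show the two halves that must agree (header and tag) when the widget's inline script is kept but `'unsafe-inline'` is dropped.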

Django

Dec 5, 2023, 1:54:24 PM
to django-...@googlegroups.com
#35017: Template openlayers.html with inline script - Content-Security-Policy
-------------------------------------+-------------------------------------
Reporter: Matthieu Marrast           | Owner: nobody
Type: Cleanup/optimization           | Status: closed
Component: GIS                       | Version: 5.0
Severity: Normal                     | Resolution: duplicate
Keywords: CSP, Content-Security-     | Triage Stage: Unreviewed
  Policies, script, unsafe-inline,   |
  inline script                      |
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* status: new => closed
* resolution: => duplicate


Comment:

Duplicate of #25706.

--
Ticket URL: <https://code.djangoproject.com/ticket/35017#comment:1>
