Merge pull request #689 from alee/csp-ga

fix: adjust CSP settings for GA

django/core/jinja2/base.jinja

@@ -327,13 +327,13 @@
         <!-- End Google Tag Manager -->
         {% endscript %}
     {% endif %}
-    <script src="//cdnjs.cloudflare.com/ajax/libs/holder/2.9.7/holder.min.js"></script>
+    <script src="//cdnjs.cloudflare.com/ajax/libs/holder/2.9.8/holder.min.js"></script>
     {% if constants.DEPLOY_ENVIRONMENT.is_staging_or_production %}
 
-        {% with SENTRYJS_VERSION='7.37.2' %}
-            <script 
-                src="https://browser.sentry-cdn.com/{{SENTRYJS_VERSION}}/bundle.min.js" 
-                integrity="sha384-cT0oU6hl8pfWfV9R1e1pYLHs1+p/LTTq3TYeJa21BiU3CB3GLfxL4qcish2EefJK"
+        {% with SENTRYJS_VERSION='7.92.0' %}
+            <script
+                src="https://browser.sentry-cdn.com/{{SENTRYJS_VERSION}}/bundle.min.js"
+                integrity="sha384-twzJm4czBvefWTYieg38QNd4KycBrT5jt/HDyVbGCumN0zlLVmMNCVE7oDccARDg"
                 crossorigin="anonymous">
             </script>
             {% script defer=True %}

django/core/settings/production.py

@@ -35,14 +35,23 @@
     "'self'",
     "cdnjs.cloudflare.com",
     "browser.sentry-cdn.com",
-    "www.googletagmanager.com",
-    "www.google-analytics.com",
     "https://comses.net",
     "https://*.comses.net",
     "https://hcaptcha.com",
     "https://*.hcaptcha.com",
 )
-CSP_IMG_SRC = ("'self'", "data:", "i.ytimg.com", "www.google-analytics.com")
+CSP_CONNECT_SRC = (
+    "'self'",
+    "https://*.google-analytics.com",
+    "https://*.analytics.google.com",
+    "https://*.googletagmanager.com",
+    "https://*.g.doubleclick.net",
+    "https://*.google.com",
+    "https://*.google.<TLD>",
+)
+CSP_IMG_SRC = ("'self'", "data:", "i.ytimg.com", "https://*.google-analytics.com", "https://*.googletagmanager.com",
+               "https://*.analytics.google.com", "https://*.g.doubleclick.net", "https://*.google.com",
+               "https://*.google.<TLD>",)
 CSP_INCLUDE_NONCE_IN = ["script-src"]
 
 # Base URL to use when referring to full URLs within the Wagtail admin backend -

django/requirements.txt

@@ -1,14 +1,14 @@
 bagit==1.8.1
 bleach==6.1.0
 dedupe==2.0.23
-django-allauth==0.58.2
+django-allauth==0.61.1
 django-anymail[mailgun]==10.2
 django-cookie-law==2.2.0
 django-csp[jinja2]==3.7
 django-extensions==3.2.3
 django-guardian==2.4.0
 django-hcaptcha-field==1.4.0
-django-ipware==6.0.3
+django-ipware==6.0.4
 django-location-field==2.7.3
 django-markupfield==2.0.1
 django-modelcluster>=6.2.0
@@ -19,29 +19,29 @@ django-rest-swagger==2.2.0
 django-reversion==5.0.10
 django-robots==6.1
 django-timezone-field==6.1.0
-django-vite==2.1.3  # latest is 3.0.1
+django-vite==2.1.3  # latest is 3.0.3
 django-waffle==4.1.0
 djangorestframework==3.14.0
 djangorestframework-camel-case==1.4.2
-Django==4.2.7
+Django==4.2.10
 elasticsearch-dsl>=7.0.0,<8.0.0
 elasticsearch>=7.0.0,<8.0.0
 html2text>=2016.9.19
 jinja2==3.1.3
 jsonschema==4.19.0
-markdown==3.4.4
+markdown==3.5.2
 nltk>=3.2.5,<4.0.0
 numpy==1.24.3
 pandas==1.5.3
 psycopg2-binary==2.9.9
-pytz==2023.3
+pytz==2024.1
 redis==4.5.5
 requests==2.31.0
 semver==3.0.2
-sentry-sdk==1.39.1
+sentry-sdk==1.40.3
 shortuuid==1.0.11
-tzdata==2023.3
-uwsgi==2.0.23
+tzdata==2023.4
+uwsgi==2.0.24
 uwsgitop==0.11
 wagtail==5.2.2
 # used for institution -> affiliation data migration, unused afterwards