Content Security Policies / Permission Policies #277

Merged
merged 4 commits into from
Sep 21, 2023

Conversation

@vincentporte (Contributor) commented May 24, 2023

Description

🎸 Configuration of Content Security Policies and Permission Policies
🛸 Installation of django-csp and django-permissions-policy

🚧 htmx view called by a Django class-based view
middleware override to get the same request.csp_nonce value in the 2 rendered templates (check whether this is useful)

Type of change

🚧 technical

Points of attention

🦺 removal of onclick=DisabledMe from the HTMX call & fix of the placement of the script that hides the "see the 99 replies" button

@vincentporte vincentporte self-assigned this May 24, 2023
@vincentporte vincentporte force-pushed the vincentporte/security_setup branch from 5d40ba2 to 0dde636 on May 25, 2023 13:53

@jbuget commented May 30, 2023

@vincentporte Can you post the stack traces (or screenshots) of the errors?

@vincentporte vincentporte force-pushed the vincentporte/security_setup branch 2 times, most recently from 55dd49c to 4ecc1e5 on June 12, 2023 12:45
@vincentporte vincentporte added the recette-jetable review_app label Jun 13, 2023

@github-actions (Contributor) commented:

🥁 The review app is ready! 👉 I want to test this PR!

@vincentporte vincentporte force-pushed the vincentporte/security_setup branch 4 times, most recently from 95a8d42 to 405819c on June 19, 2023 15:27
@vincentporte vincentporte force-pushed the vincentporte/security_setup branch from 613d845 to 6c484dd on June 20, 2023 09:44
@vincentporte vincentporte added recette-jetable review_app and removed recette-jetable review_app labels Jun 20, 2023

@github-actions (Contributor) commented:

🥁 The review app is ready! 👉 I want to test this PR!

@vincentporte vincentporte removed the recette-jetable review_app label Jun 26, 2023
@vincentporte vincentporte force-pushed the vincentporte/security_setup branch from 8bb37c8 to da96e67 on July 17, 2023 15:36
@vincentporte vincentporte force-pushed the vincentporte/security_setup branch from da96e67 to 6c9cca2 on July 26, 2023 16:36
@vincentporte vincentporte force-pushed the vincentporte/security_setup branch 3 times, most recently from 474a930 to 9b682ee on September 19, 2023 11:12
@vincentporte vincentporte added the recette-jetable review_app label Sep 19, 2023

@github-actions (Contributor) commented:

🥁 The review app is ready! 👉 I want to test this PR!

@vincentporte vincentporte force-pushed the vincentporte/security_setup branch 3 times, most recently from 3fc80ad to 199db8e on September 21, 2023 09:45
@vincentporte vincentporte force-pushed the vincentporte/security_setup branch from 199db8e to 0c77af3 on September 21, 2023 09:56
@vincentporte vincentporte force-pushed the vincentporte/security_setup branch from 9bcdd00 to 4efcc19 on September 21, 2023 10:29
@vincentporte vincentporte merged commit 106a056 into master Sep 21, 2023
4 checks passed
@vincentporte vincentporte deleted the vincentporte/security_setup branch September 21, 2023 10:35

@vperron left a comment

I didn't read it in detail, but if you need a more thorough read again, I'll take a look :) Basically I'd probably just compare it with les Emplois ^^

On that note, I have to go to lunch 🤡

CSP_FONT_SRC = ("'self'", "https://fonts.gstatic.com/", "data:")
CSP_SCRIPT_SRC = (
"'self'",
"https://cdn.jsdelivr.net",

That's a bit heavy-handed: it basically allows any script on the entire CDN, including hacked or vulnerable versions. It's probably better to manage to put the paths to the scripts the community site actually uses!
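A small checker for the point raised in this comment, added here as an example that is not part of the PR or the project's code: it flags django-csp script-src entries that allow more than one specific script (the bare cdn.jsdelivr.net origin quoted above, wildcard hosts, scheme-only sources, unsafe keywords) and shows a pinned form; the versioned script path is an assumed placeholder, not a real dependency of the project.

```python
"""Audit a django-csp style script-src allow-list for over-broad entries.

Added example, not code from the PR: settings values are constructed from
those quoted in the review; the pinned script path is an assumed placeholder.
"""
from urllib.parse import urlsplit

SAFE_KEYWORDS = {"'self'", "'none'", "'strict-dynamic'"}
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def _split_host_source(src):
    """Return (host, path) for a host-source written with or without a scheme."""
    if "://" in src:
        parts = urlsplit(src)
        return parts.netloc, parts.path
    host, _, path = src.partition("/")
    return host, ("/" + path if path else "")


def audit_script_src(sources):
    """Return [(source, reason)] for each entry wider than a single script."""
    findings = []
    for src in sources:
        if src in SAFE_KEYWORDS or src.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")):
            continue  # keywords, nonces and hashes pin specific scripts
        if src in UNSAFE_KEYWORDS:
            findings.append((src, "disables script protection"))
        elif src == "*":
            findings.append((src, "allows scripts from any origin"))
        elif src.endswith(":") and "/" not in src:
            findings.append((src, "scheme-only source allows any URL of that scheme"))
        else:
            host, path = _split_host_source(src)
            if host.startswith("*"):
                findings.append((src, "wildcard host matches every subdomain"))
            elif path in ("", "/"):
                findings.append((src, "bare origin allows every script on this host"))
    return findings


# As quoted in the review: a bare CDN origin, so any file it hosts may run.
CSP_SCRIPT_SRC = ("'self'", "https://cdn.jsdelivr.net")

# Tightened form: pin the exact versioned file (placeholder path, assumed);
# inline scripts can then carry the request.csp_nonce the PR already plumbs.
CSP_SCRIPT_SRC_PINNED = (
    "'self'",
    "https://cdn.jsdelivr.net/npm/example-lib@1.0.0/dist/example.min.js",
)
```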

"autoplay": [],
"camera": [],
"encrypted-media": [],
"fullscreen": [],

No reading the community site in fullscreen, sir!

class="matomo-event btn-link stretched-link"
data-matomo-category="engagement"
data-matomo-action="view"
data-matomo-option="news">

linter version change?

3 participants