@@ -127,15 +127,6 @@ def SHOW_DEBUG_TOOLBAR(self):
127
127
SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
128
128
X_FRAME_OPTIONS = "DENY"
129
129
130
- # Content Security Policy
131
- # https://django-csp.readthedocs.io/
132
- CSP_DEFAULT_SRC = None # This could be improved
133
- CSP_FRAME_ANCESTORS = ("'none'" ,)
134
- CSP_OBJECT_SRC = ("'none'" ,)
135
- CSP_REPORT_URI = None
136
- CSP_REPORT_ONLY = False
137
- CSP_EXCLUDE_URL_PREFIXES = ("/admin/" ,)
138
- RTD_CSP_UPDATE_HEADERS = {}
139
130
140
131
# Read the Docs
141
132
READ_THE_DOCS_EXTENSIONS = ext
@@ -402,6 +393,81 @@ def MIDDLEWARE(self):
402
393
]
403
394
PYTHON_MEDIA = False
404
395
396
+ # Content Security Policy
397
+ # https://django-csp.readthedocs.io/
398
+ CSP_FRAME_ANCESTORS = ("'none'" ,)
399
+ CSP_OBJECT_SRC = ("'none'" ,)
400
+ CSP_REPORT_URI = None
401
+ CSP_REPORT_ONLY = False
402
+ CSP_EXCLUDE_URL_PREFIXES = ("/admin/" ,)
403
+
404
+ # Default to disallow everything, and then allow specific sources on each directive.
405
+ CSP_DEFAULT_SRC = ["'none'" ]
406
+ CSP_SCRIPT_SRC = [
407
+ "'self'" ,
408
+ STATIC_URL ,
409
+ # Some of our JS deps are using eval.
410
+ "'unsafe-eval'" ,
411
+ # Allow fontawesome to load.
412
+ "https://kit.fontawesome.com" ,
413
+ # Stripe (used for Gold subscriptions)
414
+ "https://js.stripe.com/" ,
415
+ ]
416
+ CSP_CONNECT_SRC = [
417
+ "'self'" ,
418
+ # Allow sentry to report errors.
419
+ "https://*.ingest.us.sentry.io" ,
420
+ # Allow fontawesome to load.
421
+ "https://ka-p.fontawesome.com" ,
422
+ "https://kit.fontawesome.com" ,
423
+ # Plausible analytics
424
+ "https://plausible.io/api/event" ,
425
+ ]
426
+ CSP_IMG_SRC = [
427
+ "'self'" ,
428
+ # Some of our styles include images as data URLs.
429
+ "data:" ,
430
+ # We load avatars from GitHub, GitLab, and Bitbucket,
431
+ # and other services. They don't use a single specific domain,
432
+ # so we just allow any https domain here.
433
+ "https:" ,
434
+ ]
435
+ CSP_STYLE_SRC = [
436
+ "'self'" ,
437
+ STATIC_URL ,
438
+ # We have lots of inline styles!
439
+ # TODO: we should remove this.
440
+ "'unsafe-inline'" ,
441
+ ]
442
+ CSP_BASE_URI = ["'self'" ]
443
+ CSP_FORM_ACTION = [
444
+ "'self'" ,
445
+ # Allow our support form to submit to external domains.
446
+ SUPPORT_FORM_ENDPOINT ,
447
+ # Chrome and Safari block form submissions if it redirects to a different domain.
448
+ # We redirect to external domains for some forms, like login.
449
+ "https://github.com" ,
450
+ "https://gitlab.com" ,
451
+ "https://bitbucket.org" ,
452
+ "https://id.atlassian.com" ,
453
+ "https://accounts.google.com" ,
454
+ # We also redirect to Stripe on subscription forms.
455
+ "https://billing.stripe.com" ,
456
+ "https://checkout.stripe.com" ,
457
+ ]
458
+ CSP_FONT_SRC = [
459
+ "'self'" ,
460
+ STATIC_URL ,
461
+ # Allow fontawesome to load.
462
+ "data:" ,
463
+ "https://ka-p.fontawesome.com" ,
464
+ ]
465
+ CSP_FRAME_SRC = [
466
+ # Stripe (used for Gold subscriptions)
467
+ "https://js.stripe.com/" ,
468
+ ]
469
+ RTD_CSP_UPDATE_HEADERS = {}
470
+
405
471
# Django Storage subclass used to write build artifacts to cloud or local storage
406
472
# https://docs.readthedocs.io/page/development/settings.html#rtd-build-media-storage
407
473
RTD_BUILD_MEDIA_STORAGE = "readthedocs.builds.storage.BuildMediaFileSystemStorage"
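Review bot: `CSP_REPORT_ONLY = False` together with `CSP_REPORT_URI = None` (new-side lines 400–401) enforces this first real allow-list with no way to see what it breaks, so a missed source becomes a silent user-facing failure instead of a report; either stage it with `CSP_REPORT_ONLY = True` first or set `CSP_REPORT_URI` to a collector (Sentry, already permitted in `CSP_CONNECT_SRC`, accepts CSP violation reports). In `CSP_FORM_ACTION`, `SUPPORT_FORM_ENDPOINT` is spliced in unconditionally; if it can be `None` in some deployments, django-csp fails when joining the directive into the header, so guard it with `*([SUPPORT_FORM_ENDPOINT] if SUPPORT_FORM_ENDPOINT else []),`. The same list contains `https://github.com` where the neighbouring OAuth origins suggest `https://github.com` was meant; a wrong host here permits form posts to a domain you do not control, so confirm it before this ships. `'unsafe-eval'` in `CSP_SCRIPT_SRC` leaves eval-based XSS payloads unmitigated and deserves the same `# TODO: we should remove this.` that the `'unsafe-inline'` style entry carries. These are attributes of a settings class whose header lies outside the hunk.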