
Commit fa74ac7

committed
Settings: bring CSP settings from -ops
Closes readthedocs/readthedocs-ops#1502
1 parent 632aec2 commit fa74ac7


1 file changed

+75
-9
lines changed


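--- a/readthedocs/settings/base.py
+++ b/readthedocs/settings/base.py
@@ -127,15 +127,6 @@ def SHOW_DEBUG_TOOLBAR(self):
 SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
 X_FRAME_OPTIONS = "DENY"
 
-# Content Security Policy
-# https://django-csp.readthedocs.io/
-CSP_DEFAULT_SRC = None # This could be improved
-CSP_FRAME_ANCESTORS = ("'none'",)
-CSP_OBJECT_SRC = ("'none'",)
-CSP_REPORT_URI = None
-CSP_REPORT_ONLY = False
-CSP_EXCLUDE_URL_PREFIXES = ("/admin/",)
-RTD_CSP_UPDATE_HEADERS = {}
 
 # Read the Docs
 READ_THE_DOCS_EXTENSIONS = ext
@@ -402,6 +393,81 @@ def MIDDLEWARE(self):
 ]
 PYTHON_MEDIA = False
 
+# Content Security Policy
+# https://django-csp.readthedocs.io/
+CSP_FRAME_ANCESTORS = ("'none'",)
+CSP_OBJECT_SRC = ("'none'",)
+CSP_REPORT_URI = None
+CSP_REPORT_ONLY = False
+CSP_EXCLUDE_URL_PREFIXES = ("/admin/",)
+
+# Default to disallow everything, and then allow specific sources on each directive.
+CSP_DEFAULT_SRC = ["'none'"]
+CSP_SCRIPT_SRC = [
+"'self'",
+STATIC_URL,
+# Some of our JS deps are using eval.
+"'unsafe-eval'",
+# Allow fontawesome to load.
+"https://kit.fontawesome.com",
+# Stripe (used for Gold subscriptions)
+"https://js.stripe.com/",
+]
+CSP_CONNECT_SRC = [
+"'self'",
+# Allow sentry to report errors.
+"https://*.ingest.us.sentry.io",
+# Allow fontawesome to load.
+"https://ka-p.fontawesome.com",
+"https://kit.fontawesome.com",
+# Plausible analytics
+"https://plausible.io/api/event",
+]
+CSP_IMG_SRC = [
+"'self'",
+# Some of our styles include images as data URLs.
+"data:",
+# We load avatars from GitHub, GitLab, and Bitbucket,
+# and other services. They don't use a single specific domain,
+# so we just allow any https domain here.
+"https:",
+]
+CSP_STYLE_SRC = [
+"'self'",
+STATIC_URL,
+# We have lots of inline styles!
+# TODO: we should remove this.
+"'unsafe-inline'",
+]
+CSP_BASE_URI = ["'self'"]
+CSP_FORM_ACTION = [
+"'self'",
+# Allow our support form to submit to external domains.
+SUPPORT_FORM_ENDPOINT,
+# Chrome and Safari block form submissions if it redirects to a different domain.
+# We redirect to external domains for some forms, like login.
+"https://github.com",
+"https://gitlab.com",
+"https://bitbucket.org",
+"https://id.atlassian.com",
+"https://accounts.google.com",
+# We also redirect to Stripe on subscription forms.
+"https://billing.stripe.com",
+"https://checkout.stripe.com",
+]
+CSP_FONT_SRC = [
+"'self'",
+STATIC_URL,
+# Allow fontawesome to load.
+"data:",
+"https://ka-p.fontawesome.com",
+]
+CSP_FRAME_SRC = [
+# Stripe (used for Gold subscriptions)
+"https://js.stripe.com/",
+]
+RTD_CSP_UPDATE_HEADERS = {}
+
 # Django Storage subclass used to write build artifacts to cloud or local storage
 # https://docs.readthedocs.io/page/development/settings.html#rtd-build-media-storage
 RTD_BUILD_MEDIA_STORAGE = "readthedocs.builds.storage.BuildMediaFileSystemStorage"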
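Review bot: `CSP_SCRIPT_SRC` in the second hunk keeps `'unsafe-eval'` with only a comment that some JS deps use eval, which gives back much of what the `'none'` default takes away from script injection, while the comparable `'unsafe-inline'` in `CSP_STYLE_SRC` at least carries a TODO; the comment should name the dependencies and track removal, e.g. `# TODO: list the deps that need eval and drop 'unsafe-eval' once they are replaced.` `CSP_FORM_ACTION` also inlines `SUPPORT_FORM_ENDPOINT` directly; if that setting can be unset in some environments (not visible here), a `None` entry lands in the directive value, so appending it only when set would be safer. The `https://github.com` entry in the same list does not obviously match the GitHub login redirect the comment describes — confirm the host is the intended one. The enclosing settings class starts and ends outside the hunk.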
