Replacing X-Frame-Options HTTP header with CSP #402
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was necessary to make CSP policies happy. The current directives don't allow inline code such as "onclick" if nonce is used.
Simplest solution to toolbar.js being blocked by CSP
ens-lgil
reviewed
Jan 13, 2025
pgs_web/settings.py
Outdated
| CSP_STYLE_SRC = ("'self'", | ||
| "'unsafe-inline'", | ||
| "https://cdn.jsdelivr.net/", | ||
| "https://use.fontawesome.com/", |
There was a problem hiding this comment.
Wondering if we should store the following URLs into variables as they appear mor than once:
There was a problem hiding this comment.
I will think about it, to me it would make the code less clear. Or on the other extreme we could also use variables for those in css.html and js.html
There was a problem hiding this comment.
Yes, the final goal would be to store all the URLs in variables, so we will need to change the URLs in one place only.
We have some here: https://github.com/PGScatalog/PGS_Catalog/blob/master/pgs_web/constants.py#L51
Needed for social media links update (X and bluesky)
ens-lgil
approved these changes
Jan 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The HTTP header X-Frame-Options "Deny" would not allow the PGS Catalog to be displayed in an iframe on the EBI training website. There is supposed to be the option "allow-from https://..." but it is not supported by mordern browsers anymore. The solution was either removing this security header, or to update it with Content Security Policies (CSP) header.
CSP use the directive "frame-ancestors" to allow specific websites to show a page into iframes.
The consequence though was the need to specify all trusted external resources that we use (js and css) to allow the browser to load them, in an iframe or not, because of CSP strictness. One problem was with the external resources imported from other resources, which need to be allowed too. To avoid this issue, I chose to use a "nonce" for javascript imports along with the 'strict-dynamic' option. Script HTML elements with the nonce are considered trusted and with 'strict-dynamic' can load any other resource they need. It could only work with scripts though, each style source (css) still need to be specified in the header, which didnt cause too much trouble. To avoid the tedious task to add the nonce in all <script> elements in the templates, I added a middleware class to do it automatically. The rest of the CSP implementation is done with django-csp.
The current policies were tested with https://csp-evaluator.withgoogle.com/ and considered good.