CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

CSP: Exclude PDF editor (just doesn't work in FF)

Browse Source
This commit is contained in:
Raphael Michel
2017-09-28 18:44:12 +02:00
parent 29b157f287
commit 784f6e703c
4 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/pretix/base/middleware.py
View File

@@ -220,7 +220,14 @@ class SecurityMiddleware(MiddlewareMixin):
domain = '%s:%d' % (domain, siteurlsplit.port) domain = '%s:%d' % (domain, siteurlsplit.port)
dynamicdomain += " " + domain dynamicdomain += " " + domain
if request.path not in self.CSP_EXEMPT: if request.path not in self.CSP_EXEMPT and not getattr(resp, '_csp_ignore', False):
resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain, resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain,
media=mediadomain, nonce=request.csp_nonce) media=mediadomain, nonce=request.csp_nonce)
for k, v in h.items():
h[k] = ' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain,
nonce=request.csp_nonce).split(' ')
resp['Content-Security-Policy'] = _render_csp(h)
elif 'Content-Security-Policy' in resp:
del resp['Content-Security-Policy']
return resp return resp

3
src/pretix/base/views/csp.py
View File

@@ -1,8 +1,7 @@
import json import json
import logging import logging
from django.http import ( from django.http import HttpResponse, HttpResponseBadRequest
HttpResponseBadRequest, HttpResponse)
from django.views.decorators.csrf import csrf_exempt from django.views.decorators.csrf import csrf_exempt
logger = logging.getLogger('pretix.security.csp') logger = logging.getLogger('pretix.security.csp')

2
src/pretix/plugins/ticketoutputpdf/views.py
View File

@@ -44,7 +44,7 @@ class EditorView(EventPermissionRequiredMixin, TemplateView):
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
resp = super().get(request, *args, **kwargs) resp = super().get(request, *args, **kwargs)
resp['Content-Security-Policy'] = "script-src 'unsafe-eval'; style-src 'unsafe-inline'; img-src blob:; font-src data: blob:" resp._csp_ignore = True
return resp return resp
def process_upload(self): def process_upload(self):

2
src/pretix/urls.py
View File

@@ -5,7 +5,7 @@ from django.views.generic import RedirectView
import pretix.control.urls import pretix.control.urls
import pretix.presale.urls import pretix.presale.urls
from .base.views import cachedfiles, health, js_catalog, metrics, redirect, csp from .base.views import cachedfiles, csp, health, js_catalog, metrics, redirect
base_patterns = [ base_patterns = [
url(r'^download/(?P<id>[^/]+)/$', cachedfiles.DownloadView.as_view(), url(r'^download/(?P<id>[^/]+)/$', cachedfiles.DownloadView.as_view(),