diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index def5dd60f5..9526faa438 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -220,7 +220,14 @@ class SecurityMiddleware(MiddlewareMixin):
 domain = '%s:%d' % (domain, siteurlsplit.port)
 dynamicdomain += " " + domain
- if request.path not in self.CSP_EXEMPT:
+ if request.path not in self.CSP_EXEMPT and not getattr(resp, '_csp_ignore', False):
 resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain, nonce=request.csp_nonce)
+ for k, v in h.items():
+ h[k] = ' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain,
+ nonce=request.csp_nonce).split(' ')
+ resp['Content-Security-Policy'] = _render_csp(h)
+ elif 'Content-Security-Policy' in resp:
+ del resp['Content-Security-Policy']
+
 return resp
diff --git a/src/pretix/base/views/csp.py b/src/pretix/base/views/csp.py
index b4a72ad011..d31a1eb667 100644
--- a/src/pretix/base/views/csp.py
+++ b/src/pretix/base/views/csp.py
@@ -1,8 +1,7 @@
 import json
 import logging
-from django.http import (
- HttpResponseBadRequest, HttpResponse)
+from django.http import HttpResponse, HttpResponseBadRequest
 from django.views.decorators.csrf import csrf_exempt
 logger = logging.getLogger('pretix.security.csp')
diff --git a/src/pretix/plugins/ticketoutputpdf/views.py b/src/pretix/plugins/ticketoutputpdf/views.py
index 64f7dfe3a8..8b6512267f 100644
--- a/src/pretix/plugins/ticketoutputpdf/views.py
+++ b/src/pretix/plugins/ticketoutputpdf/views.py
@@ -44,7 +44,7 @@ class EditorView(EventPermissionRequiredMixin, TemplateView):
 def get(self, request, *args, **kwargs):
 resp = super().get(request, *args, **kwargs)
- resp['Content-Security-Policy'] = "script-src 'unsafe-eval'; style-src 'unsafe-inline'; img-src blob:; font-src data: blob:"
+ resp._csp_ignore = True
 return resp
 def process_upload(self):
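Review bot: In the middleware hunk the unchanged line `resp['Content-Security-Policy'] = _render_csp(h).format(...)` has become dead work: the added loop expands every directive of `h` in place and the following `resp['Content-Security-Policy'] = _render_csp(h)` overwrites the header unconditionally, so the policy is rendered and formatted twice for the same result; drop the first assignment. The new `elif` branch also deletes a `Content-Security-Policy` header that the view itself set, and it does so not only when `_csp_ignore` is true but for every path in `CSP_EXEMPT`, which under the old `if` kept whatever header it carried; whether exempt paths losing their own header is intended is not visible here, and for the opted-out PDF editor it means the restrictive policy the view used to send is replaced by no policy at all. If the intent is that an opted-out view controls its own CSP, the deletion should be narrowed to the `_csp_ignore` case or removed. Since `h` is mutated during the loop, a comment such as `# h now holds fully expanded source lists; nothing below may .format() the rendered policy again` would make the ordering explicit. The enclosing method starts before the hunk.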
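Review bot: In the ticketoutputpdf hunk, `resp._csp_ignore = True` sets an underscore-prefixed attribute on a Django response object as an out-of-band signal to `SecurityMiddleware`, which picks it up via `getattr(resp, '_csp_ignore', False)`; neither end documents this contract, and the leading underscore reads as a private attribute of the response class rather than a flag pretix defines, so a future reader (or a response subclass) can break it silently. Together with the middleware change the editor page moves from the restrictive header removed here (`script-src 'unsafe-eval'; style-src 'unsafe-inline'; img-src blob:; font-src data: blob:`) to sending no Content-Security-Policy header at all, which is a wider loosening than the old line expressed and should be a conscious decision recorded in code. Add a comment on the new line, e.g. `# Opt out of SecurityMiddleware's CSP for the editor page; the middleware strips any Content-Security-Policy header when this flag is set`, and consider a documented, non-underscore flag name shared by both modules. The `get` method is fully visible; `process_upload` continues past the hunk.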
diff --git a/src/pretix/urls.py b/src/pretix/urls.py
index bc4001e462..e54741604e 100644
--- a/src/pretix/urls.py
+++ b/src/pretix/urls.py
@@ -5,7 +5,7 @@ from django.views.generic import RedirectView
 import pretix.control.urls
 import pretix.presale.urls
-from .base.views import cachedfiles, health, js_catalog, metrics, redirect, csp
+from .base.views import cachedfiles, csp, health, js_catalog, metrics, redirect
 base_patterns = [
 url(r'^download/(?P[^/]+)/$', cachedfiles.DownloadView.as_view(),