CSP: Exclude PDF editor (just doesn't work in FF)

2026-05-06 15:24:02 +00:00 · 2017-09-28 18:44:12 +02:00
parent 29b157f287
commit 784f6e703c
4 changed files with 11 additions and 5 deletions
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -220,7 +220,14 @@ class SecurityMiddleware(MiddlewareMixin):
                    domain = '%s:%d' % (domain, siteurlsplit.port)
                dynamicdomain += " " + domain

-        if request.path not in self.CSP_EXEMPT:
+        if request.path not in self.CSP_EXEMPT and not getattr(resp, '_csp_ignore', False):
            resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain,
                                                                    media=mediadomain, nonce=request.csp_nonce)
+            for k, v in h.items():
+                h[k] = ' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain,
+                                          nonce=request.csp_nonce).split(' ')
+            resp['Content-Security-Policy'] = _render_csp(h)
+        elif 'Content-Security-Policy' in resp:
+            del resp['Content-Security-Policy']
+
        return resp
--- a/src/pretix/base/views/csp.py
+++ b/src/pretix/base/views/csp.py
@@ -1,8 +1,7 @@
 import json
 import logging

-from django.http import (
-    HttpResponseBadRequest, HttpResponse)
+from django.http import HttpResponse, HttpResponseBadRequest
 from django.views.decorators.csrf import csrf_exempt

 logger = logging.getLogger('pretix.security.csp')
--- a/src/pretix/plugins/ticketoutputpdf/views.py
+++ b/src/pretix/plugins/ticketoutputpdf/views.py
@@ -44,7 +44,7 @@ class EditorView(EventPermissionRequiredMixin, TemplateView):

    def get(self, request, *args, **kwargs):
        resp = super().get(request, *args, **kwargs)
-        resp['Content-Security-Policy'] = "script-src 'unsafe-eval'; style-src 'unsafe-inline'; img-src blob:; font-src data: blob:"
+        resp._csp_ignore = True
        return resp

    def process_upload(self):
--- a/src/pretix/urls.py
+++ b/src/pretix/urls.py
@@ -5,7 +5,7 @@ from django.views.generic import RedirectView
 import pretix.control.urls
 import pretix.presale.urls

-from .base.views import cachedfiles, health, js_catalog, metrics, redirect, csp
+from .base.views import cachedfiles, csp, health, js_catalog, metrics, redirect

 base_patterns = [
    url(r'^download/(?P<id>[^/]+)/$', cachedfiles.DownloadView.as_view(),