Django-CSP without unsafe-inline?

I am trying to set up CSP for Wagtail, but because of what I use in CSP_SCRIPT_SRC, observatory.mozilla.org reports it as unsafe:

    Content Security Policy (CSP) implemented unsafely.

    This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.

My settings:

    CSP_DEFAULT_SRC = ("'self'",)
    CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", 'unpkg.com', 'www.googletagmanager.com')
    CSP_STYLE_SRC = ["'self'", "'unsafe-inline'"]
    CSP_IMG_SRC = ("'self'", "'unsafe-inline'", 'https: data:')
    CSP_FRAME_SRC = ("'self'", 'www.youtube-nocookie.com')
    CSP_OBJECT_SRC = ["'unsafe-eval'"]
    CSP_CONNECT_SRC = ["'self'", 'releases.wagtail.org/latest.txt', 'www.google-analytics.com']

Without 'unsafe-inline', I get the following errors and the admin sidebar menu disappears.

    Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' unpkg.com www.googletagmanager.com". Either the 'unsafe-inline' keyword, a hash ('sha256-B2D5xPj6Cqf525g1afhgAHB1ntYV+95Bc11='), or a nonce ('nonce-...') is required to enable inline execution.

    vendor.js?v=33f91953:2
    Uncaught TypeError: Cannot destructure property 'ADMIN_API' of 'n.g.wagtailConfig' as it is undefined.
        at 434 (vendor.js?v=33f91953:2:247815)
        at r (core.js?v=33f91953:1:61223)
        at 7924 (core.js?v=33f91953:1:40333)
        at r (core.js?v=33f91953:1:61223)
        at core.js?v=33f91953:1:62545
        at r.O (core.js?v=33f91953:1:61479)
        at t (core.js?v=33f91953:1:62378)
        at vendor.js?v=33f91953:2:69
    434 @ vendor.js?v=33f91953:2
    r @ core.js?v=33f91953:1
    7924 @ core.js?v=33f91953:1
    r @ core.js?v=33f91953:1
    (anonymous) @ core.js?v=33f91953:1
    r.O @ core.js?v=33f91953:1
    t @ core.js?v=33f91953:1
    (anonymous) @ vendor.js?v=33f91953:2

    vendor.js?v=33f91953:2
    Uncaught TypeError: Cannot destructure property 'ADMIN_API' of 'n.g.wagtailConfig' as it is undefined.
        at 434 (vendor.js?v=33f91953:2:247815)
        at r (sidebar.js?v=33f91953:2:51184)
        at 7534 (sidebar.js?v=33f91953:2:14432)
        at r (sidebar.js?v=33f91953:2:51184)
        at sidebar.js?v=33f91953:2:52506
        at r.O (sidebar.js?v=33f91953:2:51440)
        at sidebar.js?v=33f91953:2:52520
        at sidebar.js?v=33f91953:2:52526

1 Answer

This is a known issue that is being worked on. Details and discussion can be found in the following issues:

https://github.com/wagtail/wagtail/issues/1288

https://github.com/wagtail/wagtail/issues/7053
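The browser error in the question points at the two ways to keep inline scripts without 'unsafe-inline': a hash or a nonce. The following added example (not code from the question, from Wagtail or from django-csp) shows how a script-src hash is computed, how a CSP_SCRIPT_SRC tuple can carry such hashes instead of 'unsafe-inline', and a check that flags the sources Observatory objects to; the inline snippet and the host names are constructed stand-ins.

```python
import base64
import hashlib

# Constructed inline snippet standing in for an admin bootstrap script that
# defines window.wagtailConfig; it is not Wagtail's real code.
INLINE_SCRIPT = 'window.wagtailConfig = {"ADMIN_API": {"PAGES": "/admin/api/main/pages/"}};'

# Source expressions Observatory reports as unsafe inside script-src.
UNSAFE_SCRIPT_SOURCES = ("'unsafe-inline'", "data:", "https:", "http:", "*")


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ('sha256-<base64>') for an inline script.

    The digest covers the exact bytes between <script> and </script>, whitespace
    included, so any change to the snippet invalidates the hash.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def hashed_script_src(inline_scripts, *hosts: str) -> tuple:
    """Build a CSP_SCRIPT_SRC tuple for django-csp: 'self', one hash per
    permitted inline snippet, then the external hosts, and no 'unsafe-inline'."""
    return ("'self'",) + tuple(csp_hash(s) for s in inline_scripts) + hosts


def script_src(*sources: str) -> str:
    """Join sources into the script-src directive string the browser sees."""
    return "script-src " + " ".join(sources)


def unsafe_script_sources(directive_value: str) -> list:
    """Return the script-src sources that would make Observatory mark the
    policy as 'implemented unsafely'; an empty list means it passes."""
    sources = directive_value.split()[1:]  # drop the 'script-src' keyword
    return [s for s in sources if s in UNSAFE_SCRIPT_SOURCES]


if __name__ == "__main__":
    before = script_src("'self'", "'unsafe-inline'", "unpkg.com", "www.googletagmanager.com")
    after = script_src(*hashed_script_src([INLINE_SCRIPT], "unpkg.com", "www.googletagmanager.com"))
    print("before:", before, "->", unsafe_script_sources(before))
    print("after: ", after, "->", unsafe_script_sources(after))
```

Hashes only work while the admin's inline snippets stay byte-for-byte stable; django-csp's per-request nonce (CSP_INCLUDE_NONCE_IN, with request.csp_nonce in templates) is the other route, but it only covers templates that actually emit the nonce attribute.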
