Opened 7 months ago

Closed 7 months ago

#35017 closed Cleanup/optimization (duplicate)

Template openlayers.html with inline script - Content-Security-Policy

Reported by: Matthieu Marrast Owned by: nobody
Component: GIS Version: 5.0
Severity: Normal Keywords: CSP, Content-Security-Policies, script, unsafe-inline, inline script
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The template openlayers.html (https://github.com/django/django/blob/main/django/contrib/gis/templates/gis/openlayers.html) provides inline script:

<script>
        {% block base_layer %}
            var base_layer = new ol.layer.Tile({
                source: new ol.source.XYZ({
                    attributions: "NASA Worldview",
                    maxZoom: 8,
                    url: "https://map1{a-c}.vis.earthdata.nasa.gov/wmts-webmerc/" +
                         "BlueMarble_ShadedRelief_Bathymetry/default/%7BTime%7D/" +
                         "GoogleMapsCompatible_Level8/{z}/{y}/{x}.jpg"
                })
            });
        {% endblock %}
        {% block options %}var options = {
            base_layer: base_layer,
            geom_name: '{{ geom_type }}',
            id: '{{ id }}',
            map_id: '{{ id }}_map',
            map_srid: {{ map_srid|unlocalize }},
            name: '{{ name }}'
        };
        {% endblock %}
        var {{ module }} = new MapWidget(options);
</script>

So to make it works with Content-Security-Policies, we must add script-src 'unsafe-inline' in our HTTP response headers.
This is not safe. Security and pentest tools raise alerts regarding this.

Without this security policy, the map is not shown.

References:

Change History (1)

comment:1 by Tim Graham, 7 months ago

Resolution: duplicate
Status: newclosed

Duplicate of #25706.

Note: See TracTickets for help on using tickets.
Back to Top