Opened 2 years ago
Closed 2 years ago
#35017 closed Cleanup/optimization (duplicate)
Template openlayers.html with inline script - Content-Security-Policy
| Reported by: | Matthieu Marrast | Owned by: | nobody |
|---|---|---|---|
| Component: | GIS | Version: | 5.0 |
| Severity: | Normal | Keywords: | CSP, Content-Security-Policies, script, unsafe-inline, inline script |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The template openlayers.html (https://github.com/django/django/blob/main/django/contrib/gis/templates/gis/openlayers.html) provides inline script:
<script>
    {% block base_layer %}
    var base_layer = new ol.layer.Tile({
        source: new ol.source.XYZ({
            attributions: "NASA Worldview",
            maxZoom: 8,
            url: "https://map1{a-c}.vis.earthdata.nasa.gov/wmts-webmerc/" +
                 "BlueMarble_ShadedRelief_Bathymetry/default/%7BTime%7D/" +
                 "GoogleMapsCompatible_Level8/{z}/{y}/{x}.jpg"
        })
    });
    {% endblock %}
    {% block options %}var options = {
        base_layer: base_layer,
        geom_name: '{{ geom_type }}',
        id: '{{ id }}',
        map_id: '{{ id }}_map',
        map_srid: {{ map_srid|unlocalize }},
        name: '{{ name }}'
    };
    {% endblock %}
    var {{ module }} = new MapWidget(options);
</script>
So to make it work with a Content-Security-Policy, we must add script-src 'unsafe-inline' in our HTTP response headers.
This is not safe. Security and pentest tools raise alerts regarding this.
Without this security policy, the map is not shown.
References:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- https://www.w3.org/TR/CSP2/
- https://www.w3.org/TR/CSP/
- https://caniuse.com/#search=content+security+policy
- https://content-security-policy.com/
- https://github.com/shapesecurity/salvation
- https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
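The point the reporter makes (a policy that executes the template's inline script must carry 'unsafe-inline', and a nonce-based policy is the way to avoid that) can be checked mechanically. The following is an example added to this page, not Django's code or part of the ticket; the img-src host for the NASA tiles is an assumption taken from the template's URL.

```python
import secrets
from typing import Dict, List

# Source expressions that, per CSP Level 2+, cause 'unsafe-inline' to be ignored.
INLINE_BYPASS_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs <script>; when absent, default-src is the fallback."""
    return policy.get("script-src", policy.get("default-src", []))


def allows_arbitrary_inline_scripts(header: str) -> bool:
    """True when any inline <script> block (such as the one in openlayers.html)
    would run: 'unsafe-inline' is present and no nonce/hash source neutralises it."""
    sources = script_sources(parse_csp(header))
    has_nonce_or_hash = any(s.startswith(INLINE_BYPASS_PREFIXES) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def new_nonce() -> str:
    """Per-response nonce: unguessable and generated fresh for every response."""
    return secrets.token_urlsafe(16)


def policy_with_nonce(nonce: str) -> str:
    """A policy that runs only inline scripts carrying this response's nonce.
    The img-src host is an assumption derived from the template's tile URL."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "img-src 'self' https://*.vis.earthdata.nasa.gov"
    )


def inline_script_tag(nonce: str, body: str) -> str:
    """How the template's <script> would have to be emitted under that policy."""
    return f'<script nonce="{nonce}">{body}</script>'
```

Both the header and the `nonce` attribute must carry the same fresh value on every response; a static nonce is equivalent to 'unsafe-inline'.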
Duplicate of #25706.