Skip to content

Support Content-Security-Policies via nonce values #2480

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 3, 2024
Merged

Support Content-Security-Policies via nonce values #2480

merged 1 commit into from
Aug 3, 2024

Conversation

samuelhwilliams
Copy link
Contributor

@samuelhwilliams samuelhwilliams commented Jul 24, 2024
edited
Loading

Content-Security-Policy is a common way of restricting which assets (javascript, styles, etc) are loaded by the browser as a way of preventing a number of vulnerabilities.

Flask-Admin loads a fair amount of JavaScript and styling to support its functionality, and previously it has been difficult to get this to pass CSP checks.

We can add support for CSP by taking a CSP nonce generator and using that to inject a nonce value wherever we load these resources (either asking the client to download files or with inline scripts/styles).

fixes: #2344

@samuelhwilliams samuelhwilliams mentioned this pull request Jul 24, 2024
Closed
@samuelhwilliams samuelhwilliams force-pushed the support-csp-nonces branch 2 times, most recently from 4c8b4b8 to 02126dc Compare July 24, 2024 22:40
@samuelhwilliams samuelhwilliams mentioned this pull request Jul 24, 2024
Open
19 tasks
@samuelhwilliams samuelhwilliams force-pushed the support-csp-nonces branch 2 times, most recently from 5e5f7d4 to e47d0d6 Compare August 1, 2024 19:09
@samuelhwilliams samuelhwilliams marked this pull request as ready for review August 1, 2024 19:09
@samuelhwilliams
Support Content-Security-Policies via nonce values
fef1357 
Content-Security-Policy is a common way of restricting which assets
(javascript, styles, etc) are loaded by the browser as a way of
preventing a number of vulnerabilities.

Flask-Admin loads a fair amount of JavaScript and styling to support its
functionality, and previously it has been difficult to get this to pass
CSP checks.

We can add support for CSP by taking a CSP nonce generator and using
that to inject a nonce value wherever we load these resources (either
asking the client to download files or with inline scripts/styles).
@samuelhwilliams samuelhwilliams merged commit e4cf27e into master Aug 3, 2024
12 checks passed
@samuelhwilliams samuelhwilliams deleted the support-csp-nonces branch August 3, 2024 17:56
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 18, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Content-Security-Policy is blocking inline data
1 participant
@samuelhwilliams