Opened 12 months ago
Closed 12 months ago
#35017 closed Cleanup/optimization (duplicate)
Template openlayers.html with inline script - Content-Security-Policy
Reported by: | Matthieu Marrast | Owned by: | nobody |
---|---|---|---|
Component: | GIS | Version: | 5.0 |
Severity: | Normal | Keywords: | CSP, Content-Security-Policies, script, unsafe-inline, inline script |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The template openlayers.html (https://github.com/django/django/blob/main/django/contrib/gis/templates/gis/openlayers.html) provides inline script:
<script> {% block base_layer %} var base_layer = new ol.layer.Tile({ source: new ol.source.XYZ({ attributions: "NASA Worldview", maxZoom: 8, url: "https://map1{a-c}.vis.earthdata.nasa.gov/wmts-webmerc/" + "BlueMarble_ShadedRelief_Bathymetry/default/%7BTime%7D/" + "GoogleMapsCompatible_Level8/{z}/{y}/{x}.jpg" }) }); {% endblock %} {% block options %}var options = { base_layer: base_layer, geom_name: '{{ geom_type }}', id: '{{ id }}', map_id: '{{ id }}_map', map_srid: {{ map_srid|unlocalize }}, name: '{{ name }}' }; {% endblock %} var {{ module }} = new MapWidget(options); </script>
So to make it works with Content-Security-Policies, we must add script-src 'unsafe-inline'
in our HTTP response headers.
This is not safe. Security and pentest tools raise alerts regarding this.
Without this security policy, the map is not shown.
References:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- https://www.w3.org/TR/CSP2/
- https://www.w3.org/TR/CSP/
- https://caniuse.com/#search=content+security+policy
- https://content-security-policy.com/
- https://github.com/shapesecurity/salvation
- https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
Note:
See TracTickets
for help on using tickets.
Duplicate of #25706.