
I'm trying to set up CSP for Wagtail, but because I'm using unsafe-inline in CSP_SCRIPT_SRC it's showing as insecure on observatory.mozilla.org:

Content Security Policy (CSP) implemented unsafely.

This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.

My setup:

CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", 'unpkg.com', 'www.googletagmanager.com')
CSP_STYLE_SRC = ["'self'", "'unsafe-inline'"]
CSP_IMG_SRC = ("'self'", "'unsafe-inline'", 'https: data:')
CSP_FRAME_SRC = ("'self'", 'www.youtube-nocookie.com')
CSP_OBJECT_SRC = ["'unsafe-eval'"]
CSP_CONNECT_SRC = ["'self'", 'releases.wagtail.org/latest.txt', 'www.google-analytics.com']

Without having unsafe-inline, I get the below errors and the admin side menu disappears.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' unpkg.com www.googletagmanager.com". Either the 'unsafe-inline' keyword, a hash ('sha256-B2D5xPj6Cqf525g1afhgAHB1ntYV+95Bc11='), or a nonce ('nonce-...') is required to enable inline execution.

vendor.js?v=33f91953:2
Uncaught TypeError: Cannot destructure property 'ADMIN_API' of 'n.g.wagtailConfig' as it is undefined.
        at 434 (vendor.js?v=33f91953:2:247815)
        at r (core.js?v=33f91953:1:61223)
        at 7924 (core.js?v=33f91953:1:40333)
        at r (core.js?v=33f91953:1:61223)
        at core.js?v=33f91953:1:62545
        at r.O (core.js?v=33f91953:1:61479)
        at t (core.js?v=33f91953:1:62378)
        at vendor.js?v=33f91953:2:69
    434 @ vendor.js?v=33f91953:2
    r @ core.js?v=33f91953:1
    7924 @ core.js?v=33f91953:1
    r @ core.js?v=33f91953:1
    (anonymous) @ core.js?v=33f91953:1
    r.O @ core.js?v=33f91953:1
    t @ core.js?v=33f91953:1
    (anonymous) @ vendor.js?v=33f91953:2

vendor.js?v=33f91953:2 
Uncaught TypeError: Cannot destructure property 'ADMIN_API' of 'n.g.wagtailConfig' as it is undefined.
        at 434 (vendor.js?v=33f91953:2:247815)
        at r (sidebar.js?v=33f91953:2:51184)
        at 7534 (sidebar.js?v=33f91953:2:14432)
        at r (sidebar.js?v=33f91953:2:51184)
        at sidebar.js?v=33f91953:2:52506
        at r.O (sidebar.js?v=33f91953:2:51440)
        at sidebar.js?v=33f91953:2:52520
        at sidebar.js?v=33f91953:2:52526
squidg
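A check that can be run against the settings in the question to see which directive the Observatory rule quoted above is objecting to, and to compute the hash alternative that the browser error mentions. This is an added example, not code from the question or from django-csp: the settings dict is a constructed copy of the question's, and build_header is an assumed approximation of how CSP_* settings are joined into a header, not django-csp's own implementation.

```python
import base64
import hashlib

# Constructed copy of the question's settings, in django-csp's CSP_<DIRECTIVE> naming.
SETTINGS = {
    "CSP_DEFAULT_SRC": ("'self'",),
    "CSP_SCRIPT_SRC": ("'self'", "'unsafe-inline'", "unpkg.com", "www.googletagmanager.com"),
    "CSP_STYLE_SRC": ["'self'", "'unsafe-inline'"],
    "CSP_IMG_SRC": ("'self'", "'unsafe-inline'", "https: data:"),
    "CSP_FRAME_SRC": ("'self'", "www.youtube-nocookie.com"),
    "CSP_OBJECT_SRC": ["'unsafe-eval'"],
    "CSP_CONNECT_SRC": ["'self'", "releases.wagtail.org/latest.txt", "www.google-analytics.com"],
}

# The Observatory rule quoted in the question: 'unsafe-inline' or data: in script-src,
# overly broad sources such as https: in script-src or object-src.
UNSAFE_SOURCES = {
    "script-src": ("'unsafe-inline'", "data:", "https:"),
    "object-src": ("https:",),
}

def build_header(settings):
    """Assumed join: CSP_SCRIPT_SRC -> 'script-src <values separated by spaces>'."""
    parts = []
    for key, values in settings.items():
        directive = key[len("CSP_"):].lower().replace("_", "-")
        parts.append(f"{directive} {' '.join(values)}")
    return "; ".join(parts)

def audit(header):
    """Return the Observatory-style findings for a Content-Security-Policy value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = set(tokens[1:])
    findings = []
    for directive, unsafe in UNSAFE_SOURCES.items():
        # A missing directive falls back to default-src; no default-src means unrestricted.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append(f"{directive} not restricted")
            continue
        findings.extend(f"{directive} allows {bad}" for bad in unsafe if bad in sources)
    return findings

def script_hash(source):
    """CSP 'sha256-...' source for an inline script body, the hash option in the browser error."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode()}'"
```

Running audit(build_header(SETTINGS)) flags only script-src 'unsafe-inline'; swapping that keyword for the script_hash of each inline script (or a nonce) clears the finding, which is why Wagtail's inline config script blocks the admin until the linked issues are addressed.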

1 Answer


This is a known issue that is being worked on. Please see the following issues for details and discussion:

https://github.com/wagtail/wagtail/issues/1288

https://github.com/wagtail/wagtail/issues/7053

cnk