Address Wagtail CSP issues #6052

escattone · 2024-06-06T23:54:42Z

Highlights

This PR ensures a tight CSP policy for Wagtail CMS login page (/cms/login/), but loosens the policy with unsafe-inline for script-src and style-src for all of the other Wagtail CMS pages (/cms/*), which are currently restricted to Mozilla LDAP users.
It looks possible to remove unsafe-inline for all of the non-login Wagtail CMS pages, but that'll require calculating some hashes for scripts that are constant, overriding about 17 other templates (by copying most of their code) and adding a nonce to all of their inline scripts, and that's only what I know so far. There may be more. All of that work is postponed until a later date. Hopefully, Wagtail will resolve more of their CSP issues before we need to tackle that, but I think we'll need to tackle that at the point when we're ready to open the Wagtail CMS to users outside of Mozilla.
It adds a new wagtail.scss file that's built by our usual webpack flow and included in all of the Wagtail CMS pages, so we can add our own CSS as needed.
It overrides wagtail/admin/templates/wagtailadmin/admin_base.html with kitsune/sumo/templates/wagtailadmin/admin_base.html to include a nonce to secure the inline script it contains. It's not clean in the sense that it copies code from Wagtail, but I couldn't see any other way forward.

escattone added 2 commits June 6, 2024 15:07

remove most Wagtail CSP violations but keep tight CSP

cd3f96d

relax CSP for now when behind LDAP

61b0315

escattone requested review from akatsoulas and smithellis June 7, 2024 23:37

akatsoulas approved these changes Jun 12, 2024

View reviewed changes

escattone merged commit dbe82a5 into mozilla:main Jun 12, 2024
2 checks passed

escattone deleted the resolve-wagtail-csp-issues-1817 branch June 12, 2024 17:22

escattone mentioned this pull request Jun 14, 2024

adjust CSP for wagtail admin console #6067

Merged