I have an issue with the CSP header and how to set its parameters in settings.py in my Django app.
Do you know how to set up the script and style sources, and how to put in 'unsafe-inline' and 'style-src-elem'? Can someone explain how the parameters work?
settings.py
MIDDLEWARE = [
    'csp.middleware.CSPMiddleware',
    ...
]
CSP_DEFAULT_SRC = ("'none'", )
CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "fonts.googleapis.com", 'https://stackpath.bootstrapcdn.com')
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", "ajax.googleapis.com", "www.googletagmanager.com", "www.google-analytics.com", 'https://cdn.jsdelivr.net', 'https://code.jquery.com', 'https://ajax.cloudflare.com', 'http://cdnjs.cloudflare.com/ajax/libs/highlightjs-line-numbers.js/')
CSP_IMG_SRC = ("'self'", "data:", "www.googletagmanager.com", "www.google-analytics.com")
CSP_FONT_SRC = ("'self'", "'unsafe-inline'", "fonts.gstatic.com",'https://fonts.cdnfonts.com', 'https://stackpath.bootstrapcdn.com')
CSP_CONNECT_SRC = ("'self'", )
CSP_OBJECT_SRC = ("'none'", )
CSP_BASE_URI = ("'none'", )
CSP_FRAME_ANCESTORS = ("'none'", )
CSP_FORM_ACTION = ("'self'", )
CSP_INCLUDE_NONCE_IN = ('script-src','script-src-elem')
CSP_REPORT_ONLY = True
Error returned in the Google Chrome console on localhost:
Do you know what I should do? Is there an easier way?
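As an added example (not django-csp's own code), here is an approximation of how django-csp-style settings turn into a header: each CSP_<DIRECTIVE> setting maps to a directive, CSP_INCLUDE_NONCE_IN appends a per-response nonce, CSP_REPORT_ONLY selects the header name, and a small lint flags two things visible in the settings above: 'unsafe-inline' next to a nonce (browsers ignore it once a nonce or hash is present) and a source missing the ':' in its scheme. The settings dict is constructed for the example.

```python
import secrets

# Constructed settings in the django-csp style used in the question above
# (illustrative builder, not django-csp's own implementation).
SETTINGS = {
    "CSP_DEFAULT_SRC": ("'none'",),
    "CSP_STYLE_SRC": ("'self'", "'unsafe-inline'", "fonts.googleapis.com"),
    "CSP_STYLE_SRC_ELEM": ("'self'", "https://stackpath.bootstrapcdn.com"),
    "CSP_SCRIPT_SRC": ("'self'", "'unsafe-inline'", "ajax.googleapis.com",
                       "'unsafe-inline'", "https//ajax.cloudflare.com"),
    "CSP_FRAME_ANCESTORS": ("'none'",),
    "CSP_INCLUDE_NONCE_IN": ("script-src", "script-src-elem"),
    "CSP_REPORT_ONLY": True,
}

# Settings that control behaviour but are not directives themselves.
NON_DIRECTIVES = {"CSP_INCLUDE_NONCE_IN", "CSP_REPORT_ONLY", "CSP_EXCLUDE_URL_PREFIXES"}


def build_csp(settings, nonce=None):
    """Return (header_name, header_value, warnings) for django-csp style settings."""
    nonce = nonce or secrets.token_urlsafe(16)  # one fresh nonce per response
    directives = {}
    for key, sources in settings.items():
        if not key.startswith("CSP_") or key in NON_DIRECTIVES:
            continue
        # CSP_STYLE_SRC_ELEM -> style-src-elem, CSP_FRAME_ANCESTORS -> frame-ancestors
        name = key[4:].lower().replace("_", "-")
        directives[name] = list(dict.fromkeys(sources))  # drop duplicates, keep order
    for name in settings.get("CSP_INCLUDE_NONCE_IN", ()):
        # a directive listed only here (e.g. script-src-elem) is created with just the nonce
        directives.setdefault(name, []).append(f"'nonce-{nonce}'")
    warnings = []
    for name, sources in directives.items():
        if "'unsafe-inline'" in sources and any(s.startswith(("'nonce-", "'sha")) for s in sources):
            warnings.append(f"{name}: 'unsafe-inline' is ignored once a nonce/hash is present")
        for s in sources:
            if not s.startswith("'") and "//" in s and "://" not in s:
                warnings.append(f"{name}: malformed source {s!r} (missing ':' in scheme)")
    value = "; ".join(f"{n} {' '.join(srcs)}" for n, srcs in directives.items())
    header = "Content-Security-Policy-Report-Only" if settings.get("CSP_REPORT_ONLY") else "Content-Security-Policy"
    return header, value, warnings


if __name__ == "__main__":
    header, value, warnings = build_csp(SETTINGS)
    print(f"{header}: {value}")
    for w in warnings:
        print("WARNING", w)
```

Setting CSP_REPORT_ONLY to True, as in the question, means violations are only reported to the console and never blocked, so switch it off once the policy is clean.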
I have a Django app that is embedded in Shopify. It is working fine in all other browsers except Safari. In Safari there is the above-mentioned issue in the log, and I get an internal server error for all other functionalities of the app. This is the part of my settings.py with the CSP settings:
CSP_FRAME_ANCESTORS = ("'self'", 'https://*.myshopify.com')
# default source as self
CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", "'unsafe-eval'", "https://fonts.gstatic.com")
# style from our domain and bootstrapcdn
CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "https://fonts.googleapis.com")
# scripts from our domain and other domains
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", "'unsafe-eval'")
# images from our domain and other domains
CSP_IMG_SRC = ("'self'", "https://*.s3.amazonaws.com", "data:", "https://cdn.shopify.com")
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = True
XS_SHARING_ALLOWED_METHODS = ['POST', 'GET', 'PUT']
CSRF_COOKIE_SAMESITE = 'None'
CSRF_COOKIE_SECURE = True
STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles')
CSRF_TRUSTED_ORIGINS = [config('CSRF_TRUSTED_ORIGINS')]
Can anyone tell me what the issue is here?
The implemented support for the various levels and directives of CSP differs between browsers. Safari only recently added support for worker-src, see https://caniuse.com/?search=worker-src. If you upgrade to a more recent version it will probably work for you. However, you should also consider whether your user base is ready and define fallbacks for other browsers if necessary.
Help me, where am I going wrong?
My settings.py:
LANGUAGE_CODE = 'fr'
# LANGUAGE_COOKIE_NAME = 'LANGUAGES'
LOCALE_PATHS = (os.path.join(BASE_DIR, 'authentication/locale'),)
LANGUAGES = (
    ('fr', _('France')),
    ('en-us', _('English (US)')),
)
My views.py:
from django.conf import settings
from django.shortcuts import redirect
from django.utils import translation


def set_language(request):
    language = request.POST.get('language', settings.LANGUAGE_CODE)
    next_link = request.POST.get('next', "/")
    # note: the submitted language is read above but never used; 'fr' is always activated
    user_language = 'fr'
    translation.activate(user_language)
    request.session[translation.LANGUAGE_SESSION_KEY] = "fr"
    return redirect(next_link)
On my local environment it works fine, but it is not working on Heroku. Please help.
I'm trying to configure my site to pass the tests at:
https://observatory.mozilla.org
https://csp-evaluator.withgoogle.com/
I've been looking at this blog post. I'm using the Django app called django-csp to implement this. My Django settings in production are as follows:
# Content Security Policy
CSP_DEFAULT_SRC = ("'none'", )
CSP_STYLE_SRC = ("'self'", "fonts.googleapis.com", "'sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI='")
CSP_SCRIPT_SRC = ("'self'", )
CSP_IMG_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'", "fonts.gstatic.com")
CSP_CONNECT_SRC = ("'self'", )
CSP_OBJECT_SRC = ("'none'", )
CSP_BASE_URI = ("'none'", )
CSP_FRAME_ANCESTORS = ("'self'", 'https://example.com/', 'https://example.com/')
CSP_FORM_ACTION = ("'self'", )
CSP_INCLUDE_NONCE_IN = ('script-src',)
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_SSL_REDIRECT = True
X_FRAME_OPTIONS = 'DENY'
SECURE_HSTS_SECONDS = 60
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
Yet, when I run the aforementioned tests I fail, even though I have the above setup. Moreover, in Chrome dev tools I receive no errors, which is great.
Anyone have advice on this please?
Thanks
Update:
I'm deploying the app via Heroku. When I test the appname.herokuapp.com url with Mozilla Observatory, I pass all the tests.
It seems that when I forward the domain appname.herokuapp.com to mywebsite.com, some settings are skipped? I failed the tests with mywebsite.com
I have added the CNAME www to be the value of the custom Heroku DNS.
Indeed, my issue was in the way I had configured my DNS settings. I kept my Django production settings as is (see above).
I added a custom domain in my Heroku settings and used the auto-generated server name in my CNAME settings in Cloudflare.
Then I ran a check in Mozilla Observatory and passed the tests.
I am trying to get django-social-auth to work with google logins.
I logged into the Google dev console > created a project > created a new client ID in credentials as a web application, which gave me the ID and secret.
I then get an error when I click the link on my site to log on with Google:
WrongBackend at /login/google-oauth2/
Incorrect authentication service "google-oauth2"
Here are my settings in settings.py:
AUTHENTICATION_BACKENDS = (
    'social.backends.open_id.OpenIdAuth',
    'social.backends.google.GoogleOpenId',
    'social.backends.google.GoogleOAuth2',
    'social.backends.google.GoogleOAuth',
    'social.backends.twitter.TwitterOAuth',
    'social.backends.yahoo.YahooOpenId',
    'django.contrib.auth.backends.ModelBackend',
)
TEMPLATE_CONTEXT_PROCESSORS = (
    'social.apps.django_app.context_processors.backends',
    'social.apps.django_app.context_processors.login_redirect',
    'django.contrib.auth.context_processors.auth',
)
LOGIN_URL = '/login/'
LOGIN_REDIRECT_URL = '/oauth2callback/'
LOGIN_ERROR_URL = '/login-error/'
SOCIAL_AUTH_DEFAULT_USERNAME = 'new_social_auth_user'
SOCIAL_AUTH_UID_LENGTH = 16
SOCIAL_AUTH_ASSOCIATION_HANDLE_LENGTH = 16
SOCIAL_AUTH_NONCE_SERVER_URL_LENGTH = 16
SOCIAL_AUTH_ASSOCIATION_SERVER_URL_LENGTH = 16
SOCIAL_AUTH_ASSOCIATION_HANDLE_LENGTH = 16
SOCIAL_AUTH_ENABLED_BACKENDS = 'google'
GOOGLE_OAUTH2_CLIENT_ID = 'id.apps.googleusercontent.com'
GOOGLE_OAUTH2_CLIENT_SECRET = 'client_secret'
Does anyone know why I get that message? Thanks
Based on the AUTHENTICATION_BACKENDS you mentioned, it seems you use python-social-auth (not django-social-auth), which uses a different syntax for declaring the key and secret.
Reference: python-social-auth documentation
SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = 'id.apps.googleusercontent.com'
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = 'client_secret'
I am trying to enable logging in via Facebook, Twitter and Google OAuth2. I am using the main documentation https://django-social-auth.readthedocs.org/en/latest/index.html. I have also used http://c2journal.com/2013/01/24/social-logins-with-django/
I have put all the necessary configurations in place. Here is my settings.py:
....
AUTHENTICATION_BACKENDS = (
    'social_auth.backends.twitter.TwitterBackend',
    'social_auth.backends.facebook.FacebookBackend',
    'social_auth.backends.google.GoogleOAuthBackend',
    'social_auth.backends.google.GoogleOAuth2Backend',
    'social_auth.backends.google.GoogleBackend',
    'django.contrib.auth.backends.ModelBackend',
)
.....
TEMPLATE_CONTEXT_PROCESSORS = (
    "social_auth.context_processors.social_auth_by_type_backends",
    "django.contrib.auth.context_processors.auth",
)
......
SOCIAL_AUTH_ENABLED_BACKENDS = ('google','facebook','twitter')
.....
FACEBOOK_APP_ID='**********'
FACEBOOK_API_SECRET='**********************'
FACEBOOK_APP_NAMESPACE = '********_app'
FACEBOOK_EXTENDED_PERMISSIONS = ['email']
GOOGLE_OAUTH2_CLIENT_ID = '***************'
GOOGLE_OAUTH2_CLIENT_SECRET = '**************************'
TWITTER_CONSUMER_KEY = '***************'
TWITTER_CONSUMER_SECRET = '**********************'
........
INSTALLED_APPS = (
    ............
    'social_auth',
)
I have added social-auth to my urls.py too:
(r'^accounts/login/$', 'django.contrib.auth.views.login',
    {'template_name': 'login.html'}),
(r'^accounts/logout/$', 'django.contrib.auth.views.logout_then_login'),
.....
urlpatterns = patterns('',
    ...
    url(r'', include('social_auth.urls')),
    ...
)
On my login.html page, here is how I have called the links:
<div>Login with Facebook</div>
<div>Login with Twitter</div>
<div>Login with Google</div>
The problem, however, is that every time I try logging in via any of these services, it seems the App ID is missing.
I get this error on Facebook: Invalid App ID: None, and this one on Twitter: Only unicode objects are escapable. Got None of type .. Google doesn't work either, but it tells me I cannot use raw IP addresses. I am using the server IP address. Please help.
I figured out what the problem was. I had installed python-social-auth and then installed django-social-auth. My application was still using the python-social-auth package.
Using the python-social-auth syntax for naming configuration variables, I added the prefix SOCIAL_AUTH_ to my config variables so that they now look like this:
SOCIAL_AUTH_FACEBOOK_SECRET='*******************'
SOCIAL_AUTH_FACEBOOK_APP_NAMESPACE = '*******'
SOCIAL_AUTH_FACEBOOK_EXTENDED_PERMISSIONS = ['email']
SOCIAL_AUTH_TWITTER_KEY = '********'
SOCIAL_AUTH_TWITTER_SECRET = '************'
SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = '*************************************'
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = '****************'
I can now log in. Thanks
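Both of the answers above come down to the same silent failure: python-social-auth only reads SOCIAL_AUTH_<BACKEND>_KEY / _SECRET, so the django-social-auth names are ignored and the backend ends up with None. The following is an added startup check (not part of either library) that derives the expected setting names from a backend name such as 'google-oauth2' (assumed convention: upper-case, '-' replaced by '_') and flags missing keys and legacy names; the settings dict is constructed for the example.

```python
# django-social-auth name -> python-social-auth name, as shown in the posts above.
LEGACY_NAMES = {
    "GOOGLE_OAUTH2_CLIENT_ID": "SOCIAL_AUTH_GOOGLE_OAUTH2_KEY",
    "GOOGLE_OAUTH2_CLIENT_SECRET": "SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET",
    "FACEBOOK_APP_ID": "SOCIAL_AUTH_FACEBOOK_KEY",
    "FACEBOOK_API_SECRET": "SOCIAL_AUTH_FACEBOOK_SECRET",
    "TWITTER_CONSUMER_KEY": "SOCIAL_AUTH_TWITTER_KEY",
    "TWITTER_CONSUMER_SECRET": "SOCIAL_AUTH_TWITTER_SECRET",
}


def setting_prefix(backend_name):
    """'google-oauth2' -> 'SOCIAL_AUTH_GOOGLE_OAUTH2' (assumed python-social-auth convention)."""
    return "SOCIAL_AUTH_" + backend_name.upper().replace("-", "_")


def check_social_settings(settings, backend_names):
    """Return a list of problems: missing/empty KEY or SECRET, and legacy names that are ignored."""
    problems = []
    for name in backend_names:
        prefix = setting_prefix(name)
        for suffix in ("_KEY", "_SECRET"):
            if not settings.get(prefix + suffix):
                problems.append(f"{name}: {prefix + suffix} is missing or empty")
    for legacy, new in LEGACY_NAMES.items():
        if legacy in settings and new not in settings:
            problems.append(f"{legacy} is a django-social-auth name; rename it to {new}")
    return problems


# Constructed sample reproducing the misconfiguration from the first question above:
# Google credentials under the old names, Twitter under the correct ones.
SAMPLE_SETTINGS = {
    "GOOGLE_OAUTH2_CLIENT_ID": "id.apps.googleusercontent.com",
    "GOOGLE_OAUTH2_CLIENT_SECRET": "client_secret",
    "SOCIAL_AUTH_TWITTER_KEY": "twitter-key",
    "SOCIAL_AUTH_TWITTER_SECRET": "twitter-secret",
}

if __name__ == "__main__":
    for problem in check_social_settings(SAMPLE_SETTINGS, ["google-oauth2", "twitter"]):
        print(problem)
```

Run it from a Django system check or at import time of settings.py with the real settings module's `__dict__` and the names of the backends you expose in AUTHENTICATION_BACKENDS.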