Specify unsafe-inline CSP for Swagger UI

Instead of injecting CSP nonce, which does not work because nginx configuration is overwriting the header
2 months ago · f2b0b4f298
2 changed files with 3 additions and 28 deletions
--- a/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
+++ b/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
@ -18,6 +18,9 @@ map $request_uri $csp_header {
    # The CSP for the Stripe donation page:
    # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
    "~^/donate_stripe$" "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
+    # The CSP for the API explorer Swagger UI:
+    # - "unsafe-inline" in script-src is needed for the script in the template index.html
+    "~^/api/beta/ui$" "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
 }

 server {
--- a/tildes/tildes/tweens.py
+++ b/tildes/tildes/tweens.py
@ -3,7 +3,6 @@

 """Contains Pyramid "tweens", used to insert additional logic into request-handling."""

-import secrets
 from collections.abc import Callable
 from time import time

@ -107,35 +106,8 @@ def theme_cookie_tween_factory(handler: Callable, registry: Registry) -> Callabl
    return theme_cookie_tween


-def inject_csp_header_tween_factory(handler: Callable, registry: Registry) -> Callable:
-    # pylint: disable=unused-argument
-    """Return a tween function that sets a CSP nonce (for Swagger UI)."""
-
-    def inject_csp_header_tween(request: Request) -> Response:
-        """Generate a CSP nonce and add it to the request and response.
-
-        Only apply to specific routes defined here, to minimize performance overhead.
-        """
-        nonce = None
-        route_name = request.matched_route.name if request.matched_route else None
-        if route_name == "pyramid_openapi3.explorer":
-            nonce = secrets.token_urlsafe(16)
-            request.csp_nonce = nonce
-
-        response = handler(request)
-
-        if nonce:
-            response.headers["Content-Security-Policy"] = (
-                f"script-src 'self' 'nonce-{nonce}'"
-            )
-        return response
-
-    return inject_csp_header_tween
-
-
 def includeme(config: Configurator) -> None:
    """Attach Tildes tweens to the Pyramid config."""
    config.add_tween("tildes.tweens.http_method_tween_factory")
    config.add_tween("tildes.tweens.metrics_tween_factory")
    config.add_tween("tildes.tweens.theme_cookie_tween_factory")
-    config.add_tween("tildes.tweens.inject_csp_header_tween_factory")