Add CSP support

2017-02-21 22:37:06 +02:00 · 2017-02-21 22:37:06 +02:00 · dfb89cacdc
parent 24124ed94b
commit dfb89cacdc
8 changed files with 58 additions and 23 deletions
--- a/network/settings/base.py
+++ b/network/settings/base.py
@ -22,6 +22,7 @@ THIRD_PARTY_APPS = (
    'allauth.account',
    'compressor',
    'djangobower',
+    'csp',
 )
 LOCAL_APPS = (
    'network.users',
@ -42,6 +43,7 @@ MIDDLEWARE_CLASSES = (
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.security.SecurityMiddleware',
+    'csp.middleware.CSPMiddleware',
 )

 # Email
@ -202,6 +204,21 @@ REST_FRAMEWORK = {

 # Security
 SECRET_KEY = getenv('SECRET_KEY', 'changeme')
+CSP_DEFAULT_SRC = (
+    "'self'",
+    'https://*.mapbox.com',
+)
+CSP_SCRIPT_SRC = (
+    "'self'",
+    'https://*.google-analytics.com',
+)
+CSP_IMG_SRC = (
+    "'self'",
+    'https://*.gravatar.com',
+    'https://*.mapbox.com',
+    'https://*.satnogs.org',
+)
+

 # Database
 DATABASE_URL = getenv('DATABASE_URL', 'sqlite:///db.sqlite3')
--- a/network/static/js/app.js
+++ b/network/static/js/app.js
@ -0,0 +1,7 @@
+$(document).ready(function() {
+    'use strict';
+
+    // Add current copyright year
+    var current_year = '-' + new Date().getFullYear();
+    $('#copy').text(current_year);
+});
--- a/network/static/js/home.js
+++ b/network/static/js/home.js
@ -3,6 +3,12 @@
 $(document).ready(function() {
    'use strict';

+    // Render Station success rate
+    var success_rate = $('.progress-bar-success').data('success-rate');
+    var percentagerest = $('.progress-bar-danger').data('percentagerest');
+    $('.progress-bar-success').css('width', success_rate + '%');
+    $('.progress-bar-danger').css('width', percentagerest + '%');
+
    var mapboxid = $('div#map').data('mapboxid');
    var mapboxtoken = $('div#map').data('mapboxtoken');
    var stations = $('div#map').data('stations');
--- a/network/static/js/station_view.js
+++ b/network/static/js/station_view.js
@ -3,9 +3,26 @@
 $(document).ready(function() {
    'use strict';

+    // Render Station success rate
+    var success_rate = $('.progress-bar-success').data('success-rate');
+    var percentagerest = $('.progress-bar-danger').data('percentagerest');
+    $('.progress-bar-success').css('width', success_rate + '%');
+    $('.progress-bar-danger').css('width', percentagerest + '%');
+
    // Reading data for station
    var station_info = $('#station-info').data();

+    // Confirm station deletion
+    var message = 'Do you really want to delete this Ground Station?';
+    var actions = $('#station-delete');
+    if (actions.length) {
+        actions[0].addEventListener('click', function(e) {
+            if (! confirm(message)) {
+                e.preventDefault();
+            }
+        });
+    }
+
    // Init the map
    var mapboxid = $('div#map-station').data('mapboxid');
    var mapboxtoken = $('div#map-station').data('mapboxtoken');
--- a/network/templates/base.html
+++ b/network/templates/base.html
@ -103,7 +103,7 @@
        <hr>
        <div class="row">
          <div class="col-md-6">
-            <span class="glyphicon glyphicon-copyright-mark" aria-hidden="true"></span> 2014<script>document.write("-"+new Date().getFullYear());</script>
+            <span class="glyphicon glyphicon-copyright-mark" aria-hidden="true"></span> 2014<span id="copy"></span>
            <a href="http://librespacefoundation.org/" target="_blank">Libre Space Foundation</a>.<br>
            <span class="glyphicon glyphicon-cloud" aria-hidden="true"></span>
            Observation data are freely distributed under the
@ -120,6 +120,7 @@
    {% compress js %}
      <script src="{% static 'lib/jquery/jquery.min.js' %}"></script>
      <script src="{% static 'lib/bootstrap/dist/js/bootstrap.min.js' %}"></script>
+      <script src="{% static 'js/app.js' %}"></script>
      {% block javascript %}
      {% endblock javascript %}
    {% endcompress %}
--- a/network/templates/base/home.html
+++ b/network/templates/base/home.html
@ -38,7 +38,7 @@
          </div>
          <div class="panel-body">
            <div class="text-center">
-              <img src="{{ MEDIA_URL }}{{ featured_station.image }}"
+              <img src="{{ featured_station.get_image }}"
                   class="img-gs-front"
                   alt="{{ featured_station.name }}"
                   title="{{ featured_station.name }}">
@ -77,10 +77,10 @@
                  <span class="label label-info">Success Rate</span>
                  <span class="gs-front-data">
                    <div class="progress" title="{{ featured_station.success_rate }}%">
-                      <div class="progress-bar progress-bar-success" style="width: {{ featured_station.success_rate }}%">
+                      <div class="progress-bar progress-bar-success" data-success-rate="{{ featured_station.success_rate }}">
                        <span class="sr-only">{{ featured_station.success_rate }}% Complete (success)</span>
                      </div>
-                      <div class="progress-bar progress-bar-danger" style="width: {{ featured_station.success_rate|percentagerest }}%">
+                      <div class="progress-bar progress-bar-danger" data-percentagerest="{{ featured_station.success_rate|percentagerest }}">
                        <span class="sr-only">{{ featured_station.success_rate|percentagerest }}% Complete (danger)</span>
                      </div>
                    </div>
--- a/network/templates/base/station_view.html
+++ b/network/templates/base/station_view.html
@ -97,10 +97,10 @@
          <span class="label label-default">Success Rate</span>
          <span class="gs-front-data">
            <div class="progress" title="{{ station.success_rate }}%">
-              <div class="progress-bar progress-bar-success" style="width: {{ station.success_rate }}%">
+              <div class="progress-bar progress-bar-success" data-success-rate="{{ station.success_rate }}">
                <span class="sr-only">{{ station.success_rate }}% Complete (success)</span>
              </div>
-              <div class="progress-bar progress-bar-danger" style="width: {{ station.success_rate|percentagerest }}%">
+              <div class="progress-bar progress-bar-danger" data-percentagerest="{{ station.success_rate|percentagerest }}">
                <span class="sr-only">{{ station.success_rate|percentagerest }}% Complete (danger)</span>
              </div>
            </div>
@ -214,18 +214,4 @@
  <script src="{% static 'js/station_view.js' %}"></script>
  <script src="{% static 'js/gridsquare.js' %}"></script>
  <script src="{% static 'js/satellite.js' %}"></script>
-
-  <script type="text/javascript">
-      (function() {
-          var message = "Do you really want to delete this Ground Station?";
-          var actions = $('#station-delete');
-          if (actions.length) {
-              actions[0].addEventListener("click", function(e) {
-                  if (! confirm(message)) {
-                      e.preventDefault();
-                  }
-              });
-          }
-      })();
-  </script>
 {% endblock javascript %}
--- a/requirements/base.txt
+++ b/requirements/base.txt
@ -1,8 +1,6 @@
-# Basic stuff
+# Basic
 django==1.10.5
 django-shortuuidfield==0.1.3
-django_compressor==2.1.1
-django-bower==5.2.0

 # Configuration
 unicode-slugify==0.1.3
@ -13,9 +11,12 @@ opbeat==3.5.2

 # Security
 django-braces==1.11.0
+django-csp==3.2

 # Images
 Pillow==4.0.0
+django_compressor==2.1.1
+django-bower==5.2.0

 # Users
 django-allauth==0.30.0