From 6db6594159bf4e434a67c80481281e2ee20f58c3 Mon Sep 17 00:00:00 2001
From: Steve Jalim
Date: Thu, 8 Jan 2026 11:21:27 +0000
Subject: [PATCH 1/3] fix: Remove `script-src: unsafe-inline` for main Web deployment; retain for CMS deployment
---
 bedrock/settings/__init__.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index c2af68e423c..ed8373557aa 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -109,7 +109,7 @@
 "www.googletagmanager.com",
 "www.youtube.com",
 csp.constants.UNSAFE_EVAL,
- csp.constants.UNSAFE_INLINE,
+ # Don't allow csp.constants.UNSAFE_INLINE wholesale in the default CSP. Only allow hashed/nonced inline scripts, r
 }
 _csp_style_src = {
 csp.constants.SELF,
@@ -208,8 +208,18 @@ def _override_csp(
 # /cms-admin/images/ loads just-uploaded images as blobs.
 CMS_ADMIN_IMAGES_CSP = _override_csp(CONTENT_SECURITY_POLICY, append={"img-src": {"blob:"}})
 CMS_ADMIN_IMAGES_CSP_RO = csp_ro_report_uri and _override_csp(CONTENT_SECURITY_POLICY_REPORT_ONLY, append={"img-src": {"blob:"}})
-# The CMS admin frames itself for page previews.
-CMS_ADMIN_CSP = _override_csp(CONTENT_SECURITY_POLICY, replace={"frame-ancestors": {csp.constants.SELF}})
+
+
+# The CMS admin frames itself for page previews and needs script-src: allow-inline
+cms_admin_script_src = deepcopy(_csp_script_src)
+cms_admin_script_src.add(csp.constants.UNSAFE_INLINE)
+CMS_ADMIN_CSP = _override_csp(
+ CONTENT_SECURITY_POLICY,
+ replace={
+ "frame-ancestors": {csp.constants.SELF},
+ "script-src": cms_admin_script_src,
+ },
+)
 CMS_ADMIN_CSP_RO = csp_ro_report_uri and _override_csp(CONTENT_SECURITY_POLICY_REPORT_ONLY, replace={"frame-ancestors": {csp.constants.SELF}})
 
 CSP_PATH_OVERRIDES = {
From cd00db6411ead1672b85041632fcaa9fbcb1403f Mon Sep 17 00:00:00 2001
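Review bot: CMS_ADMIN_CSP now carries script-src 'unsafe-inline' for the CMS admin, but the paired report-only policy on the following context line, CMS_ADMIN_CSP_RO, still only replaces frame-ancestors, so the Report-Only header will keep reporting every inline script in the admin as a violation while the enforced policy allows it — unlike the img-src pair three lines up, where the same append is applied to both policies. The same mismatch survives the rewrite in the `@@ -211,14 +211,10 @@` hunk of patch 2/3. If the report-only policy is meant to mirror the enforced one, mirror the change: `CMS_ADMIN_CSP_RO = csp_ro_report_uri and _override_csp(CONTENT_SECURITY_POLICY_REPORT_ONLY, replace={"frame-ancestors": {csp.constants.SELF}}, append={"script-src": {csp.constants.UNSAFE_INLINE}})` (patch 2's hunk shows `_override_csp` accepting `replace` and `append` together; its definition is outside the diff). If the divergence is deliberate, a short comment on the CMS_ADMIN_CSP_RO line saying so would stop the next reader from "fixing" it.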
From: Steve Jalim
Date: Thu, 8 Jan 2026 11:22:59 +0000
Subject: [PATCH 2/3] fix: ensure `style-src: unsafe-inline` is only available when Transcend is enabled
Note that the previous cut of the code didn't add style-src: unsafe inline only in Transcend mode: it was enabled all the time
---
 bedrock/settings/__init__.py | 12 ++++-------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index ed8373557aa..bdaca405ec7 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -109,12 +109,12 @@
 "www.googletagmanager.com",
 "www.youtube.com",
 csp.constants.UNSAFE_EVAL,
- # Don't allow csp.constants.UNSAFE_INLINE wholesale in the default CSP. Only allow hashed/nonced inline scripts, r
+ # Don't allow csp.constants.UNSAFE_INLINE wholesale in the default CSP. Be more targetted with it
 }
+
 _csp_style_src = {
 csp.constants.SELF,
 CSP_ASSETS_HOST,
- csp.constants.UNSAFE_INLINE,
 "cdn.transcend.io", # Transcend Consent Management
 "transcend-cdn.com", # Transcend Consent Management
 }
@@ -211,14 +211,10 @@ def _override_csp(
 
 
 # The CMS admin frames itself for page previews and needs script-src: allow-inline
-cms_admin_script_src = deepcopy(_csp_script_src)
-cms_admin_script_src.add(csp.constants.UNSAFE_INLINE)
 CMS_ADMIN_CSP = _override_csp(
 CONTENT_SECURITY_POLICY,
- replace={
- "frame-ancestors": {csp.constants.SELF},
- "script-src": cms_admin_script_src,
- },
+ replace={"frame-ancestors": {csp.constants.SELF}},
+ append={"script-src": {csp.constants.UNSAFE_INLINE}},
 )
 CMS_ADMIN_CSP_RO = csp_ro_report_uri and _override_csp(CONTENT_SECURITY_POLICY_REPORT_ONLY, replace={"frame-ancestors": {csp.constants.SELF}})
 
From 95a6a893c07a1e7ef6b2c33baead5d838b6d95dd Mon Sep 17 00:00:00 2001
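Review bot: The replacement comment inside `_csp_script_src`, `# Don't allow csp.constants.UNSAFE_INLINE wholesale in the default CSP. Be more targetted with it`, misspells "targeted" and does not say where the targeted allowance lives, which is the one thing someone auditing this policy wants to know; something like `# No csp.constants.UNSAFE_INLINE here: the default script-src must not allow arbitrary inline scripts. The CMS admin gets it via the append in CMS_ADMIN_CSP below.` would carry the intent. For style-src this hunk only removes `csp.constants.UNSAFE_INLINE`, while the subject line says it stays available when Transcend is enabled; the conditional re-addition is not in this diff, so if it lives elsewhere in the file a one-line comment at the removal site pointing to it would make the policy auditable from one place. Dropping 'unsafe-inline' from style-src also blocks `style=` attributes, not just `<style>` blocks, so any template relying on them will start failing outside the Transcend case — worth watching the report-only policy's reports before enforcing.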
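Review bot: Appending `csp.constants.UNSAFE_INLINE` to script-src for the CMS admin only takes effect if the resulting directive carries no nonce or hash source: from CSP Level 2 on, browsers ignore 'unsafe-inline' in a script-src that also lists a nonce- or sha-source, and the comment this patch replaces in the `@@ -109` hunk refers to hashed/nonced inline scripts, so the rest of `_csp_script_src` (outside this hunk) or a per-request nonce may already make this override a no-op. Worth checking in a browser that inline scripts actually run on the CMS admin after this change and recording what was found next to the comment, e.g. `# 'unsafe-inline' is honoured here only because script-src carries no nonce/hash source; adding one would silently disable it.` — only if that is the case. The relaxation presumably applies to every path CSP_PATH_OVERRIDES routes to CMS_ADMIN_CSP, which is reasonable for an authenticated admin but makes that mapping the thing to keep tight.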
From: Steve Jalim
Date: Mon, 26 Jan 2026 17:40:17 +0400
Subject: [PATCH 3/3] Fix comment
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 bedrock/settings/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index bdaca405ec7..ec3b397da15 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -210,7 +210,7 @@ def _override_csp(
 CMS_ADMIN_IMAGES_CSP_RO = csp_ro_report_uri and _override_csp(CONTENT_SECURITY_POLICY_REPORT_ONLY, append={"img-src": {"blob:"}})
 
 
-# The CMS admin frames itself for page previews and needs script-src: allow-inline
+# The CMS admin frames itself for page previews and needs script-src: 'unsafe-inline'
 CMS_ADMIN_CSP = _override_csp(
 CONTENT_SECURITY_POLICY,
 replace={"frame-ancestors": {csp.constants.SELF}},