14 changes: 10 additions & 4 deletions bedrock/settings/__init__.py
@@ -109,12 +109,12 @@
"www.googletagmanager.com",
"www.youtube.com",
csp.constants.UNSAFE_EVAL,
@janbrasna janbrasna Jan 16, 2026

[unrelated] Wondering whether to be adding UNSAFE_EVAL only if DEV? (Is there a risk of missing any legit use when this would always be allowed in dev, incl. demos, but never in prod/stage?)

csp.constants.UNSAFE_INLINE,
# Don't allow csp.constants.UNSAFE_INLINE wholesale in the default CSP. Be more targetted with it
Copilot AI Jan 26, 2026

Corrected spelling of 'targetted' to 'targeted'.

Suggested change
# Don't allow csp.constants.UNSAFE_INLINE wholesale in the default CSP. Be more targetted with it
# Don't allow csp.constants.UNSAFE_INLINE wholesale in the default CSP. Be more targeted with it

}

_csp_style_src = {
csp.constants.SELF,
CSP_ASSETS_HOST,
csp.constants.UNSAFE_INLINE,
"cdn.transcend.io", # Transcend Consent Management
"transcend-cdn.com", # Transcend Consent Management
}
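Review bot: the replacement comment on the default script source says to be more targeted with csp.constants.UNSAFE_INLINE, but nothing in this hunk shows where that targeted allowance now lives, and the matching removal from _csp_style_src carries no conditional either, so the Transcend-only handling referenced in the discussion is not visible in the settings; either show the gated branch here or point the comment at the path override that carries it. Once 'unsafe-inline' leaves style-src, every inline <style> block and style= attribute in the templates is blocked unless it carries a nonce or hash, so run the report-only policy across the demos before enforcing. Also "targetted" should be "targeted", and the UNSAFE_EVAL question raised above deserves the same treatment: gate it on DEV so the production header never contains 'unsafe-eval'.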
Comment on lines 115 to 120
Copilot AI Jan 26, 2026

The removal of unsafe-inline from _csp_style_src may break styling functionality if Transcend or other components require inline styles. The PR description mentions that unsafe-inline should only be available if Transcend is enabled, but this code doesn't show conditional logic for that. Consider verifying that inline styles are properly handled either through nonces or that all inline styles have been eliminated.

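The Transcend-conditional 'unsafe-inline' and the enforced/report-only pairing discussed in this thread, as an added Python example (not bedrock's code): override_csp is a hypothetical stand-in for bedrock's _override_csp, the keyword literals are assumed to match csp.constants, and the assets host is a constructed placeholder.

```python
from copy import deepcopy
from typing import Dict, Optional, Set, Tuple

# Literal CSP keywords standing in for csp.constants.SELF / UNSAFE_INLINE (assumed equal).
SELF = "'self'"
UNSAFE_INLINE = "'unsafe-inline'"
CSP_ASSETS_HOST = "assets.example.invalid"  # constructed placeholder, not bedrock's host
TRANSCEND_HOSTS = {"cdn.transcend.io", "transcend-cdn.com"}


def style_src(transcend_enabled: bool) -> Set[str]:
    """Default style-src: the Transcend CDNs and 'unsafe-inline' only when Transcend is on."""
    sources = {SELF, CSP_ASSETS_HOST}
    if transcend_enabled:
        sources |= TRANSCEND_HOSTS | {UNSAFE_INLINE}
    return sources


def override_csp(policy: Dict, replace: Optional[Dict] = None, append: Optional[Dict] = None) -> Dict:
    """Hypothetical stand-in for bedrock's _override_csp: copy the policy, replace whole
    directives, then union extra sources into existing ones (never mutates the input)."""
    new = deepcopy(policy)
    directives = new["DIRECTIVES"]
    for name, sources in (replace or {}).items():
        directives[name] = set(sources)
    for name, sources in (append or {}).items():
        directives[name] = set(directives.get(name, ())) | set(sources)
    return new


def admin_policies(base: Dict, base_ro: Optional[Dict]) -> Tuple[Dict, Optional[Dict]]:
    """Apply one override spec to the enforced and the report-only policy so they cannot drift."""
    spec = dict(replace={"frame-ancestors": {SELF}}, append={"script-src": {UNSAFE_INLINE}})
    enforced = override_csp(base, **spec)
    report_only = override_csp(base_ro, **spec) if base_ro else None
    return enforced, report_only


def ineffective_unsafe_inline(policy: Dict) -> list:
    """Directives where 'unsafe-inline' sits beside a nonce or hash source: CSP Level 2
    browsers ignore 'unsafe-inline' there, so the allowance silently does nothing."""
    strong = ("'nonce", "'sha256-", "'sha384-", "'sha512-")  # "'nonce" also matches a placeholder
    return [
        name
        for name, sources in policy["DIRECTIVES"].items()
        if UNSAFE_INLINE in sources and any(s.startswith(strong) for s in sources)
    ]
```

ineffective_unsafe_inline is the check to run before trusting an 'unsafe-inline' append on a directive that may already carry a nonce.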
@@ -208,8 +208,14 @@ def _override_csp(
# /cms-admin/images/ loads just-uploaded images as blobs.
CMS_ADMIN_IMAGES_CSP = _override_csp(CONTENT_SECURITY_POLICY, append={"img-src": {"blob:"}})
CMS_ADMIN_IMAGES_CSP_RO = csp_ro_report_uri and _override_csp(CONTENT_SECURITY_POLICY_REPORT_ONLY, append={"img-src": {"blob:"}})
# The CMS admin frames itself for page previews.
CMS_ADMIN_CSP = _override_csp(CONTENT_SECURITY_POLICY, replace={"frame-ancestors": {csp.constants.SELF}})


# The CMS admin frames itself for page previews and needs script-src: 'unsafe-inline'
CMS_ADMIN_CSP = _override_csp(
CONTENT_SECURITY_POLICY,
replace={"frame-ancestors": {csp.constants.SELF}},
append={"script-src": {csp.constants.UNSAFE_INLINE}},
)
CMS_ADMIN_CSP_RO = csp_ro_report_uri and _override_csp(CONTENT_SECURITY_POLICY_REPORT_ONLY, replace={"frame-ancestors": {csp.constants.SELF}})

CSP_PATH_OVERRIDES = {
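Review bot: CMS_ADMIN_CSP now appends 'unsafe-inline' to script-src, but CMS_ADMIN_CSP_RO two lines below still only replaces frame-ancestors, so the report-only header for the admin will keep reporting inline-script violations that the enforced header allows; give the report-only policy the same append, ideally by building both from one shared override spec. The new comment should also name what in the CMS admin needs inline script, since this widens the XSS blast radius on the admin path and a nonce would be the narrower fix. Two caveats: confirm that append unions into the existing script-src rather than replacing it, and if the base policy already puts a nonce or hash source in script-src, browsers implementing CSP Level 2 ignore 'unsafe-inline' in that directive, so the allowance would silently do nothing.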