Add testing notes about CSP (#428)

Co-authored-by: Thibaud Colas <thibaudcolas@gmail.com>
pull/430/head
Storm Heg 2023-06-30 16:10:07 +02:00 committed by GitHub
parent 72fa09f9f4
commit a359f63701
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 2 deletions

View file

@ -1,6 +1,9 @@
# This file contains Content Security Policy (CSP) directives.
# This file contains Content Security Policy (CSP) directives to test Wagtail's compatibility with CSP.
# If the variables defined here are loaded into the environment, CSP will be enabled.
# These values are commented out by default because Wagtail is not (yet) compatible with
# the strict policy defined below.
# Careful about the quoting of directives! It is easy to break.
# CSP_DEFAULT_SRC="'self'"
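Review bot: the new header comment refers to "the strict policy defined below", but the only directive visible in this hunk is the commented-out `CSP_DEFAULT_SRC="'self'"`; either say what "strict" means here (a `'self'`-only default source with no other source allowances) or list the remaining directives so a tester knows which lines to uncomment. The warning `# Careful about the quoting of directives! It is easy to break.` would be more useful if it explained why: the value is passed through to the environment as-is, so the inner single quotes are the literal keyword quotes that CSP requires around `self`, and an unquoted `self` is parsed as a host name rather than the keyword, which silently changes the policy without any startup error.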

View file

@ -155,7 +155,7 @@ Next, we'll set up our local environment variables. We use [django-dotenv](https
to help with this. It reads environment variables located in a file name `.env` in the top level directory of the project. The only variable we need to start is `DJANGO_SETTINGS_MODULE`:
cp bakerydemo/settings/local.py.example bakerydemo/settings/local.py
touch .env
cp .env.example .env
To set up your database and load initial data, run the following commands:
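Review bot: swapping `touch .env` for `cp .env.example .env` leaves the preceding sentence ("The only variable we need to start is `DJANGO_SETTINGS_MODULE`") slightly misleading, because the copied file now also carries the commented-out CSP directives; a reader following the quick start who uncomments them enables a policy the README says Wagtail is not yet compatible with. Suggest a short clause after the `cp` line noting that `.env.example` ships with CSP settings commented out and pointing to the new CSP testing section.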
@ -208,6 +208,13 @@ In production on your own site, you'll need to change this to:
and configure [SMTP settings](https://docs.djangoproject.com/en/3.2/topics/email/#smtp-backend) appropriate for your email provider.
## Testing Content-Security-Policy compliance in Wagtail
Bakerydemo is set up in such a way that it can be used to test [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) compatibility in Wagtail. It uses [django-csp](https://django-csp.readthedocs.io/en/latest/index.html) to generate the appropriate [CSP HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
By default, `django-csp` is not enabled since Wagtail isn't fully compatible yet. Set the `CSP_DEFAULT_SRC` environment variable in your `.env` file to set the default policy. An example can be found in `.env.example`.
### Ownership of demo content
All content in the demo is public domain. Textual content in this project is either sourced from Wikimedia (Wikipedia for blog posts, [Wikibooks for recipes](https://en.wikibooks.org/wiki/Cookbook:Table_of_Contents)) or is lorem ipsum. All images are from either Wikimedia Commons or other copyright-free sources.
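Review bot: placing `## Testing Content-Security-Policy compliance in Wagtail` directly before `### Ownership of demo content` makes the ownership text a subsection of the CSP section, which it is not; either move the new section after the ownership paragraph or promote that heading to `##`. The section also explains how to enable the policy but not how to confirm it is active: a sentence telling the tester to check the response for the `Content-Security-Policy` header and to watch the browser console for violation reports would complete the procedure, and stating whether the policy is enforced or report-only once `CSP_DEFAULT_SRC` is set would tell the tester what signal (a blocked asset versus a report) identifies an incompatibility.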