Beispiel #1
0
def signal_process_response(sender, request: HttpRequest,
                            response: HttpResponse, **kwargs):
    if 'Content-Security-Policy' in response:
        h = _parse_csp(response['Content-Security-Policy'])
    else:
        h = {}

    sources = [
        'frame-src', 'style-src', 'script-src', 'img-src', 'connect-src'
    ]

    envs = ['test', 'live', 'live-au', 'live-us']

    csps = {
        src:
        ['https://checkoutshopper-{}.adyen.com'.format(env) for env in envs]
        for src in sources
    }

    # Adyen unfortunatly applies styles through their script-src
    # Also, the unsafe-inline needs to specified within single quotes!
    csps['style-src'].append("'unsafe-inline'")

    _merge_csp(h, csps)

    if h:
        response['Content-Security-Policy'] = _render_csp(h)
    return response
    def process_response(self, request, resp):
        h = {
            'script-src': [
                # Whitelist siteimprove urls in CSP.
                'https://siteimproveanalytics.com', 'https://*.siteimprove.com',
                # Whitelist cookieinformation urls and inline scripts.
                'https://*.cookieinformation.com', '\'unsafe-inline\'', '\'unsafe-eval\''
            ],
            'connect-src': ['https://*.cookieinformation.com'],
            'frame-src': ['https://*.cookieinformation.com'],
            'img-src': [
                'https://*.siteimprove.com',
                # The cookie consent form loads an image.
                'https://*.aarhus.dk'
            ],
            # Siteimprove adds inline styling.
            'style-src': ['\'unsafe-inline\''],
        }

        # Copied from super().process_response
        if 'Content-Security-Policy' in resp:
            _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))
        resp['Content-Security-Policy'] = _render_csp(h)

        return super().process_response(request, resp)
Beispiel #3
0
def signal_process_response(sender, request: HttpRequest,
                            response: HttpResponse, **kwargs):
    if 'Content-Security-Policy' in response:
        h = _parse_csp(response['Content-Security-Policy'])
    else:
        h = {}

    _merge_csp(h, {
        'frame-src': ['https://map.closer2event.com'],
    })

    if h:
        response['Content-Security-Policy'] = _render_csp(h)
    return response
Beispiel #4
0
def signal_process_response(sender, request: HttpRequest,
                            response: HttpResponse, **kwargs):
    provider = WirecardSettingsHolder(sender)
    url = resolve(request.path_info)
    if provider.settings.get(
            '_enabled', as_type=bool) and ("checkout" in url.url_name
                                           or "order.pay" in url.url_name):
        if 'Content-Security-Policy' in response:
            h = _parse_csp(response['Content-Security-Policy'])
        else:
            h = {}

        _merge_csp(h, {
            'form-action': ['checkout.wirecard.com'],
        })

        if h:
            response['Content-Security-Policy'] = _render_csp(h)
    return response
def signal_process_response(sender, request, response, **kwargs):
    # TODO: enable js only when question is asked
    # url = resolve(request.path_info)
    h = {}
    if 'Content-Security-Policy' in response:
        h = _parse_csp(response['Content-Security-Policy'])
    _merge_csp(
        h,
        {
            'style-src': [
                "'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='",
                "'sha256-O+AX3tWIOimhuzg+lrMfltcdtWo7Mp2Y9qJUkE6ysWE='",
            ],
            # Chrome correctly errors out without this CSP
            'connect-src': [
                "wss://bridge.walletconnect.org/",
            ],
            'manifest-src': ["'self'"],
        })
    response['Content-Security-Policy'] = _render_csp(h)
    return response
Beispiel #6
0
def signal_process_response(sender, request: HttpRequest,
                            response: HttpResponse, **kwargs):
    from .payment import BraintreeCC

    provider = BraintreeCC(sender)
    url = resolve(request.path_info)
    if provider.is_enabled and ("checkout" in url.url_name
                                or "order.pay" in url.url_name):
        if 'Content-Security-Policy' in response:
            h = _parse_csp(response['Content-Security-Policy'])
        else:
            h = {}

        _merge_csp(
            h, {
                'script-src': [
                    'js.braintreegateway.com', 'assets.braintreegateway.com',
                    'www.paypalobjects.com'
                ],
                'img-src': [
                    'assets.braintreegateway.com', 'checkout.paypal.com',
                    'data:'
                ],
                'child-src': ['assets.braintreegateway.com', 'c.paypal.com'],
                'frame-src': ['assets.braintreegateway.com', 'c.paypal.com'],
                'connect-src': [
                    'api.sandbox.braintreegateway.com',
                    'api.braintreegateway.com',
                    'client-analytics.braintreegateway.com',
                    'client-analytics.sandbox.braintreegateway.com'
                ],
            })

        if h:
            response['Content-Security-Policy'] = _render_csp(h)
    return response