wagtail: A list of widgets breaking strict Content-Security-Policy (CSP) directives
Is your proposal related to a problem?
Wagtail uses inline javascript and styles to provide useful feedback to the user. This causes conflicts with CSP directives.
This issue attempts to list all of the potential places this occurs in the Wagtail codebase.
Directives to be reviewed:
- script-src ((completed 2021-04-21))
- img-src
- font-src
- style-src ((completed 2021-04-21))
Extra Notes
- The JS library
modernizer-2.6.2.min.jsis blocked by thestyle-src: 'self'CSP. You can trigger this by visiting /admin/
script-src: ‘self’
Wagtail Admin
Wagtail Admin Templates
-
wagtail/admin/templates/wagtailadmin/
-
wagtail/admin/templates/wagtailadmin/edit_handlers/
- wagtail/admin/templates/wagtailadmin/edit_handlers/inline_panel.html need to inspect how code is injected here to see if there are more ways this might break CSP
-
wagtail/admin/templates/wagtailadmin/home/
-
wagtail/admin/templates/wagtailadmin/pages/
- wagtail/admin/templates/wagtailadmin/pages/listing/_button_with_dropdown.html NOTE: need to inspect if this breaks CSP
- wagtail/admin/templates/wagtailadmin/pages/workflow_history/detail.html
- wagtail/admin/templates/wagtailadmin/pages/workflow_history/index.html
- wagtail/admin/templates/wagtailadmin/pages/_editor_js.html
- wagtail/admin/templates/wagtailadmin/pages/create.html NOTE: see comments above code linked here and check if relevant of if CSP still interprets this as an inline script
- wagtail/admin/templates/wagtailadmin/pages/edit.html NOTE: see comments above code linked here and check if relevant of if CSP still interprets this as an inline script
- wagtail/admin/templates/wagtailadmin/pages/index.html
- wagtail/admin/templates/wagtailadmin/pages/preview_error.html NOTE: need to inspect if this breaks CSP
- wagtail/admin/templates/wagtailadmin/pages/search.html
-
wagtail/admin/templates/wagtailadmin/permissions/includes/
-
wagtail/admin/templates/wagtailadmin/reports/
-
wagtail/admin/templates/wagtailadmin/shared/
- wagtail/admin/templates/wagtailadmin/shared/locale_selector.html NOTE: need to inspect if this breaks CSP
-
wagtail/admin/templates/wagtailadmin/widgets/
- wagtail/admin/templates/wagtailadmin/widgets/auto_height_text_input.html
- wagtail/admin/templates/wagtailadmin/widgets/date_input.html
- wagtail/admin/templates/wagtailadmin/widgets/datetime_input.html
- wagtail/admin/templates/wagtailadmin/widgets/draftail_rich_text_area.html
- wagtail/admin/templates/wagtailadmin/widgets/hallo_rich_text_area.html
- wagtail/admin/templates/wagtailadmin/widgets/tag_widget.html
- wagtail/admin/templates/wagtailadmin/widgets/time_input.html
-
wagtail/admin/templates/wagtailadmin/workflows/
Wagtail Contrib
- wagtail/contrib/forms/templates/wagtailforms/index_submissions.html#L7-L81
- wagtail/contrib/modeladmin/templates/modeladmin/prepopulated_slugs.html#L2-L6
- https://wagtail/contrib/modeladmin/templates/modeladmin/includes/search_form.html#L19
- wagtail/contrib/redirects/templates/wagtailredirects/choose_import_file.html#L7-L13
- wagtail/contrib/redirects/templates/wagtailredirects/index.html#L9-L15
- wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/add.html#L45-L52
- wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/edit.html#L37-L44
- wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/index.html#L7-L13
- wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/includes/searchpromotions_formset.html#L9-L13
- wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L913-L926
Wagtail Documents
- wagtail/documents/templates/wagtaildocs/documents/add.html#L12-L18
- wagtail/documents/templates/wagtaildocs/documents/edit.html#L12-L18
- wagtail/documents/templates/wagtaildocs/documents/index.html#L6-L18
- wagtail/documents/templates/wagtaildocs/multiple/add.html#L60-L76
- wagtail/documents/templates/wagtaildocs/multiple/add.html#L94-L101
Wagtail Images
- wagtail/images/templates/wagtailimages/images/add.html#L12-L18
- wagtail/images/templates/wagtailimages/images/edit.html#L20-L26
- wagtail/images/templates/wagtailimages/images/index.html#L9-L21
- wagtail/images/templates/wagtailimages/multiple/add.html#L60-L82
- wagtail/images/templates/wagtailimages/multiple/add.html#L104-L117
Wagtail Snippets
Wagtail Users
- wagtail/users/templates/wagtailusers/groups/index.html#L6-L12
- wagtail/users/templates/wagtailusers/groups/includes/page_permissions_formset.html#L45-L51
- wagtail/users/templates/wagtailusers/users/index.html#L6-L16
Wagtail Utils
- wagtail/utils/widgets.py#L30 NOTE: this uses a unique approach in all of the wagtail codebase to inject inline scripts
style-src: ‘self’
Wagtail Embeds
Wagtail Admin
- wagtail/admin/templates/wagtailadmin/home/upgrade_notification.html#L3
- wagtail/admin/templates/wagtailadmin/notifications/base.html#L7-L82
- wagtail/admin/templates/wagtailadmin/notifications/base.html#L84
- wagtail/admin/templates/wagtailadmin/notifications/base.html#L89
- wagtail/admin/templates/wagtailadmin/notifications/base.html#L95
- wagtail/admin/templates/wagtailadmin/notifications/base.html#L105
- wagtail/admin/templates/wagtailadmin/notifications/base.html#L107
- wagtail/admin/templates/wagtailadmin/notifications/base.html#L117
- wagtail/admin/templates/wagtailadmin/pages/add_subpage.html#L23
- wagtail/admin/templates/wagtailadmin/pages/confirm_delete.html#L31
- wagtail/admin/templates/wagtailadmin/pages/edit_alias.html#L5
- wagtail/admin/templates/wagtailadmin/pages/search_results.html#L19
- wagtail/admin/templates/wagtailadmin/pages/search_results.html#L26
- wagtail/admin/templates/wagtailadmin/pages/workflow_history/index.html#L11
- wagtail/admin/templates/wagtailadmin/permissions/includes/collection_member_permissions_formset.html#L31
- wagtail/admin/templates/wagtailadmin/shared/icons.html#L2
- wagtail/admin/templates/wagtailadmin/shared/locale_selector.html#L4
- wagtail/admin/templates/wagtailadmin/userbar/base.html#L9
- wagtail/admin/templates/wagtailadmin/workflows/includes/workflow_pages_formset.html#L28
Contrib
- wagtail/contrib/forms/templates/wagtailforms/list_submissions.html#L10
- wagtail/contrib/modeladmin/templates/modeladmin/index.html#L65
- wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/includes/searchpromotion_form.html#L2
- wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L327
- wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L336
- wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L345
- wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L468-L474
- wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L757
- wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L777
- wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L789-L803
Documents
- wagtail/documents/templates/wagtaildocs/multiple/add.html#L54
- wagtail/documents/templates/wagtaildocs/multiple/add.html#L65
Embeds
Images
- wagtail/images/templates/wagtailimages/images/edit.html#L66
- wagtail/images/templates/wagtailimages/multiple/add.html#L54
- wagtail/images/templates/wagtailimages/multiple/add.html#L66
Users
About this issue
- Original URL
- State: open
- Created 3 years ago
- Reactions: 3
- Comments: 15 (6 by maintainers)
Commits related to this issue
- redirects import page does not need header search JS - relates to #7053 — committed to lb-/wagtail by lb- 2 years ago
- redirects import page does not need header search JS - relates to #7053 — committed to lb-/wagtail by lb- 2 years ago
- redirects import page does not need header search JS - relates to #7053 — committed to wagtail/wagtail by lb- 2 years ago
- Replaced script tags with template tag for image/document bulk uploads - Fixes #10033 - Partial work on #7053 — committed to rishabhDev2700/wagtail by rishabhDev2700 a year ago
- Replaced script tags with template tag for image/document bulk uploads - Fixes #10033 - Partial work on #7053 — committed to wagtail/wagtail by rishabhDev2700 a year ago
- Remove WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Remove WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Remove WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Migrate submit translation bulk toggle to Stimulus Controller (w-bulk) - Closes #10247 - adding BulkController files and removing {% block extra_js %} from submit_translation.html - add unit tests fo... — committed to Hanoon02/wagtail by Hanoon02 a year ago
- Migrate submit translation bulk toggle to Stimulus Controller (w-bulk) - Closes #10247 - adding BulkController files and removing {% block extra_js %} from submit_translation.html - add unit tests fo... — committed to wagtail/wagtail by Hanoon02 a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
- Deprecate WidgetWithScript - potentially unsafe and no longer used - Avoid inline scripts in the test code, this approach is no longer recommended and causes CSP non-compliance - Relates to #7053 — committed to lb-/wagtail by lb- a year ago
Reading up / based on our discussion in Slack, we’ll need to get rid of those
style=""attributes in HTML/Python, and in JavaScript switch any usage ofsetAttribute('style')to adding individual properties on thestyleDOM attribute: https://stackoverflow.com/a/29089970/1798491.I couldn’t see any
setAttribute('style')in Wagtail’s JS code, but there could be in our dependencies.For
styleattributes in HTML, I could see two based on the list above that will be tricky to change:Does some clever math. This would either require a
<style>attribute with a nonce and adding styles via a unique id to each iframe… or I think we might be able to refactor this to use the more modernaspect-ratioCSS property.This might be easier by setting the values via JS.
All the other
styleattributes in HTML can either be replaced with CSS classes, or thehiddenHTML attribute.