Remove CSP nonces

README.md

@@ -21,14 +21,14 @@ In addition to the [base Docker image variables](https://github.com/nationalarch
 | `WAGTAIL_API_URL`       | The base URL of the content API, including the `/api/v2` path             | _none_                                                  |
 | `SEARCH_API_URL`        | The base URL of the search API                                            | _none_                                                  |
 | `DOMAIN`                | The domain the site is hosted on                                          | _none_                                                  |
-| `FORCE_HTTPS`           | Redirect requests to HTTPS as part of the CSP                             | _none_                                                  |
 | `CSP_IMG_SRC`           | A comma separated list of CSP rules for `img-src`                         | `'self'`                                                |
 | `CSP_SCRIPT_SRC`        | A comma separated list of CSP rules for `script-src`                      | `'self'`                                                |
 | `CSP_STYLE_SRC`         | A comma separated list of CSP rules for `style-src`                       | `'self'`                                                |
 | `CSP_FONT_SRC`          | A comma separated list of CSP rules for `font-src`                        | `'self'`                                                |
 | `CSP_CONNECT_SRC`       | A comma separated list of CSP rules for `connect-src`                     | `'self'`                                                |
 | `CSP_MEDIA_SRC`         | A comma separated list of CSP rules for `media-src`                       | `'self'`                                                |
 | `FRAME_DOMAIN_ALLOW`    | A domain from which to allow frame embedding (used in CMS previews)       | _none_                                                  |
+| `FORCE_HTTPS`           | Redirect requests to HTTPS as part of the CSP                             | _none_                                                  |
 | `CACHE_TYPE`            | https://flask-caching.readthedocs.io/en/latest/#configuring-flask-caching | _none_                                                  |
 | `CACHE_DEFAULT_TIMEOUT` | The number of seconds to cache pages for                                  | `300` in production, `1` in develop, `0` elsewhere      |
 | `CACHE_DIR`             | Directory for storing cached responses                                    | `/tmp`                                                  |

app/__init__.py

@@ -48,14 +48,14 @@ def create_app(config_class):
         content_security_policy={
             "default-src": "'self'",
             "base-uri": "'none'",
+            "object-src": "'none'",
             "img-src": app.config["CSP_IMG_SRC"],
             "script-src": app.config["CSP_SCRIPT_SRC"],
             "style-src": app.config["CSP_STYLE_SRC"],
             "font-src": app.config["CSP_FONT_SRC"],
             "connect-src": app.config["CSP_CONNECT_SRC"],
             "media-src": app.config["CSP_MEDIA_SRC"],
         },
-        content_security_policy_nonce_in=["script-src"],
         feature_policy={
             "camera": "'none'",
             "fullscreen": "'self'",

app/templates/base.html

@@ -262,6 +262,6 @@
 {% endblock %}
 
 {% block bodyEnd %}
-<script src="{{ url_for('static', filename='main.min.js') }}" nonce="{{ csp_nonce() }}" defer></script>
-<script src="{{ url_for('static', filename='analytics.min.js') }}" nonce="{{ csp_nonce() }}" defer></script>
+<script src="{{ url_for('static', filename='main.min.js') }}" defer></script>
+<script src="{{ url_for('static', filename='analytics.min.js') }}" defer></script>
 {% endblock %}

app/templates/explore-the-collection/article-focused.html

@@ -147,6 +147,6 @@ <h2 class="etna-author-list__heading tna-heading-s">Author{{ 's' if page_data.au
 {% endblock %}
 
 {% block bodyEnd %}
-<script src="{{ url_for('static', filename='article.min.js') }}" nonce="{{ csp_nonce() }}" defer></script>
+<script src="{{ url_for('static', filename='article.min.js') }}" defer></script>
 {{ super() }}
 {% endblock %}

app/templates/explore-the-collection/article.html

@@ -88,6 +88,6 @@ <h1 class="tna-hgroup__title" itemprop="name">{{ page_data.title }}</h1>
 {% endblock %}
 
 {% block bodyEnd %}
-<script src="{{ url_for('static', filename='article.min.js') }}" nonce="{{ csp_nonce() }}" defer></script>
+<script src="{{ url_for('static', filename='article.min.js') }}" defer></script>
 {{ super() }}
 {% endblock %}

config.py

@@ -12,7 +12,6 @@ class Base(object):
     SEARCH_API_URL = os.environ.get("SEARCH_API_URL", "").rstrip("/")
 
     DOMAIN = os.environ.get("DOMAIN", "")
-    FORCE_HTTPS = strtobool(os.getenv("FORCE_HTTPS", "False"))
 
     CSP_IMG_SRC = os.environ.get("CSP_IMG_SRC", "'self'").split(",")
     CSP_SCRIPT_SRC = os.environ.get("CSP_SCRIPT_SRC", "'self'").split(",")
@@ -21,6 +20,7 @@ class Base(object):
     CSP_CONNECT_SRC = os.environ.get("CSP_CONNECT_SRC", "'self'").split(",")
     CSP_MEDIA_SRC = os.environ.get("CSP_MEDIA_SRC", "'self'").split(",")
     FRAME_DOMAIN_ALLOW = os.environ.get("FRAME_DOMAIN_ALLOW", "")
+    FORCE_HTTPS = strtobool(os.getenv("FORCE_HTTPS", "False"))
 
     CACHE_TYPE = "FileSystemCache"
     CACHE_DEFAULT_TIMEOUT = 0
@@ -58,11 +58,10 @@ class Base(object):
 class Production(Base):
     ENVIRONMENT = "production"
 
-    # TODO: This invalidates the CSP nonces
-    CACHE_DEFAULT_TIMEOUT = int(os.environ.get("CACHE_DEFAULT_TIMEOUT", 300))
-
     FORCE_HTTPS = strtobool(os.getenv("FORCE_HTTPS", "True"))
 
+    CACHE_DEFAULT_TIMEOUT = int(os.environ.get("CACHE_DEFAULT_TIMEOUT", 300))
+
 
 class Develop(Base):
     ENVIRONMENT = "develop"

docker-compose.yml

@@ -12,11 +12,11 @@ services:
       - WAGTAIL_API_URL=http://host.docker.internal:8000/api/v2
       - SEARCH_API_URL=http://host.docker.internal:65534/api/v1
       - DOMAIN=http://localhost:65535
-      - CSP_IMG_SRC='self',localhost:65535,localhost:8000,https://*.google-analytics.com,https://*.googletagmanager.com,https://googletagmanager.com,http://googletagmanager.com,https://*.gstatic.com,https://*.nationalarchives.gov.uk,https://develop-sr3snxi-rasrzs7pi6sd4.uk-1.platformsh.site
-      - CSP_SCRIPT_SRC='self',https://*.googletagmanager.com,https://googletagmanager.com,http://googletagmanager.com,https://tagmanager.google.com,http://tagmanager.google.com
-      - CSP_STYLE_SRC='self',https://fonts.googleapis.com,https://p.typekit.net,https://use.typekit.net,https://googletagmanager.com,http://googletagmanager.com,https://www.googletagmanager.com,http://www.googletagmanager.com,https://tagmanager.google.com,http://tagmanager.google.com
-      - CSP_FONT_SRC='self',https://fonts.gstatic.com,https://use.typekit.net
-      - CSP_CONNECT_SRC='self',https://*.google-analytics.com,https://*.analytics.google.com,https://*.googletagmanager.com
+      - CSP_IMG_SRC='self',localhost:65535,localhost:8000,*.google-analytics.com,*.googletagmanager.com,googletagmanager.com,*.gstatic.com,*.nationalarchives.gov.uk,*.platformsh.site
+      - CSP_SCRIPT_SRC='self',*.googletagmanager.com,googletagmanager.com,tagmanager.google.com
+      - CSP_STYLE_SRC='self',fonts.googleapis.com,p.typekit.net,use.typekit.net,googletagmanager.com,www.googletagmanager.com,tagmanager.google.com
+      - CSP_FONT_SRC='self',fonts.gstatic.com,use.typekit.net
+      - CSP_CONNECT_SRC='self',*.google-analytics.com,*.analytics.google.com,*.googletagmanager.com
       - CSP_MEDIA_SRC='self',localhost:8000
       - FRAME_DOMAIN_ALLOW=localhost:8000
       - GA4_ID=GTM-KX8ZWVZG