Allow CSP config to be set from env vars

README.md

@@ -20,12 +20,17 @@ In addition to the [base Docker image variables](https://github.com/nationalarch
 | `DEBUG`                 | If true, allow debugging[^1]                                              | `False`                                                 |
 | `WAGTAIL_API_URL`       | The base URL of the content API, including the `/api/v2` path             | _none_                                                  |
 | `SEARCH_API_URL`        | The base URL of the search API                                            | _none_                                                  |
-| `DOMAIN`                | The domain the site is hosted on, for CSP purposes                        | _none_                                                  |
-| `MEDIA_DOMAIN`          | The domain that media is served from, for CSP purposes                    | _none_                                                  |
-| `WAGTAIL_DOMAIN`        | The domain that wagtail is hosted on to allow the CMS preview             | _none_                                                  |
+| `DOMAIN`                | The domain the site is hosted on                                          | _none_                                                  |
 | `FORCE_HTTPS`           | Redirect requests to HTTPS as part of the CSP                             | _none_                                                  |
+| `CSP_IMG_SRC`           | A comma separated list of CSP rules for `img-src`                         | `'self'`                                                |
+| `CSP_SCRIPT_SRC`        | A comma separated list of CSP rules for `script-src`                      | `'self'`                                                |
+| `CSP_STYLE_SRC`         | A comma separated list of CSP rules for `style-src`                       | `'self'`                                                |
+| `CSP_FONT_SRC`          | A comma separated list of CSP rules for `font-src`                        | `'self'`                                                |
+| `CSP_CONNECT_SRC`       | A comma separated list of CSP rules for `connect-src`                     | `'self'`                                                |
+| `CSP_MEDIA_SRC`         | A comma separated list of CSP rules for `media-src`                       | `'self'`                                                |
+| `FRAME_DOMAIN_ALLOW`    | A domain from which to allow frame embedding (used in CMS previews)       | _none_                                                  |
 | `CACHE_TYPE`            | https://flask-caching.readthedocs.io/en/latest/#configuring-flask-caching | _none_                                                  |
-| `CACHE_DEFAULT_TIMEOUT` | The number of seconds to cache pages for                                  | `300`                                                   |
+| `CACHE_DEFAULT_TIMEOUT` | The number of seconds to cache pages for                                  | `300` in production, `1` in develop, `0` elsewhere      |
 | `CACHE_DIR`             | Directory for storing cached responses                                    | `/tmp`                                                  |
 | `BASE_DISCOVERY_URL`    | The base URL to allow records to have a link to Discovery                 | `https://discovery.nationalarchives.gov.uk`             |
 | `SEARCH_DISCOVERY_URL`  | The URL that accepts form posts to search discovery                       | `https://discovery.nationalarchives.gov.uk/results/r`   |

app/__init__.py

@@ -43,73 +43,29 @@ def create_app(config_class):
         },
     )
 
-    SELF = "'self'"
     Talisman(
         app,
         content_security_policy={
-            "default-src": SELF,
+            "default-src": "'self'",
             "base-uri": "'none'",
-            "img-src": [
-                SELF,
-                app.config["DOMAIN"],
-                app.config["MEDIA_DOMAIN"],
-                "https://*.google-analytics.com",
-                "https://*.googletagmanager.com",
-                "https://googletagmanager.com",
-                # "http://googletagmanager.com",
-                "https://ssl.gstatic.com",
-                "https://www.gstatic.com",
-                "https://www.nationalarchives.gov.uk",
-                "https://beta.nationalarchives.gov.uk",
-                "https://develop-sr3snxi-rasrzs7pi6sd4.uk-1.platformsh.site",
-            ],
-            "script-src": [
-                SELF,
-                "https://*.googletagmanager.com",
-                "https://googletagmanager.com",
-                # "http://googletagmanager.com",
-                "https://tagmanager.google.com",
-                # "http://tagmanager.google.com",
-            ],
-            "style-src": [
-                SELF,
-                "https://fonts.googleapis.com",
-                "https://p.typekit.net",
-                "https://use.typekit.net",
-                "https://googletagmanager.com",
-                # "http://googletagmanager.com",
-                "https://www.googletagmanager.com",
-                # "http://www.googletagmanager.com",
-                "https://tagmanager.google.com",
-                # "http://tagmanager.google.com",
-            ],
-            "font-src": [
-                SELF,
-                "https://fonts.gstatic.com",
-                "https://use.typekit.net",
-            ],
-            "connect-src": [
-                SELF,
-                "https://*.google-analytics.com",
-                "https://*.analytics.google.com",
-                "https://*.googletagmanager.com",
-            ],
-            "media-src": [
-                SELF,
-                app.config["MEDIA_DOMAIN"],
-            ],
+            "img-src": app.config["CSP_IMG_SRC"],
+            "script-src": app.config["CSP_SCRIPT_SRC"],
+            "style-src": app.config["CSP_STYLE_SRC"],
+            "font-src": app.config["CSP_FONT_SRC"],
+            "connect-src": app.config["CSP_CONNECT_SRC"],
+            "media-src": app.config["CSP_MEDIA_SRC"],
         },
         content_security_policy_nonce_in=["script-src"],
         feature_policy={
             "camera": "'none'",
-            "fullscreen": SELF,
+            "fullscreen": "'self'",
             "geolocation": "'none'",
             "microphone": "'none'",
             "screen-wake-lock": "'none'",
         },
         force_https=app.config["FORCE_HTTPS"],
         frame_options="ALLOW-FROM",
-        frame_options_allow_from=app.config["WAGTAIL_DOMAIN"],
+        frame_options_allow_from=app.config["FRAME_DOMAIN_ALLOW"],
     )
 
     app.jinja_env.trim_blocks = True

config.py

@@ -12,10 +12,16 @@ class Base(object):
     SEARCH_API_URL = os.environ.get("SEARCH_API_URL", "").rstrip("/")
 
     DOMAIN = os.environ.get("DOMAIN", "")
-    MEDIA_DOMAIN = os.environ.get("MEDIA_DOMAIN", "")
-    WAGTAIL_DOMAIN = os.environ.get("WAGTAIL_DOMAIN", "")
     FORCE_HTTPS = strtobool(os.getenv("FORCE_HTTPS", "False"))
 
+    CSP_IMG_SRC = os.environ.get("CSP_IMG_SRC", "'self'").split(",")
+    CSP_SCRIPT_SRC = os.environ.get("CSP_SCRIPT_SRC", "'self'").split(",")
+    CSP_STYLE_SRC = os.environ.get("CSP_STYLE_SRC", "'self'").split(",")
+    CSP_FONT_SRC = os.environ.get("CSP_FONT_SRC", "'self'").split(",")
+    CSP_CONNECT_SRC = os.environ.get("CSP_CONNECT_SRC", "'self'").split(",")
+    CSP_MEDIA_SRC = os.environ.get("CSP_MEDIA_SRC", "'self'").split(",")
+    FRAME_DOMAIN_ALLOW = os.environ.get("FRAME_DOMAIN_ALLOW", "")
+
     CACHE_TYPE = "FileSystemCache"
     CACHE_DEFAULT_TIMEOUT = 0
     CACHE_IGNORE_ERRORS = True

docker-compose.yml

@@ -10,11 +10,15 @@ services:
       - SECRET_KEY=abc123
       - NPM_DEVELOP_COMMAND=dev
       - WAGTAIL_API_URL=http://host.docker.internal:8000/api/v2
-      # - WAGTAIL_API_URL=https://develop-sr3snxi-rasrzs7pi6sd4.uk-1.platformsh.site/api/v2
       - SEARCH_API_URL=http://host.docker.internal:65534/api/v1
-      - DOMAIN=localhost:65535
-      - MEDIA_DOMAIN=localhost:8000
-      - WAGTAIL_DOMAIN=localhost:8000
+      - DOMAIN=http://localhost:65535
+      - CSP_IMG_SRC='self',localhost:65535,localhost:8000,https://*.google-analytics.com,https://*.googletagmanager.com,https://googletagmanager.com,http://googletagmanager.com,https://*.gstatic.com,https://*.nationalarchives.gov.uk,https://develop-sr3snxi-rasrzs7pi6sd4.uk-1.platformsh.site
+      - CSP_SCRIPT_SRC='self',https://*.googletagmanager.com,https://googletagmanager.com,http://googletagmanager.com,https://tagmanager.google.com,http://tagmanager.google.com
+      - CSP_STYLE_SRC='self',https://fonts.googleapis.com,https://p.typekit.net,https://use.typekit.net,https://googletagmanager.com,http://googletagmanager.com,https://www.googletagmanager.com,http://www.googletagmanager.com,https://tagmanager.google.com,http://tagmanager.google.com
+      - CSP_FONT_SRC='self',https://fonts.gstatic.com,https://use.typekit.net
+      - CSP_CONNECT_SRC='self',https://*.google-analytics.com,https://*.analytics.google.com,https://*.googletagmanager.com
+      - CSP_MEDIA_SRC='self',localhost:8000
+      - FRAME_DOMAIN_ALLOW=localhost:8000
       - GA4_ID=GTM-KX8ZWVZG
     ports:
       - 65535:8080