I4 implement csp (#21)

.env.sample

@@ -18,3 +18,5 @@ ALLOWED_HOSTS=.loophole.site,.ngrok-free.app,.ngrok.app,.ngrok.io,127.0.0.1,loca
 MAIZEY_JWT_SECRET=secret
 # By default it is set to False running in Prod. For Development set = True, this will enable debugpy for remote debugging
 DEBUGPY_ENABLE=True
+#  A comma separated list of domains where you want to allow the application to be framed
+CSP_FRAME_ANCESTORS=canvas-test.it.umich.edu

backend/settings.py

@@ -13,7 +13,6 @@
 import os, logging
 from pathlib import Path
 from decouple import config
-# from csp.constants import SELF, UNSAFE_INLINE
 
 logger = logging.getLogger(__name__)
 logging.basicConfig(level='INFO')
@@ -38,10 +37,13 @@
 allowed_hosts = config('ALLOWED_HOSTS', '')
 ALLOWED_HOSTS = [host.strip() for host in allowed_hosts.split(',')]
 
+
 APPEND_SLASH=False
 CSRF_COOKIE_SECURE = True
 SESSION_COOKIE_SAMESITE =  None
 CSRF_COOKIE_SAMESITE = None
+SECURE_PROXY_SSL_HEADER =('HTTP_X_FORWARDED_PROTO', 'https')
+USE_X_FORWARDED_HOST = True
 
 
 # Application definition
@@ -54,23 +56,21 @@
     'django.contrib.messages',
     "whitenoise.runserver_nostatic",
     'django.contrib.staticfiles',
+    'django_mysql',
     'lti_redirect',
     'lti_tool',
-    'django_mysql'
-    # 'csp',
 ]
 
 MIDDLEWARE = [
     'django.middleware.security.SecurityMiddleware',
     "whitenoise.middleware.WhiteNoiseMiddleware",
     'django.contrib.sessions.middleware.SessionMiddleware',
-    # 'csp.middleware.CSPMiddleware',
     'lti_tool.middleware.LtiLaunchMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
-    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'csp.middleware.CSPMiddleware',
 ]
 
 ROOT_URLCONF = 'backend.urls'
@@ -209,14 +209,9 @@
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 
 
-# CONTENT_SECURITY_POLICY = {
-#     "DIRECTIVES": {
-#         "default-src": ["'self'", "ngrok-free.app","loophole.site"],
-#         "frame-ancestors": ["'self'", "canvas-test.it.umich.edu" ,"umich.beta.instructure.com"],
-#         "form-action": ["'self'"],
-#         "report-uri": "/csp-report/",
-#         "frame-src": ["instructure.com", "umich.edu"],
-#         "style-src": ["'self'", "'unsafe-inline'"],
-#         "script-src": ["'self'", "'unsafe-inline'"],
-#     },
-# }
+CSP_DEFAULT_SRC = ["'self'",]
+CSP_SCRIPT_SRC = ["'self'", "'unsafe-inline'", "https:"]
+CSP_STYLE_SRC = ["'self'", "https:", "'unsafe-inline'"]
+CSP_FRAME_ANCESTORS = ["'self'"] + [url.strip() for url in config('CSP_FRAME_ANCESTORS', 'canvas-test.it.umich.edu').split(',')] 
+CSP_IMG_SRC = ["'self'", "data:"]
+CSP_FONT_SRC = ["'self'"]

lti_redirect/templates/home.html

@@ -2,11 +2,14 @@
 <html>
 <head>
     <meta charset="utf-8"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>{% block title %}{% endblock %}</title>
     {% load static %}
-    <link rel="stylesheet" type="text/css" href="{% static 'home.css' %}"/>
+    <link rel="stylesheet" type="text/css" href="{% static 'home.css' %}" />
     <script type=""text/javascript">
     window.onload = function() {
+        let currentYear = new Date().getFullYear();
+        document.getElementById('year').textContent = currentYear;
         let maizey_url = "{{ maizey_url }}"
         if(maizey_url) {
             window.open(maizey_url, '_blank')
@@ -19,7 +22,7 @@
 <div class="navbar">
     <a href="{% url 'home' %}" class="navbar-brand">LTI Redirect TOOL</a>
     {% if user.is_authenticated and user.is_superuser %}
-    <a class="navbar-item" href="{% url 'admin:index' %}">Admin</a>
+    <a class="navbar-item" href="{% url 'admin:index' %}" target="_blank">Admin</a>
     {% endif %}
     {% if user.is_authenticated %}
     <span class="navbar-user">{{ user.username }}</span>
@@ -31,7 +34,7 @@
     {% endblock %}
     <hr/>
     <footer>
-        <p>&copy; 2024  The Regents of the University of Michigan</p>
+        <p>&copy; <span id="year"></span>  The Regents of the University of Michigan</p>
     </footer>
 </div>
 </body>

lti_redirect/views.py

@@ -63,7 +63,6 @@ def login_user_from_lti(request, launch_data):
 
 class ApplicationLaunchView(LtiLaunchBaseView):
 
-    # @xframe_options_exempt
     def handle_resource_launch(self, request, lti_launch):
         ...  # Required. Typically redirects the users to the appropriate page.
         launch_data = lti_launch.get_launch_data()
@@ -77,10 +76,7 @@ def handle_resource_launch(self, request, lti_launch):
         context = {
             "maizey_url": maizey_url,
         }
-        if request.user.is_superuser:
-            return render(request, "home.html", context)
-        else:
-            return HttpResponseRedirect(maizey_url)
+        return render(request, "home.html", context)
 
     def handle_deep_linking_launch(self, request, lti_launch):
         ...  # Optional.

requirements.txt

@@ -1,10 +1,10 @@
-django
-pyjwt
-django-lti
-django-csp
-python-decouple
-mysqlclient
-django-mysql
-gunicorn
-whitenoise
-debugpy
+django==5.0.6
+pyjwt==2.8.0
+django-lti==0.6.0
+django-csp==3.8
+python-decouple==3.8
+mysqlclient==2.2.4
+django-mysql==4.14.0
+gunicorn==22.0.0
+whitenoise==6.7.0
+debugpy==1.8.2

setup/lti-config.json

@@ -30,7 +30,7 @@
       "term_name": "$Canvas.term.name",
       "canvas_url": "$Canvas.api.baseUrl",
       "term_start": "$Canvas.term.startAt",
-      "redirect_url": "https://dev.dev.umgpt.umich.edu/",
+      "redirect_url": "https://dev2.dev.umgpt.umich.edu/",
       "course_status": "$Canvas.course.workflowState",
       "user_canvas_id": "$Canvas.user.id",
       "course_account_name": "$Canvas.account.name",