diff --git a/.env.sample b/.env.sample
index 1318cd3..e811512 100644
--- a/.env.sample
+++ b/.env.sample
@@ -18,3 +18,5 @@ ALLOWED_HOSTS=.loophole.site,.ngrok-free.app,.ngrok.app,.ngrok.io,127.0.0.1,loca
 MAIZEY_JWT_SECRET=secret
 # By default it is set to False running in Prod. For Development set = True, this will enable debugpy for remote debugging
 DEBUGPY_ENABLE=True
+# A comma separated list of domains where you want to allow the application to be framed
+CSP_FRAME_ANCESTORS=canvas-test.it.umich.edu
diff --git a/backend/settings.py b/backend/settings.py
index 7c08c52..c545f65 100644
--- a/backend/settings.py
+++ b/backend/settings.py
@@ -13,7 +13,6 @@ import os, logging
 from pathlib import Path
 from decouple import config
-# from csp.constants import SELF, UNSAFE_INLINE
 logger = logging.getLogger(__name__)
 logging.basicConfig(level='INFO')
@@ -38,10 +37,13 @@ allowed_hosts = config('ALLOWED_HOSTS', '')
 ALLOWED_HOSTS = [host.strip() for host in allowed_hosts.split(',')]
+
 APPEND_SLASH=False
 CSRF_COOKIE_SECURE = True
 SESSION_COOKIE_SAMESITE = None
 CSRF_COOKIE_SAMESITE = None
+SECURE_PROXY_SSL_HEADER =('HTTP_X_FORWARDED_PROTO', 'https')
+USE_X_FORWARDED_HOST = True
 # Application definition
@@ -54,23 +56,21 @@
 'django.contrib.messages',
 "whitenoise.runserver_nostatic",
 'django.contrib.staticfiles',
+ 'django_mysql',
 'lti_redirect',
 'lti_tool',
- 'django_mysql'
- # 'csp',
 ]
 MIDDLEWARE = [
 'django.middleware.security.SecurityMiddleware',
 "whitenoise.middleware.WhiteNoiseMiddleware",
 'django.contrib.sessions.middleware.SessionMiddleware',
- # 'csp.middleware.CSPMiddleware',
 'lti_tool.middleware.LtiLaunchMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
- # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+ 'csp.middleware.CSPMiddleware',
 ]
 ROOT_URLCONF = 'backend.urls'
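Review bot: `SECURE_PROXY_SSL_HEADER` and `USE_X_FORWARDED_HOST = True` in the `@@ -38,10 +37,13 @@` hunk are set unconditionally, so Django will treat any request carrying `X-Forwarded-Proto: https` as secure and will build absolute URLs and run host validation from a client-supplied `X-Forwarded-Host`; that is only correct when every request reaches the app through a proxy that overwrites those headers, which nothing in this file guarantees (the `DEBUGPY_ENABLE` toggle and the tunnel domains in the `ALLOWED_HOSTS` sample suggest the app is also run directly). Gate both on configuration with a safe default, e.g. `USE_X_FORWARDED_HOST = config('USE_X_FORWARDED_HOST', default=False, cast=bool)`, and record the assumption above them: `# Only valid behind a trusted reverse proxy that sets X-Forwarded-Proto/Host`. As a style point, `SECURE_PROXY_SSL_HEADER =(` is missing the space after `=`.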
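Review bot: In the `@@ -54,23 +56,21 @@` hunk the commented `XFrameOptionsMiddleware` line is dropped rather than restored, so protection against being framed now rests entirely on the CSP `frame-ancestors` directive emitted by the new `csp.middleware.CSPMiddleware`; for an LTI tool embedded in Canvas that is a defensible choice, but it should be written down so a later maintainer does not re-add the middleware and break the embed: `# Framing is governed by CSP frame-ancestors; XFrameOptionsMiddleware intentionally omitted`. The removed `# 'csp',` entry is likewise not added back to `INSTALLED_APPS`; if the templates load the `csp` template tag library (the home.html hunk is cut off here), the app has to be installed for the tags to resolve — confirm against the templates.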
@@ -209,14 +209,9 @@ DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
-# CONTENT_SECURITY_POLICY = {
-# "DIRECTIVES": {
-# "default-src": ["'self'", "ngrok-free.app","loophole.site"],
-# "frame-ancestors": ["'self'", "canvas-test.it.umich.edu" ,"umich.beta.instructure.com"],
-# "form-action": ["'self'"],
-# "report-uri": "/csp-report/",
-# "frame-src": ["instructure.com", "umich.edu"],
-# "style-src": ["'self'", "'unsafe-inline'"],
-# "script-src": ["'self'", "'unsafe-inline'"],
-# },
-# }
+CSP_DEFAULT_SRC = ["'self'",]
+CSP_SCRIPT_SRC = ["'self'", "'unsafe-inline'", "https:"]
+CSP_STYLE_SRC = ["'self'", "https:", "'unsafe-inline'"]
+CSP_FRAME_ANCESTORS = ["'self'"] + [url.strip() for url in config('CSP_FRAME_ANCESTORS', 'canvas-test.it.umich.edu').split(',')]
+CSP_IMG_SRC = ["'self'", "data:"]
+CSP_FONT_SRC = ["'self'"]
\ No newline at end of file
diff --git a/lti_redirect/templates/home.html b/lti_redirect/templates/home.html
index aaf45e8..157f933 100644
--- a/lti_redirect/templates/home.html
+++ b/lti_redirect/templates/home.html
@@ -2,11 +2,14 @@
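Review bot: `CSP_SCRIPT_SRC` combines `'unsafe-inline'` with the `https:` scheme source, which permits inline scripts and scripts from any HTTPS origin, so the policy no longer mitigates script injection (the `https:` entry is new relative to the commented-out block it replaces, and `CSP_STYLE_SRC` has the same shape). If inline scripts are genuinely needed, prefer django-csp nonces — `CSP_INCLUDE_NONCE_IN = ['script-src']` with `{{ request.csp_nonce }}` on the script tags — and replace `https:` with the specific origins actually loaded. The removed block also carried `form-action` and `report-uri`; neither is re-created, so violations are now invisible, whereas `CSP_REPORT_URI = '/csp-report/'` (with a receiving view) or `CSP_REPORT_ONLY = True` during rollout would keep them observable. These `CSP_*` settings are the pre-4.0 django-csp form, while the removed `CONTENT_SECURITY_POLICY` dict and the `csp.constants` import removed in the first settings hunk are the 4.0 form — confirm the pinned django-csp version honours `CSP_*`, since the two styles are not interchangeable. The file also loses its trailing newline (`\ No newline at end of file`).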
+