Activate django-csp

SciPost_v1/settings/base.py

@@ -186,6 +186,7 @@ MIDDLEWARE = (
     'django.middleware.security.SecurityMiddleware',
     'maintenancemode.middleware.MaintenanceModeMiddleware',
     'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
+    'csp.middleware.CSPMiddleware',
 )
 
 SECURE_BROWSER_XSS_FILTER = True
@@ -195,6 +196,13 @@ SECURE_HSTS_PRELOAD = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
 X_FRAME_OPTIONS = 'DENY'
 REFERRER_POLICY = 'same-origin'
+CSP_FONT_SRC = ("'self'", 'fonts.gstatic.com', 'cdnjs.cloudflare.com')
+CSP_FRAME_SRC = ('www.google.com')
+CSP_IMG_SRC = ("'self'", 'licensebuttons.net', 'crossmark-cdn.crossref.org')
+CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", 'ajax.googleapis.com', 'cdnjs.cloudflare.com',
+                  'crossmark-cdn.crossref.org', 'www.recaptcha.net', 'www.gstatic.com')
+CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", 'ajax.googleapis.com',
+                 'fonts.googleapis.com', 'cdnjs.cloudflare.com')
 
 ROOT_URLCONF = 'SciPost_v1.urls'
 

SciPost_v1/settings/production.py

@@ -69,3 +69,5 @@ sentry_sdk.init(
     dsn=get_secret('SENTRY_DSN'),
     integrations=[DjangoIntegration()]
 )
+CSP_REPORT_URI = get_secret('CSP_SENTRY')
+CSP_REPORT_ONLY = True

commentaries/templates/commentaries/commentary_list.html

@@ -5,10 +5,6 @@
 
 {% block pagetitle %}: Commentaries{% endblock pagetitle %}
 
-{% block headsup %}
-  <script type="text/javascript" async src="//cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-MML-AM_CHTML"></script>
-{% endblock headsup %}
-
 {% block content %}
   <div class="row">
     <div class="col-md-4">

comments/templates/comments/_add_comment_form.html

@@ -8,7 +8,7 @@
        comment_text_input.on('keyup', function(){
            var new_text = $(this).val()
            $("#preview-comment_text").text(new_text)
-           if( typeof MathJax !== 'undefined' ) {
+           if( typeof MathJax.Hub !== 'undefined' ) {
                MathJax.Hub.Queue(["Typeset",MathJax.Hub]);
            }
        }).trigger('keyup');

scipost/templates/scipost/bare_base.html

@@ -41,15 +41,24 @@
     {% include 'partials/scipost/notification_center_modal.html' %}
 
     <div class="backdrop" id="backdrop"></div>
-    <script type="text/x-mathjax-config">
-     MathJax.Hub.Config({
+    <!-- <script type="text/x-mathjax-config">
+	 MathJax.Hub.Config({
          tex2jax: {
-             inlineMath: [['$','$'], ['\\(','\\)']],
-             processEscapes: true
+         inlineMath: [['$','$'], ['\\(','\\)']],
+         processEscapes: true
          }
-     });
+	 });
+	 </script>
+	 <script type="text/javascript" async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-MML-AM_CHTML"></script> -->
+    <script>
+     var MathJax = {
+	 tex2jax: {
+	     inlineMath: [['$','$'],['\\(','\\)']],
+	     procesEscapes: true
+	 }
+     };
     </script>
-    <script type="text/javascript" async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-MML-AM_CHTML"></script>
+    <script type="text/javascript" async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-MML-AM_CHTML"></script>
 
     {% render_bundle 'main' 'js' %}
 

templates/email/_footer.html

@@ -5,7 +5,7 @@
     <ul style="font-size: 90%; list-style: none; padding: 0rem;">
       <li>
 	<a href="https://scipost.org/">
-	<img src="https://scipost.org/static/scipost/images/logo_scipost_RGB_HTML.png" style="background-color: #002b49; padding: 1rem;" width="100rem">
+	<img src="{% static 'scipost/images/logo_scipost_RGB_HTML.png' %}" style="background-color: #002b49; padding: 1rem;" width="100rem">
 	</a>
       </li>
       <li><a style="color: #eeeeee;" href="https://scipost.org/">Homepage</a></li>

theses/templates/theses/thesislink_list.html

@@ -5,10 +5,6 @@
 
 {% block pagetitle %}: Theses{% endblock pagetitle %}
 
-{% block headsup %}
-  <script type="text/javascript" async src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-MML-AM_CHTML"></script>
-{% endblock headsup %}
-
 {% block content %}
 
   <div class="row">