add config variables to define static additional rules

fsinfuhh · Nov 6, 2017 · dbc69de · dbc69de
1 parent cbfc2cd
commit dbc69de
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/README.rst b/README.rst
@@ -82,3 +82,12 @@ The URl CSP errors should be reportet to, set to "" if not used, or do not defin
 
 CSP_REPORT_ONLY = True
 Set the header to just report CSP errors do not enforce the CSP. Defaults to True.
+
+CSP_ADDITIONAL_SCRIPT_SRC = []
+List of additional hosts javascript is allowed to be loaded from
+
+CSP_ADDITIONAL_STYLE_SRC = []
+List of additional hosts CSS is allowed to be loaded from
+
+CSP_ADDITIONAL_IMG_SRC = []
+List of additional hosts images is allowed to be loaded from
diff --git a/django-simple-csp/middleware/csp.py b/django-simple-csp/middleware/csp.py
@@ -13,6 +13,11 @@ def __call__(self, request):
             'script-src': ["'self'"],
             'style-src': ["'self'"],
         }
+
+        policy['script-src'] += getattr(settings, 'CSP_ADDITIONAL_SCRIPT_SRC', [])
+        policy['style-src'] += getattr(settings, 'CSP_ADDITIONAL_STYLE_SRC', [])
+        policy['img-src'] += getattr(settings, 'CSP_ADDITIONAL_IMG_SRC', [])
+
         if hasattr(request, 'csp_js_nonces'):
             policy['script-src'] += ["'nonce-{}'".format(nonce) for nonce in request.csp_js_nonces]
 

diff --git a/setup.py b/setup.py
@@ -4,7 +4,7 @@
 from setuptools import setup, find_packages
 
 
-version = '0.1.dev2'
+version = '0.2.dev1'
 
 
 def read(*parts):