Merge pull request #308 from clabs/dev

patch csp again
clabs · Jan 31, 2025 · 52bd633 · 52bd633
2 parents 3f8ef0b + c7a2a9e
commit 52bd633
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 24 deletions.
diff --git a/src/rockon/bands/templates/booking/bid_overview.html b/src/rockon/bands/templates/booking/bid_overview.html
@@ -36,15 +36,19 @@ <h1>Band Bewertungen</h1>
       order: [
         [1, 'desc'],
         [2, 'desc']
-      ],
+        ],
       drawCallback: function () {
-        $('.inlinesparkline:not(:has(canvas))').sparkline('html', {
-          type: 'bar',
-          barWidth: '20px',
-          barColor: '#fff300',
-          disableTooltips: true,
-          chartRangeMax: 6
-        })
+        $('.inlinesparkline').each(function() {
+          if (!$(this).find('canvas').length) {
+            $(this).sparkline('html', {
+              type: 'bar',
+              barWidth: '20px',
+              barColor: '#fff300',
+              disableTooltips: true,
+              chartRangeMax: 6
+            });
+          }
+        });
       }
     })
   })

diff --git a/src/rockon/base/templates/head.html b/src/rockon/base/templates/head.html
@@ -1,36 +1,51 @@
-{% load static %}{% load compress %}{% load compress %}
+{% load static %}
+{% load compress %}
+{% load compress %}
 <meta charset="utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>{{ site_title }} | rockon</title>
 {% compress css file theme_rocktreff %}
-<link rel="stylesheet" type="text/x-scss" href="{% static "rockon/theme.scss" %}">
-<link rel="stylesheet" type="text/css" href="{% static "css/overrides.css" %}">
+  <link rel="stylesheet"
+        type="text/x-scss"
+        href="{% static "rockon/theme.scss" %}">
+  <link rel="stylesheet"
+        type="text/css"
+        href="{% static "css/overrides.css" %}">
 {% endcompress %}
 {% compress js file vendor %}
-<script src="{% static "vendor/bootstrap.bundle.5.3.3.min.js" %}"></script>
-<script src="{% static "vendor/jquery-3.7.1.min.js" %}"></script>
-<script src="{% static "vendor/luxon.3.4.4.min.js" %}"></script>
+  <script src="{% static "vendor/bootstrap.bundle.5.3.3.min.js" %}"></script>
+  <script src="{% static "vendor/jquery-3.7.1.min.js" %}"></script>
+  <script src="{% static "vendor/luxon.3.4.4.min.js" %}"></script>
 {% endcompress %}
-<link rel="apple-touch-icon" sizes="180x180" href="{% static "favicon/apple-touch-icon.png" %}" />
-<link rel="icon" type="image/png" sizes="32x32" href="{% static "favicon/favicon-32x32.png" %}" />
-<link rel="icon" type="image/png" sizes="16x16" href="{% static "favicon/favicon-16x16.png" %}" />
+<link rel="apple-touch-icon"
+      sizes="180x180"
+      href="{% static "favicon/apple-touch-icon.png" %}" />
+<link rel="icon"
+      type="image/png"
+      sizes="32x32"
+      href="{% static "favicon/favicon-32x32.png" %}" />
+<link rel="icon"
+      type="image/png"
+      sizes="16x16"
+      href="{% static "favicon/favicon-16x16.png" %}" />
 <link rel="manifest" href="{% static "favicon/site.webmanifest" %}" />
 {% compress css file fontawmesome %}
-<link href="{% static "fontawesome/css/fontawesome.css" %}" rel="stylesheet">
-<link href="{% static "fontawesome/css/brands.css" %}" rel="stylesheet">
-<link href="{% static "fontawesome/css/solid.css" %}" rel="stylesheet">
+  <link href="{% static "fontawesome/css/fontawesome.css" %}"
+        rel="stylesheet">
+  <link href="{% static "fontawesome/css/brands.css" %}" rel="stylesheet">
+  <link href="{% static "fontawesome/css/solid.css" %}" rel="stylesheet">
 {% endcompress %}
 <meta name="theme-color" content="#303030">
 {% if SENTRY_FRONTEND_ENABLED %}
-<script src="{% static "vendor/sentry.8.19.0.bundle.tracing.min.js" %}"></script>
-<script language="javascript" nonce="{{request.csp_nonce}}">
+  <script src="{% static "vendor/sentry.8.19.0.bundle.tracing.min.js" %}"></script>
+  <script language="javascript" nonce="{{request.csp_nonce}}">
 Sentry.init({
   dsn: '{{ SENTRY_DSN }}',
   tracesSampleRate: {{SENTRY_TRACES_SAMPLE_RATE|floatformat:2}},
   environment: '{{ SENTRY_ENVIRONMENT }}',
   integrations: [Sentry.browserTracingIntegration()]
 });
-</script>
+  </script>
 {% endif %}
 <script language="javascript" nonce="{{request.csp_nonce}}">
   $(document).ready(() => {

diff --git a/src/rockon/settings.py b/src/rockon/settings.py
@@ -359,7 +359,7 @@
 CSP_FRAME_ANCESTORS = ["'none'"]
 CSP_FORM_ACTION = ["'self'"]
 CSP_BASE_URI = ["'self'"]
-CSP_INCLUDE_NONCE_IN = ["script-src"]
+CSP_INCLUDE_NONCE_IN = ["script-src", "script-src-elem"]
 
 if SENTRY_DSN:
     sentry_target = urlparse(SENTRY_DSN)