Enforce a Content Security Policy #505

@thibaudcolas

Description

Part of the Content Security Policy compatibility roadmap item. We’ve had CSP support on wagtail.org for a while, but no production configuration to apply it to live traffic.

I’ve now documented a strict baseline setup, but turned it off as it was creating too much reporting in Sentry. It would be great if we completed this with the view to actually enforce a CSP on this site.

Needed CSP changes

There are roughly three options:

  • Enforce a less-strict CSP so it can be compatible with Wagtail (see CSP compatibility issues).
  • Disable CSP enforcement altogether for the CMS (wouldn’t do anything to protect CMS users though).
  • Wait for changes in Wagtail so we can enforce a strict CSP on this site.

In addition to those options, it would be nice to update the site’s templates to be more CSP-friendly. At the moment, the site heavily relies on inline styles in particular.
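The following is an added example and not wagtail.org’s own configuration: a small, dependency-free policy builder that makes the three options above concrete (a strict nonce-based policy versus a relaxed one that keeps `'unsafe-inline'` styles for the CMS), shows the difference between the report-only header the site currently uses and the enforcing header, and audits a template fragment for the two kinds of inline CSS. The function names (`build_csp`, `csp_header`, `inline_allowed`, `audit_inline_styles`), the `/csp-report` endpoint and the HTML fragment are all assumptions constructed for this illustration. Note the CSP rule it encodes: once a directive carries a nonce or hash, browsers ignore `'unsafe-inline'` in that directive, so a strict policy cannot be “softened” by appending the keyword; and `style="..."` attributes cannot be nonced at all, which is why inline styles in templates are the real migration cost.

```python
"""Added example, not the project's code: CSP option comparison and template audit."""
import re
import secrets
from typing import Dict, List, Optional, Tuple


def make_nonce() -> str:
    """Fresh per-response nonce; it must never be reused across responses."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, strict: bool = True, report_to: Optional[str] = None) -> str:
    """Build a policy string.

    strict=True  -> inline scripts and styles need the per-response nonce
                    (the 'wait for Wagtail' option: the admin must be nonce-aware).
    strict=False -> keep 'unsafe-inline' for styles so the CMS keeps working
                    (the 'less-strict CSP' option).
    """
    directives: Dict[str, List[str]] = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
    }
    if not strict:
        directives["style-src"] = ["'self'", "'unsafe-inline'"]
    if report_to:  # assumed reporting endpoint, e.g. "/csp-report"
        directives["report-uri"] = [report_to]
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def csp_header(policy: str, enforce: bool) -> Tuple[str, str]:
    """Report-only generates violation reports without blocking anything;
    enforce=True switches to the header that actually blocks."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, policy


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy back into directive -> source list."""
    parsed: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0]] = tokens[1:]
    return parsed


def inline_allowed(policy: str, directive: str, nonce: Optional[str] = None) -> bool:
    """Would an inline <script>/<style> element (carrying `nonce`, if given) load?

    Falls back to default-src when the directive is absent. Mirrors the browser
    rule that 'unsafe-inline' is ignored once a nonce or hash source is present.
    """
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src", []))
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


# Two kinds of inline CSS: <style> blocks can be given a nonce attribute,
# style="" attributes cannot (they need 'unsafe-inline', a hash with
# 'unsafe-hashes', or a move into a stylesheet).
STYLE_TAG = re.compile(r"<style\b[^>]*>", re.IGNORECASE)
STYLE_ATTR = re.compile(r"""\sstyle\s*=\s*["']""", re.IGNORECASE)


def audit_inline_styles(html: str) -> Dict[str, int]:
    """Count how much inline CSS a template fragment carries of each kind."""
    return {
        "style_tags": len(STYLE_TAG.findall(html)),
        "style_attributes": len(STYLE_ATTR.findall(html)),
    }


# Constructed sample fragment standing in for a site template.
SAMPLE_TEMPLATE = """<div class="hero" style="background: url(/img/hero.png)">
  <style>.hero { padding: 2rem; }</style>
  <p style="color: red">Constructed sample fragment</p>
</div>"""


if __name__ == "__main__":
    n = make_nonce()
    for label, policy in (("strict", build_csp(n, report_to="/csp-report")),
                          ("relaxed", build_csp(n, strict=False, report_to="/csp-report"))):
        header, value = csp_header(policy, enforce=False)
        print(f"{label}: {header}: {value}")
        print("  nonced <style> allowed:", inline_allowed(policy, "style-src", n))
        print("  un-nonced <style> allowed:", inline_allowed(policy, "style-src"))
    print("template audit:", audit_inline_styles(SAMPLE_TEMPLATE))
```

Running it prints both policies under the report-only header, then the audit of the fragment; the `style_attributes` count is the number of places that have to change before the strict policy can be enforced, whichever of the three options is chosen in the meantime.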
