From 0651f9f786fef9277c80ab778d3936372f4a8c58 Mon Sep 17 00:00:00 2001
From: Chad Weider
Date: Mon, 17 Jul 2023 14:14:06 -0700
Subject: [PATCH 1/2] fix(security): amend CSP for base-uri

CSP reports some violations where `base` tag is being used. While we have not been able to identify the source, if it is legit, then `'self'` would be the only permissible value. This change allows `'self'`, making illegitimate uses, if any, visible.

Fixes: #2886
---
 cl/settings/project/security.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cl/settings/project/security.py b/cl/settings/project/security.py
index e8ab9ba0be..c17567ce72 100644
--- a/cl/settings/project/security.py
+++ b/cl/settings/project/security.py
@@ -134,7 +134,7 @@
 "'self'",
 f"https://{AWS_S3_CUSTOM_DOMAIN}/",
 )
-CSP_BASE_URI = "'none'"
+CSP_BASE_URI = "'self'"
 CSP_INCLUDE_NONCE_IN = ["script-src"]
 if not any(
 (DEVELOPMENT, TESTING)

From c24e2eac8a25378730d4bc495772717794894503 Mon Sep 17 00:00:00 2001
From: Chad Weider
Date: Mon, 17 Jul 2023 14:22:14 -0700
Subject: [PATCH 2/2] fix(security): amend CSP for media-src

CSP reports some violations where a `data:` source is being used for media. While we have not been able to identify the source, it is a good bet that this is caused by a browser extension - that it is not a manifestation of unexpected behavior in CourtListener. Nonetheless, allow `data:`, because it is relatively benign: it is ineffective data exfiltration and will remove a significant cause of nuisance reports.

Fixes: #2899
---
 cl/settings/project/security.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cl/settings/project/security.py b/cl/settings/project/security.py
index c17567ce72..0ecfbbc3aa 100644
--- a/cl/settings/project/security.py
+++ b/cl/settings/project/security.py
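Review bot: The new `CSP_BASE_URI = "'self'"` line carries no comment, so the next reader sees a relaxation from `'none'` with no rationale and may either tighten it back or loosen it further. Record the reason inline, e.g. `CSP_BASE_URI = "'self'"  # was 'none'; unexplained <base> reports (#2886). 'self' still blocks re-basing relative URLs to another origin.` The comment should also make clear that `'self'` is not equivalent to `'none'`: an injected `<base>` pointing at a same-origin path still takes effect, so any same-origin path that serves user-controlled content would need its own review — whether such paths exist cannot be told from this hunk. The settings file is a flat module of assignments, so there is no enclosing function here.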
@@ -109,6 +109,11 @@
 "data:", # @tailwindcss/forms uses data URIs for images.
 "https://*.stripe.com",
 )
+CSP_MEDIA_SRC = (
+ "'self'",
+ f"https://{AWS_S3_CUSTOM_DOMAIN}/",
+ "data:", # Some browser extensions like this.
+)
 CSP_OBJECT_SRC = (
 "'self'",
 f"https://{AWS_S3_CUSTOM_DOMAIN}/", # for embedded PDFs
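Review bot: The new `CSP_MEDIA_SRC` tuple repeats the `'self'` / S3-domain pair that is already spelled out in `CSP_OBJECT_SRC` directly below (and in the directive closing just above the hunk), so a change to the S3 origin now has to be applied in several places by hand. A module-level `_SELF_AND_S3 = ("'self'", f"https://{AWS_S3_CUSTOM_DOMAIN}/")` reused as `CSP_MEDIA_SRC = (*_SELF_AND_S3, "data:")` would keep the directives in step; this is purely a style point, the emitted policy is identical. The inline comment would be more useful with the tracking reference and the observed cause, e.g. `"data:",  # Nuisance reports traced to browser extensions; see #2899.` Presumably media-src fell back to `default-src` before this directive existed (the default-src value is outside the hunk), so it is worth confirming that no origin previously permitted that way is dropped by the new explicit list.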