task WI-46: Setup CMS using django-csp

[chandra-tacc]

Overview

To become fully secure site, adding detailed Content Security Policy is needed.
This uses django-csp to enable csp.

Related

• WP-46
• similar to Task/wi 46 Add CSP http headers Core-Portal#829
• delayed/replaced by Task WA-46: Add CSP Policy headers Camino#32

Changes

This PR adds CSP headers for

• font src
• script src
• style src
• connect src
  Also, ensure the current script tags use nonce.
  The setup right now is in "report only" mode to allow for opt-in and fully functional app.

Testing

1. Validated the site using UI and reducing console warnings.

UI

No UI change.

Notes:

At this point, due to possibly breaking the app due to CSP, this PR is in draft mode. Other mitigations are deployed via TACC/Camino#32

[wesleyboar]

Seems important, but I have not heard a request to revisit this, so I'm marking this "medium" priority.

[wesleyboar]

Do <link> elements actually use nonce?

• W3.org states "Nonce sources require a new nonce attribute to be added to both script and style elements."
• The MDN nonce page does not mention <link>. Only <script> and <style>.

I've created a merge conflict resolution for review — #745 — but it has a bug.

[wesleyboar]

I nor A.I. think this PR is ready to merge. It is also very old. I think it is not worth resolving conflicts. I intend to start fresh since major changes to Core-CMS and Camino.

Conceptually: yes. Using CSP in report-only mode and gradually tightening is the right approach.

Implementation quality: mixed. Based on the visible snippets and notes, nonce usage was partially misunderstood/applied, so the exact patch in that draft was not ready to be the final solution.
— A.I.